Snort mailing list archives
Re: snort will not log to mysql
From: "Ron Shuck" <rshuck () Buchanan com>
Date: Thu, 5 Jun 2003 15:39:31 -0500
Snort 1.9.0 changed the way portscans are identified, at least if using the new portscan plugin. This should be fixed in the CVS tree for ACID. If I remember right you can modify the file 'acid_stat_common.php', roughly lines 174 and 177. Hope that helps.

Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
http://www.buchanan.com
http://www.isc2.org
http://www.giac.org

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Thursday, June 05, 2003 7:20 AM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #3237 - 11 msgs

Message: 1
Date: Thu, 5 Jun 2003 08:50:43 +0200
From: Hans Steinraht <hsteinraht () openlot com>
To: Bamm Visscher <bamm () satx rr com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort will not log to mysql
Organization: Openlot

This works, thanks. One little question: in ACID the bar for Portscan Traffic keeps the value 0%, but when I click on it the scans are reported there. Any idea how that comes?

Hans

On Wed, Jun 04, 2003 at 07:48:07AM -0500, Bamm Visscher wrote:
The portscan preprocs call the 'alert' function, not the 'log' function. Change your config so that the database output plugin attaches to the 'alert' facility:

output database: alert, mysql, user=snort password=snort dbname=snort host=localhost

Bammkkkk

On Tue, Jun 03, 2003 at 03:42:48PM +0200, Hans Steinraht wrote:

Hi,

I've just started playing with Snort (version 2.0.0-3.1) on Linux Debian. When I add some rules like these in local.rules:

#alert ip any any -> any any (msg:"Got an IP packet";)
#alert tcp any any -> any any (msg:"Got an TCP packet";)
#alert udp any any -> any any (msg:"Got an UDP packet";)
#alert icmp any any -> any any (msg:"Got an ICMP packet";)

all kinds of data are inserted in mysql. When I remove the rules and do a scan to the firewall computer in our network I see entries like "[**] [117:1:1] (spp_portscan2) Portscan detected ....." in my alert.log and in the portscan2.log, but nothing goes to mysql. The snort.conf file I have looks like this:

output database: log, mysql, user=snort password=snort dbname=snort host=localhost
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60, log portscan2.log

When I remove the option log from preprocessor portscan2 it's going to log to scan.log, but still not to mysql. Does anyone have some advice for me on this?

thanks,
Hans
--
_________________________
Hans Steinraht
Openlot
Wibautstraat 3
1091 GH Amsterdam
The Netherlands
hsteinraht () openlot com
Phone: +3120 596 1840
Fax: +3120 596 3162
www.openlot.com
_________________________
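The fix in this thread (attach the database plugin to the 'alert' facility, because the portscan preprocessors alert rather than log) can be turned into a quick configuration check that runs before Snort is restarted. The following Python is an added example, not code from the thread or from the Snort or ACID projects: it recognises only the two directive shapes posted above ('output database:' and 'preprocessor ...:'), treats 'portscan' and 'portscan2' as the portscan preprocessor names (an assumption of this example), and the two sample configs are constructed from the lines Hans posted, one with the plugin on 'log' and one with it on 'alert'.

```python
import re
from dataclasses import dataclass

# Preprocessor names treated as portscan detectors. 'portscan' and 'portscan2'
# are the ones named in the thread; the set itself is an assumption here.
PORTSCAN_PREPROCS = {"portscan", "portscan2"}

# output database: <facility>, <backend>, key=value key=value ...
OUTPUT_DB_RE = re.compile(r"^output\s+database\s*:\s*(\w+)\s*,\s*(\w+)\s*,?\s*(.*)$")
# preprocessor <name>[: options]
PREPROC_RE = re.compile(r"^preprocessor\s+([\w-]+)")


@dataclass
class DbOutput:
    facility: str   # 'alert' or 'log'
    backend: str    # e.g. 'mysql'
    params: dict    # user=, password=, dbname=, host=, ...


def parse_snort_conf(text):
    """Return (database_outputs, preprocessor_names) from a snort.conf body.

    Backslash line continuations are joined and '#' comments stripped; only
    the two directive shapes used in the thread are recognised."""
    joined = text.replace("\\\n", " ")
    outputs, preprocs = [], []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = OUTPUT_DB_RE.match(line)
        if m:
            facility, backend, rest = m.groups()
            params = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
            outputs.append(DbOutput(facility.lower(), backend.lower(), params))
            continue
        m = PREPROC_RE.match(line)
        if m:
            preprocs.append(m.group(1).lower())
    return outputs, preprocs


def check_portscan_logging(text):
    """Return a list of findings; an empty list means portscan alerts reach the DB."""
    outputs, preprocs = parse_snort_conf(text)
    findings = []
    uses_portscan = any(p in PORTSCAN_PREPROCS for p in preprocs)
    alert_outputs = [o for o in outputs if o.facility == "alert"]
    log_outputs = [o for o in outputs if o.facility == "log"]
    if uses_portscan and not alert_outputs:
        # Rule hits with the alert action still reached the 'log' database in the
        # thread, but the portscan preprocessor only calls the alert path, so a
        # database plugin on 'log' never sees its events.
        for o in log_outputs:
            findings.append(
                f"database output ({o.backend}, dbname={o.params.get('dbname', '?')}) "
                "is attached to 'log'; portscan preprocessors raise alerts, so their "
                "events will not be written there. Attach the plugin to 'alert'.")
        if not log_outputs:
            findings.append("portscan preprocessor configured but no database output present")
    return findings


# Constructed from the thread's snort.conf lines: plugin on the 'log' facility.
BROKEN_CONF = """\
output database: log, mysql, user=snort password=snort \\
    dbname=snort \\
    host=localhost
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, \\
    port_limit 20, timeout 60, log portscan2.log
"""

# The same config with the fix from the thread applied.
FIXED_CONF = BROKEN_CONF.replace("output database: log,", "output database: alert,")


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        problems = check_portscan_logging(conf)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it against a real snort.conf by reading the file into check_portscan_logging(); it only flags the alert-versus-log mismatch from this thread and does not validate the rest of the configuration.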
Current thread:
- snort will not log to mysql Hans Steinraht (Jun 03)
- Re: snort will not log to mysql Edin Dizdarevic (Jun 03)
- Re: snort will not log to mysql Hans Steinraht (Jun 04)
- Re: snort will not log to mysql Bamm Visscher (Jun 04)
- Re: snort will not log to mysql Hans Steinraht (Jun 05)
- <Possible follow-ups>
- Re: snort will not log to mysql Ron Shuck (Jun 05)
- Re: snort will not log to mysql Edin Dizdarevic (Jun 03)