Snort mailing list archives

Exhausted - SNORT not logging to MySQL database


From: "Your Name" <rush () bythedrop com>
Date: Sat, 20 Mar 2004 19:02:53 +0000

After 2 days of searching mailing lists/FAQs/google I am at a loss as to
why SNORT will not log to the MySQL database and the alert file remains at
0 bytes.  I tried twice to set SNORT up on a fresh RedHat 9.0 install with
all RHN updates per Patrick Harper's install guide (2/14/2004).  The
only variation: I used SNORT 2.1.1.

I have installed SNORT on Fedora Core without a problem and would still
use Fedora, except it won't compile libdnet-1.7 (for other stuff)...grrr.

-- I can log into MySQL using the user "snort" without any problems,
checking the event table returns:
 count(*)
  0

Also double checked INSERT, SELECT, DELETE, etc permissions

-- Network traffic is visible to eth0 using -v, including when NMAP'ing
from another box on the network

-- No abnormal entries in .err or message file
040320 10:08:50  mysqld started
040320 10:08:56  InnoDB: Started
/usr/local/mysql/libexec/mysqld: ready for connections.
Version: '4.0.17-log'  socket: '/tmp/mysql.sock'  port: 3306


Puzzled beyond belief :)  I'm probably missing the obvious, hopefully
someone could point out what might be causing this.

Much thanks!

Rush

***additional info***


Linux localhost 2.4.20-30.9 

***ifconfig***
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34465 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4200 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2391900 (2.2 Mb)  TX bytes:327793 (320.1 Kb)
          Interrupt:9 Base address:0x6000


***Server initialization***

[root@localhost root]# /usr/local/bin/snort -de -i eth0 -c /etc/snort/snort.conf -l /var/log/snort
Running in IDS mode
Log directory = /var/log/snort
 
Initializing Network Interface eth0
 
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
 
<snipped>

database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = 192.168.1.20
database:     sensor id = 1
database: schema version = 106
database: using the "alert" facility
1615 Snort rules read...
1615 Option Chains linked into 166 Chain Headers
0 Dynamic rules


***snort.conf***
Default file except
var HOME_NET 192.168.1.1
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=snort password=xxxxx dbname=snort host=localhost port=3306 detail=full

***grep stuff***
[root@localhost root]# ps -ef |grep snort
root      2176  1978  0 10:56 pts/0    00:00:01 /usr/local/bin/snort -i eth0 -c /etc/snort/snort.conf -l /var/log/snort
root      2191  2074  0 11:16 pts/1    00:00:00 grep snort
[root@localhost root]# ps -ef |grep mysql
root      1670     1  0 10:08 ?        00:00:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/usr/local/mysql/var --pid-file=/usr/local/mysql/var/localhost.pid
mysql     1718  1670  0 10:08 ?        00:00:00 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql --pid-file=/usr/local/mysql/var/localhost.pid --skip-locking --port=3306 --socket=/tmp/mysql.sock
root      2193  2074  0 11:17 pts/1    00:00:00 grep mysql
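Editor's note on the posted configuration: the snort.conf above sets HOME_NET to the single host 192.168.1.1, while the sensor's own address (from the ifconfig output) is 192.168.1.20. In Snort 2.x, any rule written as `$EXTERNAL_NET any -> $HOME_NET any` is evaluated against the packet's destination, so such rules cannot fire on traffic aimed at the sensor itself, and a 0-byte alert file plus an empty event table is exactly what an empty rule match set looks like, whatever the state of the MySQL plugin. The script below is an added example, not code from the original message or from the Snort project: it takes the posted `var` and `output database:` lines as constructed input, evaluates Snort's IP-list syntax (`any`, a host or CIDR, `[a,b]` lists, `!` negation) against the sensor address, checks that the database output line carries the fields the plugin needs, and prints a catch-all test rule. The function names and the rule sid are the example's own. Loading that test rule and pinging the sensor from another box is the check a practitioner would run first: if it alerts, detection and the output plugins work and the problem is rule scope; if it does not, the problem is upstream of the database.

```python
"""Lint a Snort 2.x snort.conf against the address of the sniffing interface.

Added example, not from the original post or the Snort project. It reproduces
the HOME_NET and 'output database:' lines the post shows as constructed input.
"""
import ipaddress
import re

# Constructed input: the poster's variations on the default Snort 2.1.1
# snort.conf, plus the default EXTERNAL_NET definition from that file.
SNORT_CONF = """\
var HOME_NET 192.168.1.1
var EXTERNAL_NET any
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=snort password=xxxxx dbname=snort host=localhost port=3306 detail=full
"""
SENSOR_IP = "192.168.1.20"  # eth0 address from the posted ifconfig

# Catch-all rule that ignores HOME_NET entirely; the sid is arbitrary (local
# rules use sids >= 1000000). Assumed test procedure, not from the post.
TEST_RULE = 'alert icmp any any -> any any (msg:"catch-all icmp test"; sid:1000001; rev:1;)'


def parse_vars(conf):
    """Collect 'var NAME VALUE' definitions; a later definition wins."""
    out = {}
    for line in conf.splitlines():
        m = re.match(r"\s*var\s+(\w+)\s+(\S+)", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def expand(value, variables):
    """Substitute $NAME references until none remain (KeyError if undefined)."""
    prev = None
    while prev != value:
        prev = value
        value = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], value)
    return value


def address_in_list(ip, spec):
    """Evaluate a Snort 2.x IP list ('any', host, CIDR, '[a,!b]', '!list') for one address.

    An address matches when it falls in some positive entry (or there are none)
    and in no negated entry; a leading '!' inverts the whole result.
    """
    addr = ipaddress.ip_address(ip)
    spec = spec.strip()
    if spec == "any":
        return True
    negate_all = spec.startswith("!")
    if negate_all:
        spec = spec[1:]
    if spec.startswith("[") and spec.endswith("]"):
        entries = [e.strip() for e in spec[1:-1].split(",") if e.strip()]
    else:
        entries = [spec]
    positives = [ipaddress.ip_network(e, strict=False) for e in entries if not e.startswith("!")]
    negatives = [ipaddress.ip_network(e[1:], strict=False) for e in entries if e.startswith("!")]
    hit = not any(addr in n for n in negatives) and (not positives or any(addr in n for n in positives))
    return (not hit) if negate_all else hit


def parse_output_database(conf):
    """Parse 'output database: <facility>, <dbtype>, k=v ...' into a dict, or None."""
    for line in conf.splitlines():
        m = re.match(r"\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)", line)
        if m:
            params = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
            return {"facility": m.group(1), "dbtype": m.group(2), **params}
    return None


def diagnose(conf, sensor_ip):
    """Return the findings to clear before suspecting the MySQL output plugin."""
    findings = []
    variables = parse_vars(conf)
    home = expand(variables.get("HOME_NET", "any"), variables)
    if not address_in_list(sensor_ip, home):
        findings.append("sensor %s is not in HOME_NET (%s): rules of the form "
                        "'$EXTERNAL_NET any -> $HOME_NET any' cannot fire on traffic "
                        "sent to the sensor itself" % (sensor_ip, home))
    db = parse_output_database(conf)
    if db is None:
        findings.append("no 'output database:' line; nothing will be written to MySQL")
    else:
        for key in ("user", "dbname", "host"):
            if key not in db:
                findings.append("output database: missing %s=" % key)
        if db["facility"] not in ("alert", "log"):
            findings.append("output database: facility must be 'alert' or 'log', got %r" % db["facility"])
    return findings


if __name__ == "__main__":
    for finding in diagnose(SNORT_CONF, SENSOR_IP):
        print("FINDING:", finding)
    print("test rule to add to local.rules:", TEST_RULE)
```

Run against the posted values the script reports one finding, the HOME_NET scope; with `var HOME_NET 192.168.1.0/24` it reports none. The IP-list evaluator follows Snort 2.x semantics for bracket lists and negation, so it can be pointed at any other `var` that feeds a rule's address fields.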

