Snort mailing list archives

RE: Exhausted - SNORT not logging to MySQL database


From: "Michael Steele" <michaels () winsnort com>
Date: Sat, 20 Mar 2004 17:34:27 -0800

Is Snort even running? Have you checked the error logs? Snort will fail if
it can't log into the MySQL database. Have you tried to run Snort in packet
sniffing mode? Have you tried to manually run the Snort run line?

Are you on a switch? If so you MUST be able to mirror. Try using a hub.

There should be some errors showing up somewhere.

Kindest regards, 

The WINSNORT.com Management Team
-- 
Pick up your FREE Windows or UNIX Snort installation guides       
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org
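The checks in the reply can be partly scripted. As an added example (not code from the thread or from the Snort project), the Python below compares the output database: line in snort.conf with what Snort itself reports in its startup banner, and checks that HOME_NET actually covers the sensor's own address, since rules written against $HOME_NET never fire for traffic to a host outside it. The sample input is constructed from the snort.conf fragment and banner quoted in the post below; the password is a placeholder as in the post.

```python
import ipaddress
import re

# Constructed sample input, copied from the snort.conf fragment and startup
# banner quoted in the thread (the password is a placeholder, as in the post).
SNORT_CONF = """\
var HOME_NET 192.168.1.1
output database: alert, mysql, user=snort password=xxxxx dbname=snort host=localhost port=3306 detail=full
"""
STARTUP_BANNER = """\
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = 192.168.1.20
"""

def parse_output_database(conf):
    """Return (facility, backend, {param: value}) from the 'output database:' line."""
    m = re.search(r"^output database:\s*(\w+),\s*(\w+),\s*(.*)$", conf, re.M)
    if not m:
        return None
    facility, backend, rest = m.groups()
    return facility, backend, dict(kv.split("=", 1) for kv in rest.split())

def parse_banner(banner):
    """Collect the 'database: key = value' lines Snort prints while initialising the plugin."""
    return dict(re.findall(r"^database:\s*(.+?)\s*=\s*(.+)$", banner, re.M))

def home_net_covers(home_net, sensor_ip):
    """True if HOME_NET (a single host, a CIDR block, or 'any') includes the sensor address."""
    if home_net == "any":
        return True
    return ipaddress.ip_address(sensor_ip) in ipaddress.ip_network(home_net, strict=False)

def check(conf, banner):
    """Report conf/banner mismatches for the database plugin, plus a HOME_NET sanity check."""
    _facility, _backend, params = parse_output_database(conf)
    seen = parse_banner(banner)
    problems = []
    for conf_key, banner_key in (("user", "user"), ("dbname", "database name"), ("host", "host")):
        if params.get(conf_key) != seen.get(banner_key):
            problems.append(f"{conf_key}: conf={params.get(conf_key)!r} snort={seen.get(banner_key)!r}")
    home_net = re.search(r"^var HOME_NET\s+(\S+)", conf, re.M).group(1)
    sensor = seen.get("sensor name")
    if sensor and not home_net_covers(home_net, sensor):
        problems.append(f"HOME_NET {home_net} does not include sensor address {sensor}")
    return problems
```

Run against the thread's values it reports only the HOME_NET finding: a single-host HOME_NET of 192.168.1.1 does not include the sensor at 192.168.1.20, so scans aimed at the sensor from another box match no $HOME_NET rule.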



-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-
admin () lists sourceforge net] On Behalf Of Your Name
Sent: Saturday, March 20, 2004 11:03 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Exhausted - SNORT not logging to MySQL database

After 2 days of searching mailing lists/FAQs/google I am at a loss as to
why SNORT will not log to the MySQL database and the alert file remains at 0
bytes.  I tried twice to set SNORT up on a fresh RedHat 9.0 install with
all RHN updates per Patrick Harper's install guide (2/14/2004).  The
only variation: I used SNORT 2.1.1

I have installed SNORT on Fedora Core without a problem and would still
use Fedora, except it won't compile libdnet-1.7 (for other stuff)...grrr.

-- I can log into MySQL using the user "snort" without any problems,
checking the event table returns:
 count(*)
  0

Also double checked INSERT, SELECT, DELETE, etc permissions

-- Network traffic is visible to eth0 using -v, including when NMAP'ing
from another box on the network

-- No abnormal entries in .err or message file
040320 10:08:50  mysqld started
040320 10:08:56  InnoDB: Started
/usr/local/mysql/libexec/mysqld: ready for connections.
Version: '4.0.17-log'  socket: '/tmp/mysql.sock'  port: 3306


Puzzled beyond belief :)  I'm probably missing the obvious, hopefully
someone could point out what might be causing this.

Much thanks!

Rush

***additional info***


Linux localhost 2.4.20-30.9

***ifconfig***
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34465 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4200 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2391900 (2.2 Mb)  TX bytes:327793 (320.1 Kb)
          Interrupt:9 Base address:0x6000


***Server initialization***

[root@localhost root]# /usr/local/bin/snort -de -i eth0 -c
/etc/snort/snort.conf -l /var/log/snort
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

<snipped>

database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = 192.168.1.20
database:     sensor id = 1
database: schema version = 106
database: using the "alert" facility
1615 Snort rules read...
1615 Option Chains linked into 166 Chain Headers
0 Dynamic rules


***snort.conf***
Default file except
var HOME_NET 192.168.1.1
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=snort password=xxxxx dbname=snort
host=localhost port=3306 detail=full

***grep stuff***
[root@localhost root]# ps -ef |grep snort
root      2176  1978  0 10:56 pts/0    00:00:01 /usr/local/bin/snort -i
eth0 -c
/etc/snort/snort.conf -l /var/log/snort
root      2191  2074  0 11:16 pts/1    00:00:00 grep snort
[root@localhost root]# ps -ef |grep mysql
root      1670     1  0 10:08 ?        00:00:00 /bin/sh
/usr/local/mysql/bin/mysqld_safe --datadir=/usr/local/mysql/var
--pid-file=/usr/local/mysql/var/localhost.pid
mysql     1718  1670  0 10:08 ?        00:00:00
/usr/local/mysql/libexec/mysqld
--basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql
--pid-file=/usr/local/mysql/var/localhost.pid --skip-locking --port=3306
--socket=/tmp/mysql.sock
root      2193  2074  0 11:17 pts/1    00:00:00 grep mysql


--



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users