Snort mailing list archives
RE: Exhausted - SNORT not logging to MySQL database
From: "Mark E. Donaldson" <markee () bandwidthco com>
Date: Sat, 20 Mar 2004 20:17:20 -0800
If you're not logging to the alert file as well as MYSQL, then your problem is probably with snort and not MYSQL. Before you start snort, run a tail -f /var/log/messages and see if snort is actually starting and functioning properly. Start there and we'll see what else.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Your Name
Sent: Saturday, March 20, 2004 11:03 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Exhausted - SNORT not logging to MySQL database

After 2 days of searching mailing lists/FAQs/google I am at a loss as to why SNORT will not log to MySQL database and alert file remains at 0 bytes. I tried twice to set SNORT up on a fresh RedHat 9.0 install with all RHN updates per Patrick Harper's install guide (2/14/2004). The only variation: I used SNORT 2.1.1. I have installed SNORT on Fedora Core without a problem and would still use Fedora, except it won't compile libdnet-1.7 (for other stuff)...grrr.

-- I can log into MySQL using the user "snort" without any problems; checking the event table returns:
count(*)
0
Also double checked INSERT, SELECT, DELETE, etc. permissions

-- Network traffic is visible to eth0 using -v, including when NMAP'ing from another box on the network

-- No abnormal entries in .err or message file
040320 10:08:50 mysqld started
040320 10:08:56 InnoDB: Started
/usr/local/mysql/libexec/mysqld: ready for connections.
Version: '4.0.17-log' socket: '/tmp/mysql.sock' port: 3306

Puzzled beyond belief :) I'm probably missing the obvious, hopefully someone could point out what might be causing this. Much thanks!

Rush

***additional info***
Linux localhost 2.4.20-30.9

***ifconfig***
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
 inet addr:192.168.1.20 Bcast:192.168.1.255 Mask:255.255.255.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:34465 errors:0 dropped:0 overruns:0 frame:0
 TX packets:4200 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:100
 RX bytes:2391900 (2.2 Mb) TX bytes:327793 (320.1 Kb)
 Interrupt:9 Base address:0x6000

***Server initialization***
[root@localhost root]# /usr/local/bin/snort -de -i eth0 -c /etc/snort/snort.conf -l /var/log/snort
Running in IDS mode
Log directory = /var/log/snort
Initializing Network Interface eth0
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
<snipped>
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = localhost
database: sensor name = 192.168.1.20
database: sensor id = 1
database: schema version = 106
database: using the "alert" facility
1615 Snort rules read...
1615 Option Chains linked into 166 Chain Headers
0 Dynamic rules

***snort.conf***
Default file except
var HOME_NET 192.168.1.1
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=snort password=xxxxx dbname=snort host=localhost port=3306 detail=full

***grep stuff***
[root@localhost root]# ps -ef |grep snort
root 2176 1978 0 10:56 pts/0 00:00:01 /usr/local/bin/snort -i eth0 -c /etc/snort/snort.conf -l /var/log/snort
root 2191 2074 0 11:16 pts/1 00:00:00 grep snort
[root@localhost root]# ps -ef |grep mysql
root 1670 1 0 10:08 ? 00:00:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/usr/local/mysql/var --pid-file=/usr/local/mysql/var/localhost.pid
mysql 1718 1670 0 10:08 ? 00:00:00 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql --pid-file=/usr/local/mysql/var/localhost.pid --skip-locking --port=3306 --socket=/tmp/mysql.sock
root 2193 2074 0 11:17 pts/1 00:00:00 grep mysql
--

-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.
http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
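An added triage helper, not part of this thread and not Snort project code, that checks the things the exchange above points at before anyone looks at MySQL: whether the startup banner shows the database output plugin configured and rules loaded, and whether the HOME_NET variable covers the sensor's own address. The last check matters because most rules in a stock Snort 2.x ruleset are written as $EXTERNAL_NET -> $HOME_NET, so with HOME_NET set to a single host that is not the sensor, a scan aimed at the sensor itself matches nothing and both the alert file and the event table stay empty. The startup lines and snort.conf fragment below are constructed from what the poster showed; the sensor address 192.168.1.20 is the one in the thread.

```python
import ipaddress
import re

# Constructed sample input: a trimmed Snort 2.x startup banner modelled on the
# one posted in the thread, not captured from a live sensor.
STARTUP_OUTPUT = """\
Running in IDS mode
Log directory = /var/log/snort
Initializing Network Interface eth0
Initializing Output Plugins!
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: database name = snort
database: host = localhost
database: sensor name = 192.168.1.20
database: sensor id = 1
database: using the "alert" facility
1615 Snort rules read...
1615 Option Chains linked into 166 Chain Headers
0 Dynamic rules
"""

# Constructed snort.conf fragment matching the thread: HOME_NET is one host,
# and that host is not the sensor's own address.
SNORT_CONF = """\
var HOME_NET 192.168.1.1
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=snort password=xxxxx dbname=snort host=localhost port=3306 detail=full
"""


def parse_home_net(conf_text):
    """Return the networks HOME_NET covers. 'any' maps to 0.0.0.0/0 and a
    bracketed list such as [10.0.0.0/8,192.168.1.0/24] is split into parts."""
    m = re.search(r"^\s*var\s+HOME_NET\s+(\S+)", conf_text, re.MULTILINE)
    if not m:
        return []
    nets = []
    for item in m.group(1).strip("[]").split(","):
        item = item.strip()
        if item == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def parse_startup(text):
    """Pull the facts the banner exposes: the database backend the output
    plugin configured, the sensor name, and how many rules were loaded."""
    info = {"db_backend": None, "sensor_name": None, "rules_read": 0}
    for line in text.splitlines():
        m = re.match(r"database: configured to use (\S+)", line)
        if m:
            info["db_backend"] = m.group(1)
        m = re.match(r"database: sensor name = (\S+)", line)
        if m:
            info["sensor_name"] = m.group(1)
        m = re.match(r"(\d+) Snort rules read", line)
        if m:
            info["rules_read"] = int(m.group(1))
    return info


def triage(startup_text, conf_text, sensor_ip):
    """Return findings that explain why a sensor that sees traffic can still
    produce no alerts, and therefore nothing for the database plugin to insert."""
    findings = []
    info = parse_startup(startup_text)
    if info["db_backend"] is None:
        findings.append("database output plugin reported no backend; "
                        "check the 'output database:' line in snort.conf")
    if info["rules_read"] == 0:
        findings.append("0 rules loaded; with no rules nothing is ever alerted or logged")
    nets = parse_home_net(conf_text)
    addr = ipaddress.ip_address(sensor_ip)
    if not nets:
        findings.append("no HOME_NET definition found in snort.conf")
    elif not any(addr in n for n in nets):
        findings.append(
            "HOME_NET %s does not include the sensor address %s; most rules match "
            "traffic destined to $HOME_NET, so a scan aimed at the sensor never alerts"
            % (", ".join(str(n) for n in nets), sensor_ip))
    return findings


if __name__ == "__main__":
    for finding in triage(STARTUP_OUTPUT, SNORT_CONF, "192.168.1.20"):
        print("-", finding)
```

Run against the thread's values it reports only the HOME_NET mismatch; widen HOME_NET to 192.168.1.0/24 (or any) and the triage comes back clean, which is the point at which checking the MySQL side becomes worthwhile.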