Snort mailing list archives
Re: Snort Mysql Acid Combo
From: "M. Morgan" <mikemorgan () mindspring com>
Date: Wed, 4 Feb 2004 09:43:10 -0500 (GMT-05:00)
Sam,

In addition to what Mark has stated I'll throw in my two cents as well. It sounds to me like your output plugin for snort isn't configured to point to the right table in the mysql database. The output plugin should be something like this:

output database: alert, mysql, user=snort password=<password> dbname=snort host=localhost port=3306 sensor_name=[AUTO]

Be sure that the database has permissions assigned to user "snort" to allow access. Even if snort is sending data to the database, if the permissions aren't there MySql will simply ignore it.

btw: are you using that machine solely as an IDS box? or as a desktop too?

/michael

-----Original Message-----
From: Sam Osuala <sam.osuala () logiciel-inc com>
Sent: Feb 4, 2004 8:28 AM
To: Mark Fagan <r00t () online ie>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Mysql Acid Combo

Dear Mark,

/var/log/snort is not populated. There is also a success message from /etc/init.d/snort restart in /var/log/messages. The last line reads:

Feb 4 14:18:02 sniffer snort: Snort initialization complete successfully.

The entry sensor_name=mysensor,......what will I use if I installed everything on one Linux box.

Thanks
Sam

----- Original Message -----
From: "Mark Fagan" <r00t () online ie>
To: "Sam Osuala" <sam.osuala () logiciel-inc com>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, February 04, 2004 12:47 PM
Subject: Re: [Snort-users] Snort Mysql Acid Combo

Is /var/log/snort populated with logs? If so you probably don't have the correct entry in your snort.conf. It should be along the lines of:

output database: log, mysql, sensor_name=mysensor user=snortuser password=snortpassword dbname=snort host=dbhost

Also in the event you have a DB authentication issue, open two ssh sessions, one tailing the /var/log/messages file:

tail -f /var/log/messages

And one restarting snort:

/etc/init.d/snort restart

If you get a success message you probably don't have the correct output database statement.

Hope this helps.
Mark

Quoting Sam Osuala <sam.osuala () logiciel-inc com>:

I have installed a box with the following;
1] Redhat Linux 9.2
2] Snort 2.0.6
3] Mysql 4.0.17
4] Acid 0.9.6
5] php 4.3.4
6] zlib-1.1.4
7] libpcap-0.7.2
8] Apache 2.0.48 (not the one that came with the Linux)
9] jgraph 1.14
10] adodb 405

These are all installed in the Linux box above. The issue is that the mysql is not getting any logs in the database. If I start my snort with "snort -dvC" I get the alerts on the screen. What could be the problem. Do I have to keep the components in different machines?

Thanks
Sam
-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
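The thread comes down to two checks: is the "output database:" line in snort.conf complete, and does the MySQL user named in it actually hold privileges on that database. The script below is an added example, not code from the thread or from the Snort project: it parses the Snort 2.x "output database:" syntax quoted above, reports the parameters Snort needs to reach and authenticate to the database, and prints the GRANT that matches the parsed values. The two config files it writes are constructed samples; the GRANT assumes the MySQL 4.x "GRANT ... IDENTIFIED BY" syntax of that era and the INSERT/SELECT privileges a Snort sensor user needs. Note the host caveat: host= in snort.conf is where the database lives, while the host in the GRANT is where Snort connects from; on a single box, as in Sam's setup, both are localhost.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the "output database:"
# line of a snort.conf before chasing MySQL permission problems.
# Sample config files and their values are constructed for this example.

# get_param "key=value key=value ..." key  -> prints the value, or nothing
get_param() {
    echo " $1 " | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# first_output_line FILE -> the first uncommented "output database:" line
first_output_line() {
    grep -v '^[[:space:]]*#' "$1" | grep 'output database:' | head -n 1
}

# check_output_db FILE
# Returns 0 when the active line has a valid facility, the mysql driver and
# every parameter Snort needs to reach and authenticate to the database.
check_output_db() {
    conf="$1"
    line=$(first_output_line "$conf")
    if [ -z "$line" ]; then
        echo "$conf: no active 'output database:' line"
        return 1
    fi
    rest=${line#*"output database:"}        # "<facility>, <driver>, k=v ..."
    facility=$(echo "$rest" | cut -d, -f1 | tr -d ' ')
    driver=$(echo "$rest" | cut -d, -f2 | tr -d ' ')
    params=$(echo "$rest" | cut -d, -f3-)
    status=0
    case "$facility" in
        log|alert) ;;
        *) echo "$conf: facility must be 'log' or 'alert', got '$facility'"; status=1 ;;
    esac
    if [ "$driver" != "mysql" ]; then
        echo "$conf: driver is '$driver', expected 'mysql'"; status=1
    fi
    # Without any of these Snort cannot connect, so nothing reaches the tables
    # even though "snort -dv" happily prints alerts to the console.
    for key in user password dbname host; do
        [ -n "$(get_param "$params" "$key")" ] || { echo "$conf: missing parameter '$key'"; status=1; }
    done
    # port and sensor_name are treated as optional by this check.
    [ "$status" -eq 0 ] && echo "$conf: output database line looks complete"
    return "$status"
}

# grant_for FILE
# Prints the MySQL GRANT matching the parsed user/database (assumption:
# MySQL 4.x syntax, to be run as the MySQL root user).
grant_for() {
    params=$(echo "$(first_output_line "$1")" | sed 's/.*output database://' | cut -d, -f3-)
    user=$(get_param "$params" user)
    pass=$(get_param "$params" password)
    db=$(get_param "$params" dbname)
    host=$(get_param "$params" host)
    # The GRANT host is the address Snort connects FROM, not the DB server.
    case "$host" in
        localhost|127.0.0.1) from="localhost" ;;
        *) from="<sensor-host>" ;;
    esac
    echo "GRANT INSERT, SELECT ON $db.* TO '$user'@'$from' IDENTIFIED BY '$pass';"
}

WORK=${TMPDIR:-/tmp}/snortconf_example.$$
mkdir -p "$WORK"
GOOD_CONF=$WORK/good.conf
BAD_CONF=$WORK/bad.conf
# Constructed sample: single-box setup, with an old commented-out line that
# must be ignored.
cat > "$GOOD_CONF" <<'EOF'
# output database: log, mysql, user=old password=old dbname=old host=old
output database: alert, mysql, user=snort password=<password> dbname=snort host=localhost port=3306 sensor_name=[AUTO]
EOF
# Constructed sample with password and host left out.
cat > "$BAD_CONF" <<'EOF'
output database: log, mysql, sensor_name=mysensor user=snortuser dbname=snort
EOF

check_output_db "$GOOD_CONF" && grant_for "$GOOD_CONF"
check_output_db "$BAD_CONF" || echo "$BAD_CONF rejected as expected"
```

Run it against your real snort.conf by calling check_output_db on that path; a "looks complete" result narrows the problem to the database side, which is where Mark's two-terminal tail -f test and the GRANT come in.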
Current thread:
- Snort Mysql Acid Combo Sam Osuala (Feb 04)
- Re: Snort Mysql Acid Combo Martin Olsson (Feb 04)
- Re: Snort Mysql Acid Combo Sam Osuala (Feb 04)
- Re: Snort Mysql Acid Combo Martin Olsson (Feb 04)
- Re: Snort Mysql Acid Combo Sam Osuala (Feb 04)
- Re: Snort Mysql Acid Combo Josh Berry (Feb 04)
- Re: Snort Mysql Acid Combo Sam Osuala (Feb 04)
- Re: Snort Mysql Acid Combo Martin Olsson (Feb 04)
- Re: Snort Mysql Acid Combo Sam Osuala (Feb 04)
- <Possible follow-ups>
- Re: Snort Mysql Acid Combo M. Morgan (Feb 04)