Snort mailing list archives
Random DB names!
From: Paul.Clements () saga co uk
Date: Mon, 21 Mar 2005 16:11:14 +0000
Hello all,

I've been using snort happily for the last 3 years or so but now I've run into a strange problem. Due to a comedy intergen gas release and power down in our Data Centre, all 6 of our snort probes and the Management server were stopped abruptly. When I restarted the probes everything seemed to be working as normal until we noticed we weren't receiving the volume of alerts that we are used to. On closer inspection (using the -v and -T switches) we noticed that the database that some of the probes were logging to had changed from what we had configured them to use :-

    database: compiled support for ( mysql )
    database: configured to use mysql
    database: user = s^ort0n3
    database: password is set
    database: database name = snort
    database: host = XXX.XXX.XXX.XXX
    database: sensor name = XXXXX.saga.co.uk:eth1
    database: sensor id = 1
    database: schema version = 106
    database: using the "log" facility to find_sucess: 0 find_fail: 3 percent_success: (%0.000000) new_flows: 3
    database: Closing connection to database "etected"

As you can see, when I exit the probe it's reporting that it's closing the connection to "etected" (on other probes the database has changed to other names, e.g. "ersion") and not "snort" as it's clearly set to log to in the snort.conf!?!?!? If it's trying to connect to the wrong DB why doesn't it refuse to start with a connection error??!?

I've tried the following :-

Restoring the snort.conf with a backup and a fresh copy - with no joy.
Dropping the aanval and snort databases and recreating them - with no joy.
Reinstalling snort using the latest version - now interestingly this seems to work for a while then the same problem reoccurs!

We're running :-

Probes : Fedora 3, Mandrake and snort 2.3.1
Management Server : Fedora 3, apache, mysql, aanval and base.

Has anyone else had this problem?

Kind Regards
Paul