Snort mailing list archives

Interesting snort + mysql issue (kind of ODD)


From: "James Lay" <jlay () ameriben com>
Date: Tue, 26 Apr 2005 07:56:28 -0600

Hey All!

So I originally had my BASE and snort mysql db on the same box...all went
well.  I decided to move the mysql install and db to a Mac OSX machine.  I
"thought" all went well.  Here's the issue I'm having:

My rc.snort script (running on slackware 10.1) has:

/usr/local/bin/snort -i eth1 -D -o -c /etc/snort/snort.conf "ip and not udp port 4500"

as the startup line.  If this is run manually things go fine...snort starts
and logs to mysql.  Here is an update script that I use to grab bleeding
rules:

#!/bin/bash
cd /home/jlay/
wget http://www.bleedingsnort.com/bleeding.rules.tar.gz
tar zxvf bleeding.rules.tar.gz
cp -v rules/bleeding*.rules /etc/snort/rules/
cat /etc/snort/sid-msg.map.orig /home/jlay/rules/bleeding-sid-msg.map /etc/snort/sid-msg.map.gateway | sort -u > /etc/snort/sid-msg.map
/etc/rc.d/rc.snort stop
/etc/rc.d/rc.snort start
rm /home/jlay/bleeding.rules.tar.gz

This daily job is run as root at 4:20 AM.  When this is run, snort starts
and connects to the mysql db, but it doesn't log anything.  CAN I GET A WHAT
THE HECK OVER.  Does anyone have a clue on why this would be like this?  The
user the db uses is snort with all permissions.  ODD.  Thanks all!

James Lay
Network Manager/Security Officer
AmeriBen Solutions/IEC Group
Deo Gloria!!!



