Snort mailing list archives
Re: output module bug in 2.4.3-RC3
From: Michael W Cocke <cocke () catherders com>
Date: Mon, 23 Jan 2006 17:56:10 -0500
<sigh> What I forgot to write was that I'm currently running snort_inline _AND_ snort, exactly like this:

    snort_inline -c /etc/snort/snort.conf -Q
    snort -c /etc/snort/snort.conf

If I drop the -Q from the snort command line (or the snort_inline command line), database writes work fine. What I have no confidence in and no way to test is if anything is actually being done with the packets in the queue.

Database connectivity is working fine - as long as I don't try to use the QUEUE facility in either snort or snort_inline.

Mike-

On Mon, 23 Jan 2006 17:14:14 -0500, you wrote:
First, verify connectivity to the db host using the mysql client on the sensor. It should be something along the lines of:

    # mysql -p
    Enter password: xxx
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 28 to server version: x.x.x

Did you configure the db for logging use in snort.conf? The line should look something like:

    output database: log, mysql, user=<user> password=<password> dbname=<db name> host=<host>

If so, did you create the tables in the db for snort to use to log the alerts using ./snort-2.4.3/schemas/create_mysql?

If so, did you give the proper grants to the tables for insert/update/delete, where appropriate, to the user defined in the snort.conf file?

Axton Grams

On 1/23/06, Michael W Cocke <cocke () catherders com> wrote:

I was absolutely certain that it was something that I did wrong, so I went back to the beginning, reinstalled all the requires, compiled snort from scratch, turned on every log file I could find, and built a rule to log every occurrence of GET on port 80. I've tried both snort and snort-inline compiled with --enable-inline and --with-mysql. Running with this command line

    snort -Q -c /etc/snort/snort.conf -v

(replace snort with snort_inline as you wish), I get lots of screen activity from the -v, but snort doesn't write anything to a mysql database. Neither does snort_inline 2.4.3-RC3, compiled with the same options.

If anyone has a suggestion or would like me to try something, email me.

Mike-

--
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
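The checklist in the quoted reply (client connectivity, the `output database:` line, the create_mysql tables, the grants) can be run as a single pre-flight script on the sensor. The script below is an added example written for this archive page; it is not code from the thread or from the Snort project. It assumes a snort.conf containing an `output database: ..., mysql, ...` line, the `mysql` command-line client on the sensor, and the table names that schemas/create_mysql in Snort 2.4.x creates (that list is an assumption; compare it against your own copy of the schema file). The parsing and comparison functions work offline; the live checks run only when `mysql` is installed and a config path is given.

```shell
#!/bin/sh
# Added example: pre-flight checks for Snort's MySQL output plugin.
# Not from the original thread; see the assumptions in the lead-in above.

# db_param FILE KEY: value of KEY (user, password, dbname, host, ...) taken
# from the first "output database: ..., mysql, ..." line in FILE; empty if absent.
db_param() {
    sed -n '/^output database:.*mysql/{p;q;}' "$1" \
      | tr ' ' '\n' \
      | sed -n "s/^$2=//p" \
      | head -n1
}

# Tables that schemas/create_mysql creates in Snort 2.4.x (assumed list).
EXPECTED_TABLES="schema event signature sig_reference reference reference_system sig_class sensor iphdr tcphdr udphdr icmphdr opt data detail encoding"

# missing_tables "name name ...": prints every expected table absent from the list.
missing_tables() {
    for t in $EXPECTED_TABLES; do
        case " $1 " in
            *" $t "*) ;;
            *) printf '%s\n' "$t" ;;
        esac
    done
}

# grant_sql USER CLIENT_HOST DBNAME: the GRANT the reply asks for (insert/update/
# delete plus select, which the plugin needs to read sensor/signature rows).
grant_sql() {
    printf "GRANT SELECT, INSERT, UPDATE, DELETE ON %s.* TO '%s'@'%s';\n" "$3" "$1" "$2"
}

# preflight SNORT_CONF: runs the four checks against the configured database.
preflight() {
    conf=$1
    user=$(db_param "$conf" user)
    pass=$(db_param "$conf" password)
    db=$(db_param "$conf" dbname)
    host=$(db_param "$conf" host)
    host=${host:-localhost}
    if [ -z "$user" ] || [ -z "$db" ]; then
        echo "no usable 'output database: ..., mysql, ...' line in $conf" >&2
        return 1
    fi
    echo "config: user=$user dbname=$db host=$host"
    if ! command -v mysql >/dev/null 2>&1; then
        echo "mysql client not installed on this sensor; skipping live checks"
        return 0
    fi
    # 1. connectivity as the snort user; MYSQL_PWD keeps the password out of ps output
    if ! MYSQL_PWD=$pass mysql -h "$host" -u "$user" -e 'SELECT 1' "$db" >/dev/null; then
        echo "cannot connect to $db on $host as $user" >&2
        return 1
    fi
    # 2. tables from schemas/create_mysql
    present=$(MYSQL_PWD=$pass mysql -h "$host" -u "$user" -N -e 'SHOW TABLES' "$db" | tr '\n' ' ')
    miss=$(missing_tables "$present")
    if [ -n "$miss" ]; then
        echo "missing tables (run schemas/create_mysql): $(echo "$miss" | tr '\n' ' ')" >&2
        return 1
    fi
    # 3. grants: print what the user has next to what it needs (adjust the client
    #    host to the sensor's address as the database server sees it)
    MYSQL_PWD=$pass mysql -h "$host" -u "$user" -e 'SHOW GRANTS' "$db"
    echo "expected at least: $(grant_sql "$user" localhost "$db")"
}

# usage: sh preflight.sh /etc/snort/snort.conf
if [ -n "${1:-}" ]; then
    preflight "$1"
fi
```

Run it as the same user and from the same host that snort runs on, so that a host-specific grant mismatch shows up here rather than at start-up.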
Current thread:
- output module bug in 2.4.3-RC3 Michael W Cocke (Jan 23)
- Message not available
- Re: output module bug in 2.4.3-RC3 Michael W Cocke (Jan 23)
- Message not available
- Re: output module bug in 2.4.3-RC3 Michael W Cocke (Jan 23)
- Message not available
- Re: output module bug in 2.4.3-RC3 Michael W Cocke (Jan 23)
- Message not available
- Re: output module bug in 2.4.3-RC3 Michael W Cocke (Jan 23)
- Re: output module bug in 2.4.3-RC3 Will Metcalf (Jan 23)
- Re: output module bug in 2.4.3-RC3 Michael W Cocke (Jan 24)
- Re: output module bug in 2.4.3-RC3 Michael W Cocke (Jan 23)
- Message not available