Snort mailing list archives

Re: What causes snort rules to insert into mysql.


From: John Gay <john.gay () sourcefire com>
Date: Mon, 8 Jun 2009 16:54:07 -0400

You need to tell snort to use the database.  What is in your snort.conf and
what is the command you are using to start it with?

John

On Jun 8, 2009 4:50 PM, "Richard Buskirk" <rbuskirk () planettele com> wrote:

If I have a rule that is like this.

# custom rule: alert on TCP from $HOME_NET to port 21 on any non-home host
alert tcp $HOME_NET any -> !$HOME_NET 21 (msg:"TCP ftp-data File Transfer"; sid:1010;)



I just made up the sid. I am still not understanding how this works I guess.
It logs this all day long in the /var/log/snort/alert file.

Is there something special I have to do to it to make it log into the mysql
database?

Do I have to be careful on the sid numbers I assign to rules?





mysqld (pid 3086) is running...



I can login with the snort user

mysql -u snorter -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.0.45 Source distribution
mysql>



I have full access to the tables required.

mysql> SELECT * FROM snort.detail;
+-------------+-------------+
| detail_type | detail_text |
+-------------+-------------+
|           0 | fast        |
|           1 | full        |
+-------------+-------------+
2 rows in set (0.00 sec)

mysql>





mysql> INSERT INTO snort.data (sid,cid,data_payload) VALUES ('1','1','test');
Query OK, 1 row affected (0.00 sec)



But none of the rules are inserting into mysql.



Snort is configured --with-mysql.



HELP lol.....

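The snort.conf output directive John is pointing at, shown here as an added example that is not from this thread. It reuses the `snort` database and `snorter` user from the message and assumes MySQL on localhost, a placeholder password, and /etc/snort/snort.conf as the config path.

```conf
# Added example, not part of the original thread.
# Assumptions: MySQL on localhost, database 'snort', DB user 'snorter'
# (names from the message), password is a placeholder to be replaced.
#
# Snort only writes to <logdir>/alert (e.g. /var/log/snort/alert) unless an
# output plugin for the database is enabled here. The "alert" keyword in a
# rule does not by itself send anything to MySQL.

# Hand every alert-type event to the MySQL output plugin.
# "alert" as the first argument binds it to alert rules (the poster's rule);
# use "log" instead to bind it to log rules.
output database: alert, mysql, user=snorter password=CHANGE_ME dbname=snort host=localhost sensor_name=sensor1 detail=full encoding=hex

# detail=full / detail=fast correspond to the two rows in snort.detail.
# encoding=hex controls how data_payload is stored.
#
# The file now contains a database credential: keep it readable only by the
# account Snort runs as, and grant 'snorter' only the privileges it needs
# on the snort schema rather than a global account.
#
# The directive only takes effect when Snort is started with this file:
#   snort -c /etc/snort/snort.conf -i eth0 -D
```
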
------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing
server and web deployment.
http://p.sf.net/sfu/businessobjects
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users