Snort mailing list archives

Re: What causes snort rules to insert into mysql.


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 8 Jun 2009 17:58:30 -0400

Did you compile with mysql support into Snort?
Setting aside the fact that you really should be outputting in unified
format and then using barnyard to read the unified data and insert it into the db,
you should probably look in /var/log/messages or a similar system log file.

J

On Mon, Jun 8, 2009 at 5:06 PM, Richard Buskirk <rbuskirk () planettele com> wrote:

output database: log, mysql, user=snorter password=***** dbname=snort host=localhost



I shadowed out the password for my own safety.

Is that how I am supposed to do it?

If that errors, where will I see the errors? I have looked at every log
file I can find and found no connection errors.

From: John Gay [mailto:john.gay () sourcefire com]
Sent: Monday, June 08, 2009 4:54 PM
To: Richard Buskirk
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] What causes snort rules to insert into mysql.

You need to tell snort to use the database.  What is in your snort.conf and
what is the command you are using to start it with?

John

On Jun 8, 2009 4:50 PM, "Richard Buskirk" <rbuskirk () planettele com> wrote:

If I have a rule that is like this.



alert tcp $HOME_NET any -> !$HOME_NET 21 (msg:"TCP ftp-data File Transfer"; sid:1010;)



I just made up the sid. I am still not understanding how this works, I
guess. It logs this all day long in the /var/log/snort/alert file.

Is there something special I have to do to it to make it log into the mysql
database?

Do I have to be careful on the sid numbers I assign to rules?

mysqld (pid 3086) is running...



I can log in with the snort user

mysql -u snorter -p

Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 2

Server version: 5.0.45 Source distribution

mysql>



I have full access to the tables required.

mysql> SELECT * FROM snort.detail;
+-------------+-------------+
| detail_type | detail_text |
+-------------+-------------+
|           0 | fast        |
|           1 | full        |
+-------------+-------------+
2 rows in set (0.00 sec)

mysql>

mysql> INSERT INTO snort.data (sid,cid,data_payload) VALUES ('1','1','test');

Query OK, 1 row affected (0.00 sec)



But none of the rules are inserting into mysql.



Snort is configured --with-mysql.



HELP lol…..



------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing
server and web deployment.
http://p.sf.net/sfu/businessobjects
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
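The two ways to get Snort events into the snort MySQL schema, written out as an added example for this page (it is not the poster's configuration and not taken from the Snort or barnyard2 projects): the direct database output plugin that the config in the thread uses, and the unified2 spool plus barnyard2 pipeline that Joel recommends. The spool file name, log directory, sensor hostname, interface and waldo path are assumptions; "unified2" and "barnyard2" are assumed to be the unified format and barnyard version meant in the thread.

```conf
# --- snort.conf as in the thread: snort itself connects to MySQL.
# Each insert runs inside the packet-processing path, so a slow or unreachable
# database stalls detection, and the DB password has to live in snort.conf.
output database: log, mysql, user=snorter password=***** dbname=snort host=localhost

# --- snort.conf, the pipeline Joel recommends: snort writes a unified2 spool only.
# "limit 128" rolls the spool file at 128 MB. Directory and file name are assumptions.
config logdir: /var/log/snort
output unified2: filename snort.u2, limit 128

# --- barnyard2.conf (separate process; the only place the DB password now lives,
# so keep the file readable by the barnyard2 user alone, e.g. mode 0600).
config hostname:  sensor1
config interface: eth0
input unified2
output database: log, mysql, user=snorter password=***** dbname=snort host=localhost

# --- start barnyard2 against the spool. The waldo file records the last record
# read, so a restart resumes where it stopped instead of re-inserting events
# (paths are assumptions):
#   barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 \
#             -w /var/log/snort/barnyard2.waldo -D
```

With the spool in between, a database outage or a lock on the event table no longer affects the sensor, and the MySQL account credentials are only needed on the host that runs barnyard2. Before suspecting the database, check the snort.conf the running process was started with: `snort -T -c /etc/snort/snort.conf` parses the configuration and reports the output plugins it would load without sniffing traffic.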




-- 
joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974
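What barnyard actually reads from such a spool, as an added example written for this page (not Snort's or barnyard's own code): a parser for the unified2 record format, where every record is an 8-byte big-endian header of type and length followed by a body, type 7 being a 52-byte IPv4 IDS event and type 2 a packet record. The sample spool is constructed inline: one event for the thread's sid 1010 rule hitting port 21, its packet, and a deliberately truncated trailing record of the kind a reader sees while snort is still writing. Addresses and timestamps are made up.

```python
"""Parse Snort unified2 spool records (the format barnyard/barnyard2 consume).

Added example for the mailing-list thread; not Snort or barnyard code.
"""
import socket
import struct

UNIFIED2_PACKET = 2      # Unified2Packet record
UNIFIED2_IDS_EVENT = 7   # Unified2IDSEvent record (IPv4)

_HDR = struct.Struct("!II")             # record type, record length (network order)
_IDS_EVENT = struct.Struct("!11I2H4B")  # 52-byte IPv4 IDS event body
_IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact",
    "blocked",
)
_PACKET = struct.Struct("!7I")  # packet body header, followed by packet bytes
_PACKET_FIELDS = (
    "sensor_id", "event_id", "event_second", "packet_second",
    "packet_microsecond", "linktype", "packet_length",
)


def _ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def parse_unified2(buf):
    """Return [(record_type, fields)] for every complete record in buf.

    A trailing partial record is left unparsed: a spool reader has to stop
    there and wait for snort to finish writing it.
    """
    records = []
    off = 0
    while off + _HDR.size <= len(buf):
        rtype, rlen = _HDR.unpack_from(buf, off)
        start, end = off + _HDR.size, off + _HDR.size + rlen
        if end > len(buf):
            break
        body = buf[start:end]
        if rtype == UNIFIED2_IDS_EVENT and rlen >= _IDS_EVENT.size:
            rec = dict(zip(_IDS_EVENT_FIELDS, _IDS_EVENT.unpack_from(body)))
            rec["src"], rec["dst"] = _ip(rec["ip_source"]), _ip(rec["ip_destination"])
        elif rtype == UNIFIED2_PACKET and rlen >= _PACKET.size:
            rec = dict(zip(_PACKET_FIELDS, _PACKET.unpack_from(body)))
            rec["packet"] = body[_PACKET.size:_PACKET.size + rec["packet_length"]]
        else:
            rec = {"raw": body}  # unknown or malformed record: keep bytes, do not guess
        records.append((rtype, rec))
        off = end
    return records


def build_ids_event(sensor_id, event_id, ts, sid, gid, rev, src, dst,
                    sport, dport, proto, classification=0, priority=3):
    """Serialize an IPv4 IDS event record (used here only to construct sample input)."""
    body = _IDS_EVENT.pack(
        sensor_id, event_id, ts, 0, sid, gid, rev, classification, priority,
        struct.unpack("!I", socket.inet_aton(src))[0],
        struct.unpack("!I", socket.inet_aton(dst))[0],
        sport, dport, proto, 0, 0, 0)
    return _HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(sensor_id, event_id, ts, pkt, linktype=1):
    """Serialize a packet record that belongs to event (sensor_id, event_id)."""
    body = _PACKET.pack(sensor_id, event_id, ts, ts, 0, linktype, len(pkt)) + pkt
    return _HDR.pack(UNIFIED2_PACKET, len(body)) + body


def pair_events_with_packets(records):
    """Join packet records to their event by (sensor_id, event_id), which is the
    correlation barnyard does before writing the event and its payload."""
    events = {}
    for rtype, rec in records:
        if rtype == UNIFIED2_IDS_EVENT:
            events[(rec["sensor_id"], rec["event_id"])] = dict(rec, packets=[])
    for rtype, rec in records:
        if rtype == UNIFIED2_PACKET:
            key = (rec["sensor_id"], rec["event_id"])
            if key in events:
                events[key]["packets"].append(rec["packet"])
    return events


# Constructed sample spool: the thread's sid 1010 rule firing once on a connection
# to port 21, the matching packet record, then a truncated record (header claims
# 52 bytes, only 10 present) that the parser must leave alone.
SAMPLE = (
    build_ids_event(0, 1, 1244494230, 1010, 1, 1, "10.0.0.5", "192.0.2.10", 40123, 21, 6)
    + build_packet(0, 1, 1244494230, b"\x00" * 14 + b"USER anonymous\r\n")
    + _HDR.pack(UNIFIED2_IDS_EVENT, 52) + b"\x00" * 10
)

if __name__ == "__main__":
    for (sensor, eid), ev in pair_events_with_packets(parse_unified2(SAMPLE)).items():
        print(sensor, eid, "gid:sid", ev["generator_id"], ev["signature_id"],
              ev["src"], "->", ev["dst"], ev["dport_icode"], len(ev["packets"]), "packet(s)")
```

The generator_id/signature_id pair in the event is what barnyard resolves against sid-msg.map to fill the signature table, which is why a made-up sid that collides with a shipped rule shows up under the wrong name in the database.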