Snort mailing list archives

RE: Snort+database HOWTO???


From: Peter Bates <Peter.Bates () lshtm ac uk>
Date: Mon, 09 Jul 2001 17:17:39 +0100


Hello again all...

User error, I suspect, caused my problems...

I fiddled with so many things that I don't really
know what I changed!

First of all, postgres (postmaster) wasn't starting
with the -i option, and so was only opening a
Unix domain socket... I presume, following that,
that the snort db plugin explicitly uses TCP/IP sockets.

I also might have had ipchains/iptables on the box filtering
out the accesses (but that seems unlikely), but the real
show-stopper was my strange combination of logging
and command-line switches...

For historical reasons, I've been logging to syslog (to watch,
and to use snort-stat), to /var/log/snort (to contribute to
the securityfocus ARIS project), and I was now trying to
have a quick look at ACID to then remove one of the other logging forms...

I was starting snort with:

snort -u snort -g snort -de -D -o -i ethx -N -l /var/log/snort -c /etc/snort.conf

and the -N was making the merry thing segfault.

Then in snort.conf I had:

output alert_syslog: LOG_AUTH LOG_ALERT
output alert_full: alert
output database: log, postgresql, etc. etc. .etc


A case of 'too many command-line options and outputs spoil the snort'.





-------------------------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax: 0207-436 5389 / Pager: 07625 255362
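The combination the post ends on (snort started with -N while snort.conf still declares an output plugin that needs the log stream) is easy to trip over again. The script below is an added example, not code from the post or from the Snort project: it greps a snort.conf for log-consuming outputs and checks the snort command line for a -N switch, and reports the clash before snort is started. The sample config is constructed for the example (the post's own database line ended in "etc. etc."); the function names are assumptions, and the check encodes the poster's observation rather than any documented incompatibility.

```shell
#!/bin/sh
# Added example: flag "snort -N" (logging turned off) used together with a
# snort.conf output plugin that consumes the log stream, the combination the
# post reports as crashing snort. Function names and the sample config are
# constructed for this example and are not from the original post.

# Write a sample snort.conf fragment (constructed; the post's database line
# continued with "etc. etc.") to the path given as $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_full: alert
output database: log, postgresql, user=snort dbname=snort host=localhost
EOF
}

# Print the output lines in a snort.conf that need the log stream:
# "output database: log, ..." or any "output log_*:" plugin.
log_outputs() {
    grep -E '^[[:space:]]*output[[:space:]]+(database:[[:space:]]*log|log_)' "$1" 2>/dev/null
}

# Return 0 if the snort command-line arguments carry -N (turn logging off),
# either on its own or bundled with other single-letter switches (-deN).
has_no_log_flag() {
    for arg in "$@"; do
        case "$arg" in
            -*N*) return 0 ;;
        esac
    done
    return 1
}

# Usage: check_snort_logging_conflict <snort.conf> <snort args...>
# Returns 1 and prints the offending output lines when -N is combined with a
# log-consuming output plugin; returns 0 otherwise.
check_snort_logging_conflict() {
    conf=$1
    shift
    outs=$(log_outputs "$conf" || true)
    if has_no_log_flag "$@" && [ -n "$outs" ]; then
        echo "conflict: -N turns logging off, but $conf declares log outputs:" >&2
        echo "$outs" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration with the command line from the post.
if [ "${SNORT_CHECK_DEMO:-1}" = 1 ]; then
    tmpconf=$(mktemp)
    make_sample_conf "$tmpconf"
    check_snort_logging_conflict "$tmpconf" -u snort -g snort -de -D -o -i ethx -N -l /var/log/snort -c "$tmpconf" \
        && echo "no conflict" || echo "drop -N and restart snort"
    rm -f "$tmpconf"
fi
```

Run it as a pre-flight step in whatever wrapper starts snort; once -N is dropped the check passes, and the remaining question from the post (whether postmaster was started with -i so the database plugin can reach it over TCP) is a separate check against the postgres side.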

