Snort mailing list archives
All alerts not getting logged to MySQL??
From: "Alan Kloster" <akloster () SPP ORG>
Date: Thu, 12 Sep 2002 10:06:31 -0500
Hello,

Here are some details:

Snort started with the following command line:

/usr/local/bin/snort -o -i eth1 -d -D -c /usr/local/snort/snort.conf

Database output plugin conf:

output database: log, mysql, dbname=snort user=snort password=snort host=192.168.xxx.xx sensor_name=s-1 port=3306 detail=full

Snort version is 1.8.7 on Redhat Linux -> MySQL, ACID on WIN2K with IIS.

Okay, here's the rub: If I tail the /var/log/snort/alert and watch the alerts scroll across, I see a bunch of FTP Exploit CWD Overflow alerts almost constantly. When I go back and look at the database using ACID, I only see the first alert of this type since I restarted Snort, but a "wc -l" on /var/log/snort/alert shows 642 instances of the alert. What gives? All of the other alert types appear in the database as they are added to /var/log/snort/alert.

Strange part #2 - I have another box set up with the same configuration, but it doesn't have this problem. I have compared the two snort.conf and snortd files and they appear to be the same.

Tried to set "output database: alert". That works and sends all of the alerts to the database, but nothing gets logged to /var/log/snort/alert anymore, which is something I want to see. I also begin to see all of the portscans as well in the database, which I really don't want to see.

Any help to solve this mystery would be appreciated. Also, if anyone has a chart of what options cause what to happen when they are selected, it would be helpful, as I find the FAQ and other resources on the web to be very vague on what actually gets logged when alert or log is selected.

Thanks for your help. You guys are great and it's a great product!
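The reconciliation the poster is doing by hand (tailing /var/log/snort/alert, running wc -l, then comparing with what ACID shows) is easier to trust when it is done per signature, because wc -l counts lines rather than alerts. Below is an added example, not code from the original post or from the Snort project, that parses the header line of Snort's "full" alert format ([**] [gid:sid:rev] message [**]) and counts alerts per signature, then compares those counts with counts taken from the database. The alert text, the SIDs 100001/100002 and the database counts are all constructed for the example; the only assumption about the real file is that every alert begins with a header line of that shape.

```python
# Added example (not from the original post or from Snort): count alerts per
# signature in a Snort "full"-format alert file and compare the result with
# per-signature counts pulled from the database (e.g. what ACID displays).
import re
from collections import Counter

# Constructed sample alert file: two alerts for one signature, one for another.
# The SIDs are made up for the example.
SAMPLE_ALERT_FILE = """\
[**] [1:100001:1] FTP EXPLOIT CWD overflow [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
09/12-10:01:02.123456 10.0.0.5:3456 -> 10.0.0.10:21
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF

[**] [1:100001:1] FTP EXPLOIT CWD overflow [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
09/12-10:01:03.223456 10.0.0.5:3457 -> 10.0.0.10:21
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF

[**] [1:100002:1] WEB-MISC example probe [**]
[Classification: Web Application Attack] [Priority: 2]
09/12-10:02:00.000001 10.0.0.6:40000 -> 10.0.0.10:80
TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:60 DF
"""

# Header line of one alert: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]\s*$")


def count_alerts(alert_text):
    """Return a Counter keyed by (sid, message), one increment per alert header.

    Only header lines are counted, so packet-detail lines and blank lines do
    not inflate the total the way a plain 'wc -l' would.
    """
    counts = Counter()
    for line in alert_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            sid, msg = int(m.group(2)), m.group(4)
            counts[(sid, msg)] += 1
    return counts


def count_alerts_from_file(path):
    """Convenience wrapper for a real alert file such as /var/log/snort/alert."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return count_alerts(fh.read())


def find_discrepancies(file_counts, db_counts):
    """Compare per-signature counts from the alert file with per-signature
    counts from the database (a dict sid -> count, however it was obtained).

    Returns {sid: (count_in_file, count_in_db)} for every signature where the
    two disagree, including signatures present on only one side.
    """
    out = {}
    file_by_sid = Counter()
    for (sid, _msg), n in file_counts.items():
        file_by_sid[sid] += n
    for sid in set(file_by_sid) | set(db_counts):
        n_file, n_db = file_by_sid.get(sid, 0), db_counts.get(sid, 0)
        if n_file != n_db:
            out[sid] = (n_file, n_db)
    return out


if __name__ == "__main__":
    fc = count_alerts(SAMPLE_ALERT_FILE)
    # Constructed database counts mimicking the symptom described in the post:
    # only the first CWD overflow alert reached the database.
    db = {100001: 1, 100002: 1}
    for sid, (n_file, n_db) in sorted(find_discrepancies(fc, db).items()):
        print(f"sid {sid}: alert file has {n_file}, database has {n_db}")
```

Running the block on the constructed sample reports sid 100001 with 2 alerts in the file but 1 in the database, which is the kind of per-signature gap the poster describes; pointing count_alerts_from_file at the real alert file and feeding find_discrepancies the counts from a query against the database gives the same comparison for a live sensor.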