Re: All alerts not getting logged to MySQL??

[Goldmoon <summer_beha () yahoo com>]

Hi,

Is this the snort.conf in /usr/local/etc? Also, in
that database section, there are 4 entries of "output
database" should all of these by changed to match the
lines below?

Thanks!
--- WTWork <securitygauntlet () snet net> wrote:
> Try changing this entry in RED
>
> output database: alert, mysql, dbname=snort
> user=snort password=snort 
> host=192.168
> .xxx.xx sensor_name=s-1 port=3306 detail=full
>
>
> At 10:06 AM 9/12/2002 -0500, Alan Kloster wrote:
> > Hello,
> >
> > Here are some details:
> >
> > Snort started with the following command line:
> >
> > /usr/local/bin/snort -o -i eth1 -d -D -c
> /usr/local/snort/snort.conf
> > Database output plug in conf:
> >
> > output database: log, mysql, dbname=snort
> user=snort password=snort 
> > host=192.168
> > .xxx.xx sensor_name=s-1 port=3306 detail=full
> >
> > Snort version is 1.8.7 on Redhat Linux -> MySQL,
> Acid on WIN2K with IIS
> > Okay here's the rub:
> >
> > If I tail the /var/log/snort/alert and watch the
> alerts scroll across I 
> > see a bunch of
> > FTP Exploit CWD Overflow alerts almost constantly. 
> When I go back and look at
> > the database using ACID, I only see the first alert
> of this type since I 
> > restarted Snort,
> > but a wc-l on /var/log/snort/alert shows 642
> instances of the alert.  What 
> > gives?  All of the
> > other alert types appear in the database as they
> are added to 
> > /var/log/snort/alert.
> >
> > Strange part #2 - I have another box set up with
> the same configuration, 
> > but it doesn't have this
> > problem.  I have compared the two snort.conf and
> snortd files and they 
> > appear to be the same.
> >
> > Tried to set output database: alert.  That works
> and sends all of the 
> > alerts to the database, but
> > nothing gets logged to /var/log/snort/alert anymore
> which is something I 
> > want to see.  I also begin to
> > see all of the portscans as well in the database,
> which I really don't 
> > want to see.  Any help to solve
> > this mystery would be appreciated.
> >
> > Also if anyone has a chart of what options cause
> what to happen when they 
> > are selected, it would
> > be helpful as I find the FAQ and other resources on
> the web to be very 
> > vague on what actually gets
> > logged when alert or log is selected.  Thanks for
> your help.  You guys are 
> > great and it's a great product!
>
> -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or
> unsubscribe:
>
> https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list


__________________________________________________
Do you Yahoo!?
Yahoo! News - Today's headlines
http://news.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users