Snort mailing list archives

RE: Snort Stops Sending Alerts to MySQL


From: "Michael Steele" <michaels () silicondefense com>
Date: Fri, 8 Nov 2002 10:04:05 -0800

Ian,

Is this ONLY happening on the remote sensors?

There is a Windows binary available for 1.9.0, but a new 1.9.1 version of
Snort is being released in the next couple of days, and that release will
be available on our website. The release version of Snort 1.9.0 had some
problems which have been fixed in Snort 1.9.1.

-Michael
-- 
 Michael Steele | System Engineer / Support Technician     
 mailto:michaels () silicondefense com    
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Parker,
Ian
Sent: Friday, November 08, 2002 7:25 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Snort Stops Sending Alerts to MySQL

I have Snort V1.8.7 sensors running on three Windows XP SP1 machines, each
sending alerts to a central ACID console. Periodically, one or more sensors
just stops sending alerts. There is nothing in the event logs to indicate a
problem. Stopping and restarting the Snort service fixes the problem. Has
anyone else noticed this kind of behaviour? Is there a way to troubleshoot
this? I would try running V1.9, except that there doesn't seem to be a
Windows binary available yet with MySQL support.

Ian Parker, GCWN

Senior Systems Analyst
Upgrading Plant Computing
Syncrude Canada Ltd

(780)790-4631
parker.ian () syncrude com


-----Original Message-----
From: Parker, Ian [mailto:parker.ian () syncrude com]
Sent: Monday, November 04, 2002 3:25 PM
To: 'Michael Steele'; 'Parker, Ian'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Logging to Remote Syslog and ACID Console


I am using the Kiwi Syslog daemon on a remote Win2K box and I can send the
alerts to it using the -s switch. The problem is that use of the -s switch
overrides my attempts to also send the alerts to a MySQL database that is
also on the Win2K machine. I understand that a patch was developed to
prevent this override behaviour, at least on Windows systems, but it
doesn't seem to have made it into the source yet. I couldn't find the
patch on sourceforge.net either.

Ian Parker, GCWN

Senior Systems Analyst
Upgrading Plant Computing
Syncrude Canada Ltd

(780)790-4631
parker.ian () syncrude com


-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Monday, November 04, 2002 3:02 PM
To: 'Parker, Ian'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Logging to Remote Syslog and ACID Console


Ian,

You will need to use a program like Kiwi Syslog Server, if you want to
shove your logs to a remote syslog server.

This may have been fixed in a CVS version of Snort, not real sure.

Some help here guys, Chris? Is this available in the 1.9.x release or in
the latest CVS version of 1.9.x? I believe the -s option failed on
Windows.

-Michael
-- 
 Michael Steele | System Engineer / Support Technician     
 mailto:michaels () silicondefense com    
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Parker,
Ian
Sent: Monday, November 04, 2002 9:46 AM
To: 'twig les'; Parker, Ian; 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Logging to Remote Syslog and ACID Console

Sorry, I should have pointed out that this is a Windows box, so I don't
have a syslog.conf file. If I create one, will Snort look for it? If so,
where should it be located?

Ian Parker, GCWN

Senior Systems Analyst
Upgrading Plant Computing
Syncrude Canada Ltd

(780)790-4631
parker.ian () syncrude com


-----Original Message-----
From: twig les [mailto:twigles () yahoo com]
Sent: Monday, November 04, 2002 10:30 AM
To: Parker, Ian; 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Logging to Remote Syslog and ACID Console


You don't specify the remote syslog server in the
snort.conf file or in the command line.  Lose the -s,
use snort.conf to tell snort to syslog the stuff, then
edit /etc/syslog.conf to use the correct server.


--- "Parker, Ian" <parker.ian () syncrude com> wrote:
Is it possible to send alerts to both a remote Syslog server and a remote
ACID console? I can do one or the other, but if I specify the -s switch in
the command line, it overrides the output plug-in for MySQL in the config
file. The config file does not seem to allow you to specify a remote Syslog
server. I suppose I could set up a local Syslog server and have it forward
stuff to the remote daemon but I'd like to avoid that complication if
possible.

Ian Parker, GCWN

Senior Systems Analyst
Upgrading Plant Computing
Syncrude Canada Ltd

(780)790-4631
parker.ian () syncrude com




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Heavy metal made me do it.                        
-----------------------------------------------------------
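The "lose the -s, use snort.conf" advice from this thread, written out as an added example that is not part of the thread and not a file from the Snort or ACID projects: a snort.conf output section that names both the syslog and the MySQL output plugins, in the 1.x-series plugin syntax. The user, password, dbname and host values are placeholders.

```conf
# Added example, not from this thread. Both output plugins are declared
# in snort.conf, so neither one has to be selected on the command line.

# Syslog plugin: this version's syntax takes only a facility and a
# priority, so the destination of the messages is configured outside
# Snort (/etc/syslog.conf on Unix; the thread leaves the Windows case
# open at this point).
output alert_syslog: LOG_AUTH LOG_ALERT

# Database plugin for the ACID console. Credentials and host are
# placeholders to be replaced locally.
output database: alert, mysql, user=snort password=PLACEHOLDER dbname=snort host=acid-console.example.com
```

With both lines in the file, start the sensor without -s: as the thread observes, the -s switch given on the command line overrides the output plugins configured in the file, which is exactly the "one or the other" symptom. Because the database password sits in clear text in snort.conf, restrict the file's permissions on each sensor to the account the Snort service runs as, and give that database account only the insert privileges the plugin needs.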










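Ian's other question, how to troubleshoot a sensor that silently stops inserting alerts, is one the console side can answer on a schedule. The check below is an added example, not code from this thread and not part of Snort or ACID: it asks the alert database for each registered sensor's newest event and reports the sensors that have been silent longer than a threshold, including sensors that have never inserted anything. It assumes the Snort database schema's `sensor` (sid, hostname, interface) and `event` (sid, cid, signature, timestamp) tables, and uses an in-memory SQLite copy filled with constructed rows (made-up hostnames and times) so it runs offline; against the real console the same SQL would be run through a MySQL client library.

```python
"""Staleness check for Snort sensors that log to a central database.

Added example, not from this thread or from the Snort/ACID projects.
Assumes the Snort schema's `sensor` and `event` tables; the rows below
are constructed for the example.
"""
import sqlite3
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # text form of a MySQL DATETIME

# Constructed sample rows: hostnames and times are made up.
SAMPLE_SENSORS = [
    (1, "sensor-a", "eth0"),
    (2, "sensor-b", "eth0"),
    (3, "sensor-c", "eth0"),   # registered, but has never logged an event
]
SAMPLE_EVENTS = [
    # sid, cid, signature, timestamp
    (1, 1, 1, "2002-11-08 09:55:12"),
    (1, 2, 1, "2002-11-08 09:58:40"),
    (2, 1, 2, "2002-11-08 02:40:05"),
    (2, 2, 1, "2002-11-08 03:10:00"),   # sensor-b went quiet after this
]


def build_sample_db() -> sqlite3.Connection:
    """Create the two tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT,
                             interface TEXT);
        CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER,
                             timestamp TEXT, PRIMARY KEY (sid, cid));
        """
    )
    conn.executemany("INSERT INTO sensor VALUES (?, ?, ?)", SAMPLE_SENSORS)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def last_event_per_sensor(conn: sqlite3.Connection) -> dict:
    """Map hostname -> timestamp text of its newest event, or None.

    The LEFT JOIN keeps sensors that have never inserted a row; a plain
    join would drop them and hide the worst case.
    """
    rows = conn.execute(
        """
        SELECT s.hostname, MAX(e.timestamp)
        FROM sensor AS s
        LEFT JOIN event AS e ON e.sid = s.sid
        GROUP BY s.sid, s.hostname
        """
    ).fetchall()
    return {hostname: ts for hostname, ts in rows}


def stale_sensors(conn: sqlite3.Connection, now: str,
                  max_silence_hours: float) -> list:
    """Sorted hostnames whose newest event is older than the threshold.

    `now` is passed in the database's own text format so the check can be
    run against a fixed reference time; sensors with no events at all are
    always reported.
    """
    reference = datetime.strptime(now, TS_FORMAT)
    limit = timedelta(hours=max_silence_hours)
    stale = []
    for hostname, ts in last_event_per_sensor(conn).items():
        if ts is None or reference - datetime.strptime(ts, TS_FORMAT) > limit:
            stale.append(hostname)
    return sorted(stale)


if __name__ == "__main__":
    db = build_sample_db()
    for host in stale_sensors(db, "2002-11-08 10:00:00", 2):
        print(f"no alerts from {host} in the last 2 hours; check the service")
```

A quiet segment also produces no alerts, so set the threshold from each sensor's normal alert rate, or pair the check with a rule that is known to fire at a steady rate, so that silence means a stalled sensor rather than a calm network. Once the check exists, the restart Ian applies by hand can be triggered from it instead of noticed after the fact.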

