Snort mailing list archives

Re: Snort 1.9 alert log problem


From: Bennett Todd <bet () rahul net>
Date: Mon, 9 Dec 2002 16:47:20 -0500

2002-12-05-09:21:05 Schuler, Jeff:
[...] The boxes log to a MySQL DB and to the local disk.  I then
noticed that my alert file on each box was 1.4GB in size.  One
of these boxes registers a few hundred hits a day, the other one
maybe 3 hits per day, [...]

Is there any chance that (a) you're logging with MySQL off-machine,
and (b) the packets that are being logged to MySQL contain a string
that's re-triggering an alert, causing a loop?

If so, fixes would include (a) tightening the signature for the
looping alert so it won't match on the MySQL logging packet (if you
do this, do please submit the fix back, perhaps by emailing it to
the snort-sigs list); (b) disabling the sid that's looping (just
# it out in the rules file); (c) using a BPF rule to blind snort
to the outbound MySQL traffic; (d) moving the MySQL to the local
machine; and (e) tunneling the MySQL traffic through some encrypting
pipe like e.g. stunnel (for SSL) or ssh with port forwarding.

-Bennett
