Snort mailing list archives

RE: MySql and Snort


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Sat, 8 Feb 2003 22:28:52 -0500

Sorry... click happy.  See below for message continuation.  

-----Original Message-----
From: L. Christopher Luther 
Sent: Saturday, February 08, 2003 10:28 PM
To: 'Cilin'
Cc: Snort-Users (E-mail)
Subject: RE: MySql and Snort


Cilin, 

First:  Your problem in a nutshell is the '-E' parameter on the Win32
binary.  Using this alert command line directive disables the output plugins
specified in the snort.conf file.  Using any of the other alert command line
'-A fast', '-A full', etc. will also disable the output plugins specified in
snort.conf.  And yes, this is by design.  

Second:  Do *not* use two output database plugins to the same MySQL
database.  If you do, you'll end up with duplicate data.  Check out:
http://www.theadamsfamily.net/~erek/snort/logging_methods.txt  

If you really want Snort alerts sent to the Win32 Event Log, then use the
syslog output plugin.  By default, under Win32 this will send Snort alerts
to the Application Event Log.  

Cheers! 
-- Christopher

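The two misconfigurations described in the reply above (an alert switch on the command line that silences the snort.conf output plugins, and two database plugins writing to one database) can be checked mechanically. The following Python script is an added example, not code from the thread or from Snort; it runs on constructed input modelled on the command line and snort.conf excerpt quoted further down, with the host and paths as placeholders.

```python
import re

# Constructed sample input, modelled on the thread above (not a real host or path).
SNORT_CMDLINE = (r'C:\Program Files\Snort\snort.exe -c "C:\Program Files\Snort\snort.conf" '
                 r'-l "C:\Program Files\Snort\Log" -E -h www.xxx.yyy.zzz/32 -i 1')
# Constructed snort.conf excerpt: two database plugins pointed at the same database.
SNORT_CONF = """\
output database: log, mysql, host=www.xxx.yyy.zzz port=3306 dbname=snort user=suser password=**** detail=full
output database: alert, mysql, host=www.xxx.yyy.zzz port=3306 dbname=snort user=suser password=**** detail=full
"""

def cmdline_overrides_output(cmdline):
    # Alert switches that make Snort ignore snort.conf output plugins (-E, -A <mode>).
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)  # quoted Windows paths stay whole
    overrides, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == '-E':
            overrides.append('-E')
        elif tok == '-A' and i + 1 < len(tokens):  # separate form: -A fast
            overrides.append('-A ' + tokens[i + 1])
            i += 1
        elif tok.startswith('-A') and len(tok) > 2:  # joined form: -Afast
            overrides.append('-A ' + tok[2:])
        i += 1
    return overrides  # empty list: configured output plugins stay in force

def database_output_targets(conf_text):
    # Parse "output database: <facility>, <dbtype>, k=v ..." lines into
    # (facility, (dbtype, host, port, dbname)) pairs.
    targets = []
    for line in conf_text.splitlines():
        m = re.match(r'\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$', line, re.I)
        if not m:
            continue
        facility, dbtype, rest = m.groups()
        params = dict(kv.split('=', 1) for kv in rest.split() if '=' in kv)
        key = (dbtype.lower(), params.get('host', ''), params.get('port', ''), params.get('dbname', ''))
        targets.append((facility.lower(), key))
    return targets

def duplicate_database_targets(conf_text):
    # Databases that more than one output plugin writes to: the setup that yields
    # duplicate rows, as the reply above warns.
    by_target = {}
    for facility, key in database_output_targets(conf_text):
        by_target.setdefault(key, []).append(facility)
    return {key: facs for key, facs in by_target.items() if len(facs) > 1}
```

Calling `cmdline_overrides_output(SNORT_CMDLINE)` on the constructed command line reports the `-E` switch, and `duplicate_database_targets(SNORT_CONF)` reports the single MySQL database that both the `log` and `alert` plugins point at.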

-----Original Message-----
Date: Fri, 7 Feb 2003 12:41:40 -0800 (PST)
From: Cilin <cilin5 () yahoo com>
Subject: Re: [Snort-users] MySql and Snort
To: Cilin <cilin5 () yahoo com>
Cc: snort-users () lists sourceforge net

Additional Info

I use:

--Windows 2000 SMP machine but have disabled one of
the processors for the sole purpose of using snort
--Snort 1.9
--Latest versions of PHP, Apache and Acid
--IDScenter 1.09 BETA 2.3 (the latest vers)
--------------------------------------
The snort command line is: (as viewed from IDScenter)

C:\Program Files\Snort\snort.exe -c "C:\Program Files\Snort\snort.conf" -l "C:\Program Files\Snort\Log" -E -h www.xxx.yyy.zzz/32 -i 1
--------------------------------------
Output Plugins in snort.conf
1.
output database: log, Mysql, host=www.xxx.yyy.zzz port=3306 dbname=snort user=suser password=**** detail=Full
2.
output database: alert, Mysql, host=www.xxx.yyy.zzz port=3306 dbname=snort user=suser password=**** detail=Full

*I added the 2nd one after following some suggestion I saw somewhere (I am not sure if 2 plugins can use the same database though). Snort wasn't logging into MySQL with the first one by itself either.
--------------------------------------

I also tried this:

-Move all rules to /etc/snort
-Change every single line in snort.conf with "include"
removing path
/rules. The lines should be like this: 
include rpc.rules
- restart snort
I hope it should help you.

It didn't, but thanks for trying to help.
[snip]
