Snort mailing list archives
Snort not logging to MySQL
From: Adam Shephard <sfnative33 () yahoo com>
Date: Mon, 10 Feb 2003 15:11:48 -0800 (PST)
I'm using ACID and after not having any alerts show up for a while, I decided to look into things. Turns out, nothing is going into MySQL at all. I do have alerts showing up in Snort both in /var/log/snort/alerts and /var/log/snort/xxx.xxx.xxx.xxx

I am getting this in /var/log/daemon.log:

Feb 9 14:02:48 ******* snort: PID stat checked out ok, PID set to /var/run/
Feb 9 14:02:48 ******* snort: Writing PID file to "/var/run/"
Feb 9 14:02:48 ******* snort: Initializing daemon mode
Feb 9 14:02:48 ******* snort: PID stat checked out ok, PID set to /var/run/
Feb 9 14:02:48 ******* snort: Writing PID file to "/var/run/"
Feb 9 14:02:49 ******* snort: database: must enter database name in configuration file
Feb 9 14:02:49 ******* snort: FATAL ERROR:

I do have the database name listed in the common.inc file, per instructions. This is happening on two separate machines. On one, I copied the config files from an article from SecurityFocus, on the other I re-typed the files by hand. That leads me to believe it's not a typo, but it's certainly possible.

The boxes are running Debian Woody, mysql 3.23.49.8-2, snort-mysql 1.8.4beta-13 and acidlab 0.9.6b20-2. All of the packages were installed using apt-get from STABLE.

Any help would be greatly appreciated.

Adam

Here are the config files:

-----------------
/etc/init.d/snort
-----------------
#!/bin/sh
#
# Script to control SNORT execution under Debian
# Written by Vladislav V. Myasnyankin .

PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
DAEMON=/usr/sbin/snort
PIDFILES=`ls /var/run | grep snort`
INTERFACES=`cat /etc/snort/common/interfaces`

# Arguments passed to SNORT
#
# To watch only our system
ARGS="-o -p -X -u snort -g snort -D"
#
# Check if we need to watch all packets in the segment
if [ -e /etc/snort/common/promisc ]
then
    ARGS="-o -X -u snort -g snort -D"
fi

test -x $DAEMON || exit 0

case "$1" in
  start)
    echo -n "Starting Network Intrusion Detection System: snort"
    for IFACE in $INTERFACES; do
        PIDFILE=/var/run/snort_$IFACE.pid
        CONFIG=/etc/snort/snort.conf.$IFACE
        echo $IFACE
        echo $CONFIG
        echo $PIDFILE
        # bring the interface up if it is not configured yet
        /sbin/ifconfig | grep $IFACE > /dev/null
        if [ $? -ne 0 ]
        then
            /sbin/ifconfig $IFACE up
        fi
        /sbin/start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- -i $IFACE $
        case "$?" in
            0) echo "." ;;
            1) echo "...already running." ;;
            2) echo "..failed.";;
        esac
    done
    ;;
  stop)
    echo -n "Stopping Network Intrusion Detection System: snort"
    for PIDFILE in $PIDFILES; do
        echo
        echo $PIDFILE
        echo
        /sbin/start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/$PIDFI$
        echo "."
        rm -f /var/run/$PIDFILE
    done
    ps cax | grep '/usr/sbin/snort' | awk '{ print $1 }' | xargs --no-run-$
    ;;
  restart|force-restart|reload|force-reload)
    /etc/init.d/snort stop
    # stop will take care that the thing is really dead
    /etc/init.d/snort start
    ;;
  *)
    echo "Usage: /etc/init.d/snort {start|stop|restart|force-reload|reload}"
    exit 1
    ;;
esac

exit 0

--------------------------
/etc/snort/snort.conf.eth0
--------------------------
var HOME_NET xxx.xxx.xxx.xxx/24
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS [xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx]
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521

include /etc/snort/common/common.inc

#
# Include classification & priority settings
#
include classification.config

#
# Customize the rule set
#
include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include web-attacks.rules
include sql.rules
include x11.rules
include icmp.rules
include netbios.rules
include misc.rules
include attack-responses.rules
# include backdoor.rules
# include shellcode.rules
# include policy.rules
# include porn.rules
# include info.rules
# include icmp-info.rules
# include virus.rules
include local.rules

----------------------------
/etc/snort/common/common.inc
----------------------------
# common variables
pass ICMP $HOME_NET any -> $HOME_NET any
pass TCP $HOME_NET any -> $HOME_NET any
pass UDP $HOME_NET any -> $HOME_NET any

# preprocessors
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor unidecode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode

# output plugins
output database: log, mysql, user=snort password= dbname=snort_log host=localhost

=====
Adam Shephard
-- Nothing exceeds like excess --

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
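The one line the FATAL ERROR points at is the "output database:" line in common.inc. As an added example, not part of Adam's post and not Snort's own spo_database parser, here is a small Python checker that tokenizes that line format (facility, database type, then whitespace-separated key=value parameters) and reports the things worth checking before digging into MySQL: a missing or empty dbname=, the empty password= that the posted line has, a remote host=, and a config file that holds the credentials but is readable by group or world. The two sample lines are constructed (the filled-in password is a placeholder), as are the expected findings.

```python
"""Sanity-check Snort 'output database:' lines before blaming MySQL.

Added example, not Snort's own spo_database parser: it tokenizes the
    output database: <log|alert>, <dbtype>, key=value key=value ...
form used in the post and reports what a practitioner checks first.
The sample lines and the placeholder password are constructed.
"""
import os
import re
import stat

FACILITIES = {"log", "alert"}
DBTYPES = {"mysql", "postgresql", "unixodbc", "mssql", "oracle"}
REQUIRED = ("dbname", "user")             # Snort cannot connect without these
PARAM_RE = re.compile(r"^(\w+)=(\S*)$")   # key=value; value may be empty

# Constructed lines: the one from the post, and the same line with the
# empty password filled in (CHANGE_ME is a placeholder, not a real secret).
POSTED = "output database: log, mysql, user=snort password= dbname=snort_log host=localhost"
FIXED = "output database: log, mysql, user=snort password=CHANGE_ME dbname=snort_log host=localhost"


def parse_output_database(line):
    """Return (facility, dbtype, params) or raise ValueError on a malformed line."""
    m = re.match(r"^\s*output\s+database\s*:\s*(.*?)\s*$", line)
    if not m:
        raise ValueError("not an 'output database:' line: %r" % line)
    fields = [f.strip() for f in m.group(1).split(",", 2)]
    if len(fields) != 3:
        raise ValueError("expected '<log|alert>, <dbtype>, <key=value ...>'")
    facility, dbtype, paramstr = fields
    params, bad = {}, []
    for tok in paramstr.split():           # parameters are whitespace separated
        pm = PARAM_RE.match(tok)
        if pm:
            params[pm.group(1)] = pm.group(2)
        else:
            bad.append(tok)
    if bad:
        raise ValueError("not key=value: %s" % " ".join(bad))
    return facility, dbtype, params


def check_output_database(line):
    """Return a list of findings; an empty list means the line looks sane."""
    try:
        facility, dbtype, params = parse_output_database(line)
    except ValueError as err:
        return [str(err)]
    findings = []
    if facility not in FACILITIES:
        findings.append("facility %r is not 'log' or 'alert'" % facility)
    if dbtype not in DBTYPES:
        findings.append("unknown database type %r" % dbtype)
    for key in REQUIRED:
        if not params.get(key):
            findings.append("%s= is missing or empty" % key)
    if not params.get("password"):
        findings.append("password= is empty: the database account has no password")
    host = params.get("host", "localhost")
    if host != "localhost":
        findings.append("host=%s is remote: grant the account only from this sensor's address" % host)
    return findings


def check_config_mode(mode):
    """Findings for the permission bits of a file that holds the DB password."""
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return ["config is group/world readable; it contains the DB password"]
    return []


def check_config_file(path):
    """Same permission check against a real file, e.g. /etc/snort/common/common.inc."""
    return check_config_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    for label, line in (("posted", POSTED), ("fixed", FIXED)):
        print(label, check_output_database(line) or "ok")
```

The checker only looks at the text; it cannot tell you how Snort 1.8.4's plugin actually parsed the posted line. The next step when a daemon.log excerpt like the one above is all you have is to start snort in the foreground (the same command line the init script builds, minus -D) so the complete plugin error is printed rather than the truncated "FATAL ERROR:" copy syslog keeps.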
Current thread:
- Snort not logging to MySQL Adam Shephard (Feb 10)
- <Possible follow-ups>
- Re: Snort not logging to MySQL Adam Shephard (Feb 12)