Snort mailing list archives
RE: Question about Snort/ACID/MySQL and portscans
From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Fri, 25 Apr 2003 09:53:25 -0600
Not so sure about how this works in a Windows environment, but in a Linux environment the results have been "erratic". For example, with Redhat 7.3 and the latest versions of all else (PHP, MySQL, ACID, Snort, etc...), the alerts do appear to end up in both the snort database and the alert file. However, the portscan alerts do not behave the same. Sometimes the portscans will show up in the alert file instead of portscan.log, and when that happens they do not appear in the ACID console. Other times the portscans do end up in the portscan.log file and are viewable in the ACID console. Anyone have a good explanation for this behavior?

-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Thursday, April 24, 2003 2:41 PM
To: 'Snow Jacob C KPWA'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Question about Snort/ACID/MySQL and portscans

Jacob,

Remove the 'output database alert ...' line. By using 'output database log ...' you will be outputting to both types of logging (alert and log), and yes, it uses the log file.

-Michael
--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense - The Cyber-War Defense Company
Website: http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Snow Jacob C KPWA
Sent: Thursday, April 24, 2003 1:04 PM
To: 'snort-users () lists sourceforge net'; 'Michael Steele'
Subject: [Snort-users] Question about Snort/ACID/MySQL and portscans

Just a curious question: when you have

output database: log, mysql, user=snort1 password=test_snort dbname=snort host=xxx.xxx.xxx.xxx port=3306 sensor_name=slave1
output database: alert, mysql, user=snort1 password=test_snort dbname=snort host=xxx.xxx.xxx.xxx port=3306 sensor_name=slave1

in the snort.conf file, will you get alerts in the log file as well? I have installed the service with:

snort /service /install -o -l d:/applications/snort/log -c d:/applications/snort/etc/snort.conf -d -i3

I am wondering why none of the port scans that happen are showing up in SQL; they are showing up in a text document in the log folder. How do I configure the port scans to go to mysql so I can view them with acid? I am using snort 1.91 on win2k/xp. The alerts work fine and I can view everything with acid, except the port scans. I can go into the log directory and see the port scan listing.

Thank you,
Jacob Snow
jacobsc () kpt nuwc navy mil
(360)315-3487
NAVSEA Intern
Current thread:
- Question about Snort/ACID/MySQL and portscans Snow Jacob C KPWA (Apr 24)
- RE: Question about Snort/ACID/MySQL and portscans Michael Steele (Apr 24)
- <Possible follow-ups>
- RE: Question about Snort/ACID/MySQL and portscans Slighter, Tim (Apr 25)