Snort mailing list archives

RE: Question about Snort/ACID/MySQL and portscans

From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Fri, 25 Apr 2003 09:53:25 -0600

Not so sure about how this work in a windows environment, but in a linux
envrionment, the results have been "erratic".  For example, with Redhat 7.3
and the latest versions of all else (PHP, MySQL, ACID, Snort, etc...), the
alerts do appear to end up in both the snort database and the alert file.
However, the portscan alerts do not behave the same.  Sometimes the
portscans will show up in the alert file instead of portscan.log and when
that happens they do not appear in the ACID console.  Other times the
portscans do end up in the portscan.log file and are viewable in the ACID
console.  Anyone have a good explanation for this behavior?

-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Thursday, April 24, 2003 2:41 PM
To: 'Snow Jacob C KPWA'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Question about Snort/ACID/MySQL and portscans



Jacob,

 

Remove the 'output database alert ...' line. By using 'output database log
...' you will be outputting to both types of logging (alert and log), and
yes it use the log file.

-Michael
--
 Michael Steele | System Engineer / Support Technician    
  mailto:michaels () silicondefense com <mailto:michaels () silicondefense com>

 Silicon Defense - The Cyber-War Defense Company
 Website: http://www.silicondefense.com <http://www.silicondefense.com> 
 Snort: Open Source Network IDS - http://www.snort.org
<http://www.snort.org> 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Snow Jacob C
KPWA
Sent: Thursday, April 24, 2003 1:04 PM
To: 'snort-users () lists sourceforge net'; 'Michael Steele'
Subject: [Snort-users] Question about Snort/ACID/MySQL and portscans

 

Just a curious question when you have:

 

output database: log, mysql, user=snort1 password=test_snort dbname=snort
host=xxx.xxx.xxx.xxx port=3306 sensor_name=slave1

output database: alert, mysql, user=snort1 password=test_snort dbname=snort
host=xxx.xxx.xxx.xxx port=3306 sensor_name=slave1

 

in the snort.conf file will you get alerts in the log file as well?

 

I have installed the service with:

 

snort /service /install -o -l d:/applications/snort/log -c
d:/applications/snort/etc/snort.conf -d -i3

 

I am wondering why none of the port scans that happen are showing up in SQL
they are showing up in a text document in the log folder.  Hwo do I
configure the port scans to go to mysql so I can view them with acid?  I am
using snort 1.91 on win2k/xp.  The alerts work fine and I can view
everything with acid, except the port scans.  I can go into the log
directory and see the port scan listing.

 

 

Thank you,

 

Jacob Snow

jacobsc () kpt nuwc navy mil <mailto:jacobsc () kpt nuwc navy mil> 

(360)315-3487

NAVSEA Intern

Current thread:

Question about Snort/ACID/MySQL and portscans Snow Jacob C KPWA (Apr 24)
- RE: Question about Snort/ACID/MySQL and portscans Michael Steele (Apr 24)
- <Possible follow-ups>
- RE: Question about Snort/ACID/MySQL and portscans Slighter, Tim (Apr 25)