Snort mailing list archives

RE: Snort 2.0 as a Windows Service??


From: Erek Adams <erek () snort org>
Date: Wed, 23 Apr 2003 12:29:01 -0400 (EDT)

On Wed, 23 Apr 2003, Michael Steele wrote:

> How can you tell he has two output database plugins?

Looking at the output there are two sets of data for DB.

database: compiled support for ( mysql odbc )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = 127.0.0.1
database:          port = 3306
database:   sensor name = Websrv15e
database:     sensor id = 2
database: schema version = 106
database: using the "alert" facility
database: compiled support for ( mysql odbc )
database: configured to use mysql
database:          user = snort
database: database name = snort
database:          host = 127.0.0.1
database:          port = 3306
database:   sensor name = Websrv15e
ERROR: database: mysql_error: Access denied for user:

Two sets of the info from DB plugin means 2 sets of DB plugin lines.  :)

> In my documentation it specifies two output database lines. One is alert
> and the other is log.

Ummm...  Why?  That's a bit redundant.  If you look at this [0], you'll
see how the DB plugin deals with it.

  "The database plugin is something of an anomaly because it doesn't
  separate the two functionalities very much.  The "log" option attaches
  the log facility and the "alert" option attaches it to the alert
  facility.  What this means in practical terms is that if the db plugin
  is in alert mode, it will only receive output from alert rules, whereas
  if it's in "log" mode it will receive output from both log and alert
  rules."

So you don't need two DB lines.  That's wasting time, effort, CPU, and
network.  If you 'want everything', then just use 'log' instead of
'alert'.

> If he is using my docs, leave in both lines, but make sure the syntax is
> correct. I'm assuming he has failed to properly set up the users in the
> database.

Nope.  That's not it.  If it was, would his first DB line work at all?  :)
It's something in the second DB output line that's causing the error.

> He can also execute his run line with a -T at the end but most likely
> won't get much more information. He can also check the Application log
> and see what it's reporting.

-T would probably give more data than the EventLog, but that's a guess
from someone w/o a Win32 machine.   :)

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
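As an added illustration (not part of the thread), here is what the two snort.conf arrangements discussed above look like in Snort 2.x database plugin syntax; the user, password, sensor_name and host values are placeholders, and the parameters are the ones echoed in the startup banner:

```conf
# Redundant form: two database output plugins pointed at the same database.
# Snort prints one "database: ..." banner per output line at startup, which is
# how two plugin instances show up in the output quoted above. Note that the
# second instance in that output never printed "password is set", so check that
# every line carries the full parameter list.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1 port=3306 sensor_name=Websrv15e
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1 port=3306 sensor_name=Websrv15e

# Sufficient form: a single "log" instance receives output from both log and
# alert rules, so it captures everything the pair above would, with one DB
# connection instead of two.
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1 port=3306 sensor_name=Websrv15e
```

Running `snort -T` with the conf in place validates the lines and prints one banner per configured instance without starting packet capture.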

