Snort mailing list archives
RE: [snort-mysql] logging OK to logfile, not to mysql database
From: Michel Christophe <tofm2 () yahoo fr>
Date: Thu, 04 Dec 2003 11:06:11 +0100
On Thu 04/12/2003 at 06:33, Michael Steele wrote:

> Try manually running Snort with your existing run line but tag a -T on the end. This might give you what you need to know. Also try a tcpdump on the port to make sure the alerts are actually getting to the database. Cheers... -The WINSNORT.com Management Team
Hello, and thanks for the answers.

The /etc/init.d/snortd command for starting snort in my distribution is the following:

daemon /usr/sbin/snort -u snort -g snort -s -d -D -i eth0 -l /var/log/snort -c /etc/snort/snort.conf

When I try launching it with the -T tag from the command line after I stopped the currently running daemon, I have nothing at all; it seems to suggest that my config is OK:

[root@msi cm]# service snortd stop
Stopping snort: [ OK ]
[root@msi cm]# /usr/sbin/snort -u snort -g snort -s -d -D -i eth0 -l /var/log/snort -c /etc/snort/snort.conf -T
[root@msi cm]# (Nothing)
[root@msi cm]# ps -aux | grep snort
Warning: bad syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
root 16705 0.0 0.1 2020 760 pts/3 R 10:11 0:00 grep snort
[root@msi cm]#

And furthermore, no current snort processes are loaded into memory (see above).

What makes me think there is a problem is that I cannot find any lines within /etc/snort/snort.conf relating to the logger process contained in the snort-mysql rpm. In fact, this rpm contains only one binary, called snort-mysql:

[root@msi cm]# rpm -ql snort-mysql
/usr/sbin/snort-mysql

After I checked, I could find a link to /usr/sbin/snort-mysql called /usr/sbin/snort (/usr/sbin/snort points to /usr/sbin/snort-mysql). Therefore the process launcher

daemon /usr/sbin/snort -u snort -g snort -s -d -D -i eth0 -l /var/log/snort -c /etc/snort/snort.conf

from /etc/init.d/snortd points to /usr/sbin/snort-mysql. So, in that case, why does nothing ever happen in my snort database??? I really cannot understand this.

I would like to give you some tcpdumps for a better understanding, but to do this I would need a little help (I am BAD at tcpdump). My snort daemon is on the same machine as the MySQL server, so how can I fiddle with the tcpdump options (port=3306 and interface=lo, I presume, but how would you configure tcpdump for such a task???). I will perform an access to a forbidden directory on my apache server from the internet for the tcpdump.
Thanks for the help, thanks for the clues.
-- 
Michel Christophe <tofm2 () yahoo fr>
Attachment:
signature.asc
Description: This is a digitally signed message part
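Two checks that follow from the message above, as an added example that is not part of the thread or of Snort itself: the tcpdump invocation for MySQL traffic on the loopback interface when Snort and MySQL share a host, and a grep for an active "output database:" line in snort.conf (the snort-mysql binary only writes to MySQL when such a line is configured; the directive form is the Snort 2.x one, the sample conf contents, the password placeholder, port 3306 and the /tmp pcap path are assumptions).

```shell
#!/bin/sh
# Added example, not code from the thread or the Snort project.
set -eu

# Return 0 if the given snort.conf has an active (uncommented)
# "output database:" line, 1 otherwise. A commented-out line does not count.
has_db_output() {
    grep -Eq '^[[:space:]]*output[[:space:]]+database:' "$1"
}

# Print every active "output ..." plugin line in a snort.conf,
# with leading whitespace stripped.
list_outputs() {
    grep -E '^[[:space:]]*output[[:space:]]+' "$1" | sed 's/^[[:space:]]*//'
}

# tcpdump command for MySQL traffic on loopback (needs root; defined but
# not executed here). Snort and MySQL are on the same machine, so the
# connection never leaves the lo interface.
#   -i lo  capture on loopback
#   -nn    no host or port name resolution
#   -s 0   full-length packets (old tcpdump releases default to 68 bytes)
#   -w     save a pcap for later inspection with tcpdump -r / ethereal
capture_mysql_lo() {
    tcpdump -i lo -nn -s 0 -w /tmp/snort-mysql.pcap 'tcp port 3306'
}

# Constructed sample conf: looks like a stock snort.conf whose database
# output is still commented out (assumed contents, for demonstration only).
sample=$(mktemp)
cat > "$sample" <<'EOF'
var HOME_NET any
output alert_fast: alert
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
include $RULE_PATH/web-misc.rules
EOF

if has_db_output "$sample"; then
    echo "database output is configured:"
    list_outputs "$sample"
else
    echo "no active 'output database:' line; snort-mysql logs to files only."
    echo "active output lines:"
    list_outputs "$sample"
fi
rm -f "$sample"
```

Run the script as-is to see the check against the constructed conf, then point has_db_output at /etc/snort/snort.conf; if it reports no active line, that explains an empty database regardless of which binary /usr/sbin/snort links to. Run capture_mysql_lo as root in a second terminal while triggering an alert, then look at the pcap: no packets at all to port 3306 means Snort never attempted the connection, while a short exchange that ends immediately points at an authentication or schema problem on the MySQL side.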
Current thread:
- [snort-mysql] logging OK to logfile, not to mysql database Michel Christophe (Dec 03)
- Re: [snort-mysql] logging OK to logfile, not to mysql database Josh Berry (Dec 03)
- RE: [snort-mysql] logging OK to logfile, not to mysql database Michael Steele (Dec 03)
- RE: [snort-mysql] logging OK to logfile, not to mysql database Michel Christophe (Dec 04)
- RE: [snort-mysql] logging OK to logfile, not to mysql database Michael Steele (Dec 03)
- Re: [snort-mysql] logging OK to logfile, not to mysql database Josh Berry (Dec 03)