Snort mailing list archives

RE: [snort-mysql] logging OK to logfile, not to mysql database

From: Michel Christophe <tofm2 () yahoo fr>
Date: Thu, 04 Dec 2003 11:06:11 +0100

Le jeu 04/12/2003 à 06:33, Michael Steele a écrit :

Try manually running Snort with your existing run line but tag a -T to the
end. This might give you what you need to know.

Also try a tcpdump on the port to make sure the alerts are actually getting
to the database.

Cheers...

-The WINSNORT.com Management Team


Hello and thanks for answers

the /etc/init.d/snortd command for starting snort in my distribution is
the following:

daemon /usr/sbin/snort -u snort -g snort -s -d -D -i eth0 -l
/var/log/snort -c /etc/snort/snort.conf

when I try launching it with the -T tag from the command line after I
stopped the current running daemon, i have nothing at all, it seems to
suggest that my config is OK

[root@msi cm]# service snortd stop
Stopping snort:                                                 [  OK  ]

[root@msi cm]# /usr/sbin/snort -u snort -g snort -s -d -D -i eth0 -l
/var/log/snort -c /etc/snort/snort.conf -T
[root@msi cm]#

(Nothing)

[root@msi cm]# ps -aux | grep snort
Warning: bad syntax, perhaps a bogus '-'? See
http://procps.sf.net/faq.html
root     16705  0.0  0.1  2020  760 pts/3    R    10:11   0:00 grep
snort
[root@msi cm]#

and furthermore, no current snort processes are loaded into memory (see
above)

What makes me think there is a problem is that i cannot find any lines
within /etc/snort/snort.conf) relying to the logger process contained in
snort-mysql rpm.
In fact, this rpm contains only one binary, called snort-mysql

[root@msi cm]# rpm -ql snort-mysql
/usr/sbin/snort-mysql

after I checked, i could find a link to /usr/sbin/snort-mysql called
/usr/sbin/snort

( /usr/sbin/snort points to /usr/sbin/snort-mysql)

therefore the process launcher 

daemon /usr/sbin/snort -u snort -g snort -s -d -D -i eth0
-l/var/log/snort -c /etc/snort/snort.conf 

from /etc/init.d/snortd points to /usr/sbin/snort-mysql

so, in that case, why nothing ever happens in my snort database ??? 

I really cannot understand this

I would like to give you some tcpdumps for better understandings, but to
do this, I would need a little help (i am BAD to tcpdumps)

My snort daemon is on the same machine than the MySQL server, so how can
I fiddle with tcpdump options (port=3306 and interface=lo i presume, but
how would you configure tcpdump for such a task ???)

I will perform an access to a forbidden directory on my apache server
from the internet for the tcpdump.

Thanks for help



thanks for clues



-- 
Michel Christophe <tofm2 () yahoo fr>

Attachment: signature.asc
Description: Ceci est une partie de message numériquement signée

Current thread:

[snort-mysql] logging OK to logfile, not to mysql database Michel Christophe (Dec 03)
- Re: [snort-mysql] logging OK to logfile, not to mysql database Josh Berry (Dec 03)
  - RE: [snort-mysql] logging OK to logfile, not to mysql database Michael Steele (Dec 03)
    - RE: [snort-mysql] logging OK to logfile, not to mysql database Michel Christophe (Dec 04)