Snort mailing list archives

RE: no alerts logged


From: "Michael Chapman" <MChapman () ascentmedia com>
Date: Fri, 16 Jan 2004 10:54:09 -0800

FWIW, I tried doing an strace -p on the mysql process, and I'm seeing
nothing at all:

select(5, [3 4], NULL, NULL, NULL

And that's all she wrote ... nothing going on there!

Michael

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Michael
Chapman
Sent: Friday, January 16, 2004 10:27 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] no alerts logged

Well, I toasted the existing database, rebuilt them, and reinstalled
Snort, complete with the latest set of rules (current) -- all to no
avail.  This is version 2.1.0.  For the life of me, I cannot figure out
why it refuses to log to MySQL, when it did before just perfectly.  I
know this isn't offering a tremendous amount of information at this
point other than whining <g>, but I can certainly provide whatever
anyone thinks would warrant inspection.

Ummm ... help?

Michael
 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Michael
Chapman
Sent: Thursday, January 15, 2004 9:22 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] no alerts logged

How bizarre ... I am experiencing the same thing, in terms of Snort not
logging to MySQL.  This was all working just fine -- I was working on
trimming down some of the rules being loaded and redoing the
http_inspect preprocessor.  This, of course, necessitated many
stop/starts of everything but nothing was monkeyed with on the database
side.  My Snort user can still connect and write to the database from a
shell -- it's just not writing to the database!

I did turn on the log output plugin briefly to verify that stuff was
actually being dumped, which it is.  It is off now, and my original
snort.conf is in place.  I'm exceedingly confused.

Michael

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of M. Morgan
Sent: Thursday, January 15, 2004 2:12 PM
To: Mat Harris; snort-users () lists sourceforge net
Subject: Re: [Snort-users] no alerts logged

Mat,
If both snort and the mysql database are running correctly, try the
following.

- make sure the output plugin for snort is pointing to the correct
  database.

- make sure that snort has the correct permissions (in MySQL) to access
  the "snort" database tables.
   - there should be a database user "snort"
   - and permissions for snort/snort_archive/snortcenter in the database
     to allow user "snort" to write to the tables.

One of the above may be causing your problem depending on your
snort/database type setup.



-----Original Message-----
From: Mat Harris <mat.harris () genestate com>
Sent: Jan 15, 2004 9:54 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] no alerts logged

Hi,
  I have set up snort for the second time now using the pdf redhat
howto.

The first setup worked perfectly with acid and I loved it, but that
machine died and so I am trying to install the replacement.

I have followed the instruction (as far as I can see) to the letter, the
same as last time, but on the new install, there is nothing being logged.

Everything appears to be working perfectly, but nothing is sent to the
mysql db except on one test portscan with nmap it logged 2 alerts for that.

I am not very familiar with snort yet so I don't know what to provide to
debug it and the keywords are too vague for a google/archive search.

Please let me know what info to provide for debugging.

I am running Redhat 7.3 (fully updated) with snort Version 2.0.5 (Build
98).

Thanks in advance

-- 
 -----------------------------------------
+ Mat Harrison | mat.harris () genestate com +
| England, UK  | matth () 3d-computers co uk |
|--------------+--------------------------|
+        http://www.genestate.com         +
 ----------------------------------------



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
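
The two checks M. Morgan lists in the thread above (the output plugin points at the right database, and the database user may write to it) can be scripted. This is an added example, not part of the original messages: it assumes the Snort 2.x `output database:` directive syntax and pasted `SHOW GRANTS` output, and the sample config, grants, password and function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the thread).
SNORT_CONF = """\
# output database: log, mysql, user=snort password=old dbname=snort_old host=localhost
output database: log, mysql, user=snort password=example dbname=snort_archive host=localhost
output alert_syslog: LOG_AUTH LOG_ALERT
"""
SHOW_GRANTS = """\
GRANT USAGE ON *.* TO 'snort'@'localhost' IDENTIFIED BY PASSWORD '<hidden>'
GRANT SELECT, INSERT, UPDATE, DELETE ON `snort`.* TO 'snort'@'localhost'
"""

DIRECTIVE = re.compile(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,?\s*(.*)$")
GRANT = re.compile(r"^GRANT\s+(.+?)\s+ON\s+`?([\w*]+)`?\.\*\s+TO\s+'?(\w+)'?@", re.I)

def database_outputs(conf_text):
    """Return the active (uncommented) database output plugin settings."""
    outputs = []
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)  # lines starting with '#' never match
        if m:
            params = dict(p.split("=", 1) for p in m.group(3).split() if "=" in p)
            outputs.append({"mode": m.group(1), "dbtype": m.group(2), **params})
    return outputs

def writable_databases(grants_text, user):
    """Databases (or '*') on which `user` holds INSERT or ALL PRIVILEGES."""
    dbs = set()
    for line in grants_text.splitlines():
        m = GRANT.match(line.strip())
        if m and m.group(3) == user:
            privs = {p.strip().upper() for p in m.group(1).split(",")}
            if privs & {"INSERT", "ALL PRIVILEGES", "ALL"}:
                dbs.add(m.group(2))
    return dbs

def check(conf_text, grants_text, expected_db):
    findings = []
    outputs = database_outputs(conf_text)
    if not outputs:
        findings.append("no active 'output database' line")
    for out in outputs:
        db, user = out.get("dbname"), out.get("user")
        if db != expected_db:
            findings.append(f"plugin writes to {db!r}, expected {expected_db!r}")
        allowed = writable_databases(grants_text, user)
        if db not in allowed and "*" not in allowed:
            findings.append(f"user {user!r} has no INSERT on {db!r}")
    return findings
```

Calling `check(SNORT_CONF, SHOW_GRANTS, "snort")` on the constructed inputs reports both a database-name mismatch and a missing INSERT grant; an empty list means neither check found a problem.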

