Snort mailing list archives

RE: Trouble to log trace into database


From: "Jeff Dell" <jdell () activeworx com>
Date: Sat, 20 Nov 2004 12:34:24 -0500

This is a common problem. It is most likely having a problem with
checksums. Try adding the option '-k none' to the line that you start snort
with, i.e.:
C:\Snort\bin>snort -r c:\trace.eth -c c:\Snort\etc\snort-mod.conf \
-l c:\Snort\log -k none

Cheers,
Jeff
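Added example, not part of the thread: '-k none' turns Snort's checksum verification off, so packets with bad checksums are no longer discarded before the log rules see them. Before disabling verification for a whole run it helps to know how many packets in the trace actually fail, since captures taken on hosts with checksum offloading commonly carry zeroed or wrong TCP/UDP checksums. The script below walks a classic pcap, verifies the IPv4 header and TCP/UDP checksums, and counts failures; the pcap, addresses and packets it uses are constructed inline.

```python
import struct

def inet_checksum(data: bytes) -> int:  # RFC 1071 checksum; 0 means a valid checksum is present
    s = sum(struct.unpack("!%dH" % ((len(data) + 1) // 2), data + b"\x00" * (len(data) % 2)))
    while s >> 16:  # fold the carries back into the low 16 bits
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_tcp_packet(src, dst, sport, dport, payload, corrupt_l4=False):
    """Constructed IPv4+TCP packet; corrupt_l4 zeroes the TCP checksum, as offload captures do."""
    sa, da = (bytes(map(int, a.split("."))) for a in (src, dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    tcp_csum = 0 if corrupt_l4 else inet_checksum(sa + da + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, sa, da)
    return ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:] + tcp

def verify_ipv4(pkt: bytes) -> dict:  # IP header and TCP/UDP checksum check for one IPv4 packet
    ihl, proto, total_len = (pkt[0] & 0x0F) * 4, pkt[9], struct.unpack("!H", pkt[2:4])[0]
    res = {"ip_ok": inet_checksum(pkt[:ihl]) == 0, "l4_ok": None}  # None: no TCP/UDP checksum
    if proto in (6, 17):
        l4 = pkt[ihl:total_len]  # total_len strips any Ethernet trailer padding
        pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(l4))
        # a UDP checksum of zero means "not computed", which UDP over IPv4 permits
        res["l4_ok"] = (proto == 17 and l4[6:8] == b"\x00\x00") or inet_checksum(pseudo + l4) == 0
    return res

def pcap_checksum_report(pcap: bytes) -> dict:
    """Walk a classic Ethernet pcap and count IPv4 packets whose checksums fail verification."""
    e = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # file magic tells the byte order
    report, off = {"ipv4": 0, "bad": 0}, 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(e + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if frame[12:14] != b"\x08\x00":  # not IPv4 (e.g. ARP): nothing to verify
            continue
        r = verify_ipv4(frame[14:])
        report["ipv4"] += 1
        report["bad"] += (not r["ip_ok"]) or (r["l4_ok"] is False)
    return report

def make_pcap(frames):  # constructed little-endian pcap, link type 1 = Ethernet
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
        struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

ETH = b"\x00" * 12 + b"\x08\x00"  # constructed Ethernet header with EtherType IPv4
SAMPLE_PCAP = make_pcap([  # constructed: one good packet, one with an offload-style bad checksum
    ETH + build_tcp_packet("10.0.0.1", "10.0.0.2", 1234, 80, b"GET / HTTP/1.0\r\n\r\n"),
    ETH + build_tcp_packet("10.0.0.1", "10.0.0.2", 1235, 80, b"hello", corrupt_l4=True),
])
```

Running pcap_checksum_report over a real trace (read with open(path, "rb").read()) tells you whether '-k none' is needed or whether the capture itself should be fixed.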

-----Original Message-----
From: snort-users-admin () lists sourceforge net 
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Juan
Sent: Friday, November 05, 2004 7:25 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Trouble to log trace into database

Hi,
I have a trace file with some packets I am trying to analyze. I am trying to
load the trace into a mysql database but nothing gets logged.
My rules file looks like this:
# RULES
log tcp any any -> any any
log udp any any -> any any

And if I just run snort without loading from file, these rules log every tcp
and udp header just fine into the database. Now when I run:
C:\Snort\bin>snort -r c:\trace.eth -c c:\Snort\etc\snort-mod.conf \
      -l c:\Snort\log

I do not get any error but nothing gets logged to the database. See below.
Can anyone give me a hint of what I am doing wrong?

Thanks,
J


======================================================================
database: compiled support for ( mysql odbc )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = TRUSS:[reading from a file]
database:     sensor id = 2
database: schema version = 106
database: using the "log" facility
2 Snort rules read...
2 Option Chains linked into 2 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-----------------------[thresholding-config]--------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]--------------------------------
| none
+-----------------------[thresholding-local]---------------------------------
| none
+-----------------------[suppression]----------------------------------------
| none
-----------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log
        --== Initialization Complete ==--
-*> Snort! <*-
Version 2.2.0-ODBC-MySQL-FlexRESP-WIN32 (Build 30)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net,
www.datanerds.net/~mike)
1.8 - 2.x WIN32 Port By Chris Reid 
(chris.reid () codecraftconsultants com)
Run time for packet processing was 0.501000 seconds
============================================================================
Snort processed 84158 packets.
===========================================================================
Breakdown by protocol:
    TCP: 53451     (17.356%)
    UDP: 28239     (37.124%)
   ICMP: 13803      (1.561%)
    ARP: 3240       (0.231%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 8916       (1.008%)
DISCARD: 377709     (42.720%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0 low_time: 0, high_time: 0, diff: 0h:00:00s
    finds: 0 reversed: 0(%0.000000)
    find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 0
database: Closing connection to database ""
Snort exiting

-------------------------------------------------------
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users