Snort mailing list archives

Random DB names!


From: Paul.Clements () saga co uk
Date: Mon, 21 Mar 2005 16:11:14 +0000

Hello all,

I've been using snort happily for the last 3 years or so but now I've run 
into a strange problem.

Due to a comedy Inergen gas release and power down in our Data Centre all 
6 of our snort probes and the Management server were stopped abruptly.

When I restarted the probes everything seemed to be working as normal until 
we noticed we weren't receiving the volume of alerts that we are used to.

On closer inspection (using the -v and -T switches) we noticed that the 
database that some of the probes were logging to had changed from what we 
had configured them to use, from:-

database: compiled support for ( mysql )
database: configured to use mysql
database:          user = s^ort0n3
database: password is set
database: database name = snort
database:          host = XXX.XXX.XXX.XXX
database:   sensor name = XXXXX.saga.co.uk:eth1
database:     sensor id = 1
database: schema version = 106
database: using the "log" facility

to 

 find_sucess: 0 find_fail: 3 percent_success: (%0.000000) new_flows: 3
database: Closing connection to database "etected"

As you can see when I exit the probe it's reporting that it's closing the 
connection to "etected" (on other probes the database has changed to other 
names et "ersion") and not "snort" as it's clearly set to log to in the 
snort.conf!?!?!? If it's trying to connect to the wrong DB why doesn't it 
refuse to start with a connection error??!?

I've tried the following :-

Restoring the snort.conf with a backup and a fresh copy - with no joy.
Dropping the aanval and snort databases and recreating them - with no joy.
Reinstalling snort using the latest version - now interestingly this seems 
to work for a while then the same problem reoccurs!

We're running :-

Probes :  Fedora 3, Mandrake and snort 2.3.1
Management Server : Fedora 3, apache, mysql, aanval and base.

Has anyone else had this problem?

Kind Regards

Paul
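The symptom in the post is that the database name the probe reports at shutdown no longer matches the dbname set in snort.conf, while the startup banner still looks right. The script below is an added example, not code from the post or from the Snort project: it parses the "output database:" line of a snort.conf and the probe's own "database:" log lines, and flags any reported database name that was never configured. The snort.conf fragment and the log excerpt are constructed here, modelled on the lines quoted above (the password value is a placeholder).

```python
import re

# Constructed snort.conf fragment (not the poster's file). The
# "output database: <facility>, <driver>, key=value ..." syntax is the
# one used by Snort's database output plugin; the password is a placeholder.
SNORT_CONF = """
# ... other snort.conf directives ...
output database: log, mysql, user=s^ort0n3 password=PLACEHOLDER dbname=snort host=XXX.XXX.XXX.XXX sensor_name=XXXXX.saga.co.uk:eth1
"""

# Constructed probe output, modelled on the startup (-T/-v) and shutdown
# lines quoted in the post.
PROBE_LOG = """
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = s^ort0n3
database: password is set
database: database name = snort
database:          host = XXX.XXX.XXX.XXX
database: using the "log" facility
 find_sucess: 0 find_fail: 3 percent_success: (%0.000000) new_flows: 3
database: Closing connection to database "etected"
"""

CONF_RE = re.compile(
    r'^\s*output\s+database:\s*(?P<facility>\w+)\s*,\s*(?P<driver>\w+)\s*,\s*(?P<params>.*)$'
)
STARTUP_RE = re.compile(r'^database:\s*database name\s*=\s*(?P<name>\S+)\s*$')
CLOSE_RE = re.compile(r'^database:\s*Closing connection to database\s+"(?P<name>[^"]*)"\s*$')


def configured_dbnames(conf_text):
    """Return the dbname of every 'output database:' line in a snort.conf."""
    names = []
    for line in conf_text.splitlines():
        m = CONF_RE.match(line)
        if not m:
            continue
        # Remaining parameters are whitespace-separated key=value pairs.
        params = dict(kv.split("=", 1) for kv in m.group("params").split() if "=" in kv)
        if "dbname" in params:
            names.append(params["dbname"])
    return names


def observed_dbnames(log_text):
    """Collect the database names the probe itself reported, by stage."""
    seen = {"startup": [], "close": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = STARTUP_RE.match(line)
        if m:
            seen["startup"].append(m.group("name"))
            continue
        m = CLOSE_RE.match(line)
        if m:
            seen["close"].append(m.group("name"))
    return seen


def find_mismatches(conf_text, log_text):
    """Return (stage, name) for every reported db name not present in snort.conf."""
    expected = set(configured_dbnames(conf_text))
    problems = []
    for stage, names in observed_dbnames(log_text).items():
        for name in names:
            if name not in expected:
                problems.append((stage, name))
    return problems


if __name__ == "__main__":
    for stage, name in find_mismatches(SNORT_CONF, PROBE_LOG):
        print(f"MISMATCH at {stage}: probe reported database {name!r}, "
              f"configured names are {configured_dbnames(SNORT_CONF)}")
```

Run against the real files on a probe by reading snort.conf and the captured stdout/stderr of the snort process instead of the constructed strings; a non-empty result from find_mismatches is the condition the post describes and is worth alerting on from whatever wraps the sensor.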
 
