Snort mailing list archives
Re: mysql not logging alerts
From: James Riden <j.riden () massey ac nz>
Date: Wed, 09 Feb 2005 14:47:38 +1300
sEc nErD <umkcguy1978 () yahoo com> writes:
Hi all, I am running Snort on Fedora. Everything is working fine, but somehow I can never make it log to the MySQL database. I checked the permissions for the snort user in the database and they are fine. I also checked that mysqld is running. Then I checked my snort.conf to see if I have the right info. I don't know how to troubleshoot this. What other problems could there be, or where should I see some logs to know where I am going wrong? Thanks.
Your /var/log/messages should look a bit like this, except with mysql instead of postgres. (Debian might put it in /var/log/daemon.log or somewhere else.)

Feb 9 03:58:41 it023072 snort-pgsql: ,-----------[Flow Config]----------------------
Feb 9 03:58:41 it023072 snort-pgsql: | Stats Interval: 0
Feb 9 03:58:41 it023072 snort-pgsql: | Hash Method: 2
Feb 9 03:58:41 it023072 snort-pgsql: | Memcap: 10485760
Feb 9 03:58:41 it023072 snort-pgsql: | Rows : 4099
Feb 9 03:58:41 it023072 snort-pgsql: | Overhead Bytes: 16400(%0.16)
Feb 9 03:58:41 it023072 snort-pgsql: `----------------------------------------------
Feb 9 03:58:41 it023072 snort-pgsql: rpc_decode arguments:
Feb 9 03:58:41 it023072 snort-pgsql: Ports to decode RPC on: 111 32771
Feb 9 03:58:41 it023072 snort-pgsql: alert_fragments: INACTIVE
Feb 9 03:58:41 it023072 snort-pgsql: alert_large_fragments: ACTIVE
Feb 9 03:58:41 it023072 snort-pgsql: alert_incomplete: ACTIVE
Feb 9 03:58:41 it023072 snort-pgsql: alert_multiple_requests: ACTIVE
Feb 9 03:58:41 it023072 snort-pgsql: telnet_decode arguments:
Feb 9 03:58:41 it023072 snort-pgsql: Ports to decode telnet on: 21 23 25 119
Feb 9 03:58:41 it023072 postgres[16830]: [1-1] LOG: connection received: host=aa.bb.cc.dd port=37378
Feb 9 03:58:41 it023072 postgres[16830]: [2-1] LOG: connection authorized: user=XXXXX database=YYYY
Feb 9 03:58:42 it023072 snort-pgsql: Warning: flowbits key 'ssh.brute.attempt' is set but not ever checked.
Feb 9 03:58:42 it023072 snort-pgsql: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Feb 9 03:58:42 it023072 snort-pgsql: Snort initialization completed successfully

Do you also have a line like this in your snort.conf?

output database: log, postgresql, user=XXXXX dbname=YYYYY host=ZZZZZ sensor_name=AAAAA

cheers,
Jamie

--
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
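As an added example (not part of the original thread), the two checks Jamie suggests, written as a small Python checker: it looks for a live, uncommented 'output database:' directive in snort.conf and for Snort's "initialization completed" line in syslog. The sample config and log lines are constructed, and the set of parameters it treats as required (user, dbname, host) is an assumption taken from the example line in the reply, not an authoritative Snort list.

```python
"""Added example (not from the thread): check snort.conf for a live
'output database:' directive and syslog for Snort's startup line."""
import re
# Constructed snort.conf excerpt: first directive commented out (as shipped), second live.
SAMPLE_CONF = """\
# output database: log, mysql, user=snort password=x dbname=snort host=localhost
output database: log, mysql, user=snort dbname=snort host=localhost sensor_name=s1
"""

# Constructed syslog excerpt in the shape of the postgres log in the reply.
SAMPLE_SYSLOG = """\
Feb  9 03:58:41 it023072 snort: Ports to decode telnet on: 21 23 25 119
Feb  9 03:58:42 it023072 snort: Snort initialization completed successfully
"""

DIRECTIVE = re.compile(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")

def parse_output_database(conf_text):
    """Live 'output database:' directives as dicts: mode, driver, params."""
    found = []
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if line.lstrip().startswith("#") or not m:  # '#' lines are ignored by Snort
            continue
        mode, driver, rest = m.groups()
        params = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        found.append({"mode": mode, "driver": driver.lower(), "params": params})
    return found

def missing_params(directive, required=("user", "dbname", "host")):
    """Keys absent from the directive; the default set is an assumption
    taken from the example line in the reply, not an authoritative list."""
    return [k for k in required if k not in directive["params"]]

def snort_started(syslog_text):
    # The last line of the reply's log excerpt marks a successful start.
    return "Snort initialization completed successfully" in syslog_text

def diagnose(conf_text, syslog_text):
    """Return the failure causes from the thread as a list of findings."""
    findings = []
    directives = parse_output_database(conf_text)
    if not directives:
        findings.append("no live 'output database:' line in snort.conf")
    for d in directives:
        miss = missing_params(d)
        if miss:
            findings.append(f"{d['driver']} directive missing: {', '.join(miss)}")
    if not snort_started(syslog_text):
        findings.append("no 'Snort initialization completed' line in syslog")
    return findings
```

Run diagnose() on the real snort.conf and /var/log/messages contents; an empty list means both checks from the reply pass.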