Snort mailing list archives

Re: Snort and MySQL


From: sEc nErD <umkcguy1978 () yahoo com>
Date: Tue, 8 Feb 2005 18:06:04 -0800 (PST)

OK, below are the details of what's up with my Snort... it is having all alerts in the /var/log/snort/alert file,

but just that nothing is in the MySQL database. One thing that happened was MySQL was not running, then I started mysqld from init.d.

Since I started it after I was running Snort, do I need to stop and restart Snort so that it connects to the database?

If yes, what would be the command for that?





[root@localhost snort]# ps -ef| grep snort
snort     1791     1  0 08:42 ?        00:00:46 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

[root@localhost snort]# ps -ef| grep mysql
root      2029     1  0 08:42 ?        00:00:00 /bin/sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
mysql     2053  2029  0 08:42 ?        00:00:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking



Line in my snort.conf that I have uncommented:

output database: log, mysql, user=snort password=snort dbname=snort host=localhost


Output from /var/log/messages:
Feb  8 14:49:48 localhost sshd(pam_unix)[3049]: session opened for user root by (uid=0)
Feb  8 15:15:30 localhost mysqld: Starting MySQL:  succeeded
Feb  8 16:32:24 localhost kernel: UDF-fs: No VRS found
Feb  8 16:33:59 localhost sshd(pam_unix)[2894]: session closed for user root
Feb  8 16:34:01 localhost sshd(pam_unix)[3049]: session closed for user root
Feb  8 16:34:47 localhost sshd(pam_unix)[3290]: session opened for user root by (uid=0)
Feb  8 16:58:15 localhost sshd(pam_unix)[3375]: session opened for user root by (uid=0)
Feb  8 17:06:49 localhost sshd(pam_unix)[3290]: session closed for user root
Feb  8 17:06:54 localhost sshd(pam_unix)[3375]: session closed for user root
Feb  8 19:56:25 localhost sshd(pam_unix)[3552]: session opened for user root by (uid=0)







--- Robert Spangler <bms () zoominternet net> wrote:

On Sun August 29 2004 13:35, Robert Spangler wrote:

 I seem to be having a problem setting up snort to use MySQL database.

I had an error in my snort.conf file

 snort.conf has the following entry:


===================================================
 output database: log, MySQL, user=snort, password=******** dbname=snort host=localhost

===================================================

The above was placed in the wrong area of the config.  When this was corrected snort seemed to run without any problems.


NOW


I don't think things are running correctly.  I run a scan against my machine using CIS and it does its reporting but I never see anything in ACID or OpenAanval.

I used the following quick setup guide written by Patrick Harper at http://www.internetsecurityguru.com/


-- 

Regards
Robert

Smile.....  It increases your face value.




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users


