Snort mailing list archives

RE: Snort and MySQL


From: sEc nErD <umkcguy1978 () yahoo com>
Date: Thu, 10 Feb 2005 06:27:44 -0800 (PST)

Thanks Josh, indeed that was the problem. Thanks for your input on that one.


Joshua Berry <jberry () PENSON COM> wrote:

There is the problem.  Take out the -A fast part.  When you use a logging method from the command line (the -A
options), it overrides the logging in the configuration file.

 

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of sEc 
nErD
Sent: Wednesday, February 09, 2005 9:52 AM
To: Harper, Patrick; Robert Spangler; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort and MySQL 

 

Thanks for your reply.


I have snort started as


/usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort


 


Could you tell me how to restart it... because I am thinking /etc/init.d/snort restart


or /etc/init.d/snortd restart


 


What did is this??


If I do this, will it still have the original parameters like snort -A -b -D and stuff?


Thanks



"Harper, Patrick" <Patrick.Harper () phns com> wrote:


If you just made the change, yes, restart it. 

Have you set up the user snort with the password of snort (or whatever
is in your snort.conf) in mysql yet? Have you set your permissions and
tables too?

-----Original Message-----
From: sEc nErD [mailto:umkcguy1978 () yahoo com] 
Sent: Tuesday, February 08, 2005 8:06 PM
To: Robert Spangler; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and MySQL 

OK, below are the details of what's up with my snort... it
is having all alerts in the /var/log/snort/alert file,

but just that nothing in the MySQL database. One thing that
happened was mysql was not running, then I started
mysqld from init.d.

Since I started it after I was running snort... do I
need to stop and restart snort?? so that it connects to
the database.

If yes, what would be the command for that!!





[root@localhost snort]# ps -ef| grep snort
snort 1791 1 0 08:42 ? 00:00:46
/usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g
snort -c /etc/snort/snort.conf -l /var/log/snort

[root@localhost snort]# ps -ef| grep mysql
root 2029 1 0 08:42 ? 00:00:00
/bin/sh /usr/bin/safe_mysqld
--defaults-file=/etc/my.cnf
mysql 2053 2029 0 08:42 ? 00:00:00
/usr/libexec/mysqld --defaults-file=/etc/my.cnf
--basedir=/usr --datadir=/var/lib/mysql --user=mysql
--pid-file=/var/run/mysqld/mysqld.pid --skip-locking



Line in my snort.conf that I have uncommented:

output database: log, mysql, user=snort password=snort
dbname=snort host=localhost


Output from /var/log/messages:
Feb 8 14:49:48 localhost sshd(pam_unix)[3049]:
session opened for user root by (uid=0)
Feb 8 15:15:30 localhost mysqld: Starting MySQL: 
succeeded
Feb 8 16:32:24 localhost kernel: UDF-fs: No VRS found
Feb 8 16:33:59 localhost sshd(pam_unix)[2894]:
session closed for user root
Feb 8 16:34:01 localhost sshd(pam_unix)[3049]:
session closed for user root
Feb 8 16:34:47 localhost sshd(pam_unix)[3290]:
session opened for user root by (uid=0)
Feb 8 16:58:15 localhost sshd(pam_unix)[3375]:
session opened for user root by (uid=0)
Feb 8 17:06:49 localhost sshd(pam_unix)[3290]:
session closed for user root
Feb 8 17:06:54 localhost sshd(pam_unix)[3375]:
session closed for user root
Feb 8 19:56:25 localhost sshd(pam_unix)[3552]:
session opened for user root by (uid=0)







--- Robert Spangler wrote:

On Sun August 29 2004 13:35, Robert Spangler wrote:

I seem to be having a problem setting up snort to
use MySQL database.

I had an error in my snort.conf file

snort.conf has the following entry:


===================================================
output database: log, MySQL, user=snort,
password=******** dbname=snort
host=localhost

===================================================

The above was placed in the wrong area of the
config. When this was corrected 
snort seemed to run without any problems.


NOW


I don't think things are running correctly. I run a
scan against my machine
using CIS and it does its reporting, but I never see
anything in ACID or
OpenAanval.

I used the following quick setup guide written by
Patrick Harper at 
http://www.internetsecurityguru.com/


-- 

Regards
Robert

Smile..... It increases your face value.




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users














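Added example, not from any poster in this thread: a small POSIX shell check for the condition Josh describes, where a -A option on the snort command line overrides the output database plugin configured in snort.conf, so alerts land in the fast alert file but never in MySQL. The sample snort.conf and command lines below are constructed to mirror the ones quoted in the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added check for the misconfiguration discussed in this thread: an "-A <mode>"
# on the snort command line overrides the "output ..." plugins in snort.conf,
# so alerts go to the fast alert file but never reach the MySQL database.

# List the active (uncommented) "output" directives in a snort.conf.
active_output_lines() {
    grep -E '^[[:space:]]*output[[:space:]]' "$1"
}

# Return 0 when the config enables a database output plugin AND the command
# line carries -A (the conflict); return 1 when there is nothing to fix.
snort_output_conflict() {
    conf="$1"
    cmdline="$2"
    active_output_lines "$conf" | grep -q 'output[[:space:]]*database:' || return 1
    case " $cmdline " in
        *" -A"*) return 0 ;;   # matches both "-A fast" and "-Afast"
        *)       return 1 ;;
    esac
}

# Human-readable verdict, e.g. for a deploy-time sanity check.
report() {
    if snort_output_conflict "$1" "$2"; then
        echo "CONFLICT: drop -A from the command line so the snort.conf output plugins take effect"
    else
        echo "OK: command line and snort.conf output settings do not conflict"
    fi
}

# Constructed sample inputs mirroring the thread (not the poster's real files).
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
EOF
BAD_CMD="/usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort"
GOOD_CMD="/usr/sbin/snort -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort"

report "$SAMPLE_CONF" "$BAD_CMD"
report "$SAMPLE_CONF" "$GOOD_CMD"
```

On a live sensor, the second argument would be the actual command line taken from `ps -ef | grep snort`, as quoted earlier in the thread.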