Snort mailing list archives

Re: v2.8.4 incorrect logging to MySQL


From: JJ Cummings <cummingsj () gmail com>
Date: Fri, 10 Apr 2009 13:14:02 -0700

Use barnyard, or another utility like snort-unified-perl, to read snort unifiedx output and send it to mysql. That would be the correct way to do it.

Sent from the iRoad

On Apr 10, 2009, at 9:52 AM, "Danny Paul" <JDPAUL () GoColumbiaMO com> wrote:

It appears that version 2.8.4 does not properly log to mysql. I have the following line in my config file (***** = redacted):

output database: log, mysql, user=***** password=***** dbname=snortdb host=localhost sensor_name=***** encoding=hex detail=full

The tables are empty when snort is started.

When I start snort, it does start making entries into the event, tcphdr, iphdr, and data tables. However, it never makes an entry for itself in the sensor table and never inserts anything into the signature table. That means that there is no way to correlate events to the sensor that generated them or the signature triggering the alert. I logged all MySQL queries to confirm this behavior. Snort will query the sensor and signature tables but never inserts. What could be the cause of this?


Particulars:
openSUSE 11.1
Snort 2.8.4
MySQL 5.0.67
Phil Wood's libpcap version 0.9.8.20081128


Snort compiled from source using configuration directives:
--with-mysql
--enable-dynamicplugin
--with-libpcap-libraries=/usr/local/lib
--with-libpcap-includes=/path/to/libpcap-0.9.8.20081128



Thanks,
Danny Paul


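
An orphan-event check for the schema discussed above, as an added example that is not part of the original post and not code from the Snort or barnyard projects. It builds the relevant subset of the Snort 2.8.x MySQL schema (sensor, signature, event, with the column names from Snort's create_mysql script) in an in-memory SQLite database, loads constructed sample rows, and runs the LEFT JOIN query that lists every event row with no matching sensor or signature row. The same query, run in MySQL against the real snortdb, shows the symptom Danny describes (every event orphaned) and, once a unified-output reader such as barnyard is doing the inserts, shows whether the sensor and signature rows are now present. The sensor name, interface and rule names in the sample rows are assumptions.

```python
import sqlite3

# Subset of the Snort 2.8.x MySQL schema (create_mysql) touched by the
# output database plugin. Column names follow that script; SQLite is used
# here only so the check runs offline. Types are simplified accordingly.
SCHEMA = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY,
    hostname  TEXT,
    interface TEXT,
    filter    TEXT,
    detail    INTEGER,
    encoding  INTEGER,
    last_cid  INTEGER
);
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY,
    sig_name     TEXT,
    sig_class_id INTEGER,
    sig_priority INTEGER,
    sig_rev      INTEGER,
    sig_sid      INTEGER,
    sig_gid      INTEGER
);
CREATE TABLE event (
    sid       INTEGER,
    cid       INTEGER,
    signature INTEGER,
    timestamp TEXT,
    PRIMARY KEY (sid, cid)
);
"""

# Constructed sample rows. The event rows are what the alert logger writes;
# the sensor/signature rows are the ones it is supposed to insert on demand.
# Sensor name, interface and rule names are assumptions for the example.
EVENTS = [
    (1, 1, 1000001, "2009-04-10 09:40:01"),
    (1, 2, 1000001, "2009-04-10 09:40:05"),
    (1, 3, 1000002, "2009-04-10 09:41:13"),
]
SENSOR = (1, "sensor01", "eth1", None, 1, 1, 3)
SIGNATURES = [
    (1000001, "LOCAL example rule A", 1, 3, 1, 1000001, 1),
    (1000002, "LOCAL example rule B", 1, 3, 1, 1000002, 1),
]

# Every event that cannot be joined back to its sensor or its signature.
# This is the query to run in MySQL against the real snortdb.
ORPHAN_QUERY = """
SELECT e.sid, e.cid, e.signature,
       s.sid    IS NULL AS missing_sensor,
       g.sig_id IS NULL AS missing_signature
FROM event e
LEFT JOIN sensor    s ON s.sid    = e.sid
LEFT JOIN signature g ON g.sig_id = e.signature
WHERE s.sid IS NULL OR g.sig_id IS NULL
ORDER BY e.sid, e.cid
"""


def open_db(with_sensor: bool, with_signatures: bool) -> sqlite3.Connection:
    """Build an in-memory copy of the schema and populate it.

    with_sensor=False / with_signatures=False reproduces the symptom in the
    post: event rows exist but nothing was ever inserted into sensor or
    signature, so the events cannot be correlated.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", EVENTS)
    if with_sensor:
        conn.execute("INSERT INTO sensor VALUES (?, ?, ?, ?, ?, ?, ?)", SENSOR)
    if with_signatures:
        conn.executemany("INSERT INTO signature VALUES (?, ?, ?, ?, ?, ?, ?)", SIGNATURES)
    conn.commit()
    return conn


def orphan_events(conn: sqlite3.Connection):
    """Return (sid, cid, signature, missing_sensor, missing_signature) for
    each event row that has no matching sensor row or no matching
    signature row. An empty list means every event is fully correlatable."""
    rows = conn.execute(ORPHAN_QUERY).fetchall()
    return [(sid, cid, sig, bool(ms), bool(mg)) for sid, cid, sig, ms, mg in rows]


if __name__ == "__main__":
    broken = open_db(with_sensor=False, with_signatures=False)
    for row in orphan_events(broken):
        print("orphan event sid=%d cid=%d signature=%d "
              "sensor_missing=%s signature_missing=%s" % row)
    healthy = open_db(with_sensor=True, with_signatures=True)
    print("orphans once sensor/signature are populated:",
          len(orphan_events(healthy)))
```

orphan_events returns the rows rather than only printing them, so the same function can back a periodic check that raises an alert when the logger starts writing events that no longer join to a sensor or signature.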

---------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
