[Snort-users] snort won't log anything in mysql

alexus ml at ...1718...
Mon Apr 9 16:57:05 EDT 2001


yes, I went to that website and did all those steps..

mysql> select * from user where user='alexus';
+-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| Host      | User   | Password         | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
+-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| localhost | alexus | 34484ed463a66850 | Y           | Y           | N           | Y           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
+-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
1 row in set (0.00 sec)

mysql>

here is snort without -D

su-2.04# snort -c snort.conf

        --== Initializing Snort ==--

Initializing Network Interface fxp0
Decoding Ethernet on interface fxp0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = xxx
database: database name = xxx
database:          host = xxx
database: password is set
database:   sensor name = xxx.xx.xxx.xx
database:     sensor id = 1
database: using the "log" facility
845 Snort rules read...
845 Option Chains linked into 130 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->log->pass->redalert

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.7
By Martin Roesch (roesch at ...66..., www.snort.org)





----- Original Message -----
From: "shawn . moyer" <shawn at ...1184...>
To: "alexus" <ml at ...1718...>
Cc: <snort-users at lists.sourceforge.net>; <roman at ...438...>
Sent: Monday, April 09, 2001 3:33 PM
Subject: Re: [Snort-users] snort won't log anything in mysql


> Have you followed all the docs to set the database up from
>
> http://www.incident.org/snortdb ?
>
> i.e. do you have a user in mysql that has create, insert, and select
> privileges, and have you run the create_mysql script from the contrib
> directory?
>
> Also, you might try running snort in the foreground (without the -D) and
> see what messages you see.
>
>
>
> --shawn
>
> alexus wrote:
> >
> > mysql> select * from event;
> > Empty set (0.00 sec)
> >
> > mysql>
> >
> > when I used to use -s I saw snort messages there... but now no more
> > since I removed -s
> >
> > ----- Original Message -----
> > From: <roman at ...438...>
> > To: "alexus" <ml at ...1718...>; "shawn . moyer" <shawn at ...1184...>;
> > <snort-users at lists.sourceforge.net>
> > Sent: Monday, April 09, 2001 8:32 AM
> > Subject: Re: [Snort-users] SNORT WON'T LOG ANYTHING IN MYSQL
> >
> > > There is indeed a verbose mode in ACID.  Set $debug_mode=1
> > > in acid_conf.php.  However, I doubt this will help you much if
> > > Snort is not logging to the database correctly.  Try the following
> > > SQL from the mysql client:
> > >
> > > mysql> SELECT count(*) FROM event;
> > >
> > > If the count is 0, it is a safe bet that Snort is misconfigured.  As
> > > a side note, are you seeing these alerts in syslog or a flat file?
> > >
> > > Roman
> > >
> > > > I've tried -Dc..
> > > >
> > > > I still don't think it logs anything...
> > > >
> > > > is there any verbose mode for acid? I can see what's going on?
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "shawn . moyer" <shawn at ...1184...>
> > > > To: "alexus" <ml at ...1718...>
> > > > Cc: <snort-users at lists.sourceforge.net>
> > > > Sent: Monday, April 09, 2001 10:45 AM
> > > > Subject: Re: [Snort-users] SNORT WON'T LOG ANYTHING IN MYSQL
> > > >
> > > >
> > > > > alexus wrote:
> > > > >
> > > > > > snort -Dsc snort.conf
> > > > >
> > > > > < snort -Dsc snort.conf
> > > > > > snort -Dc snort.conf
> > > > >
> > > > > The -s tells it to log to syslog instead of what you specify in
> > > > > snort.conf.
> > > > >
> > > > > > You know when you start it and you get the message that says
> > > > > > "Command line options override plugin(s)!"? That's why.
> > > > >
> > > > >
> > > > >
> > > > > p.s. CAPS = SHOUTING
> > > > >
> > > > > --shawn
> > > > >
> > > > > --
> > > > >
> > > > > s h a w n   m o y e r
> > > > > shawn at ...1184...
> > > > >
> > > > > "Nuclear war would really set back cable."
> > > > >                      -- Ted Turner
> > > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > >
> > >
> > >
> > >
> > >
> > >
> >
>
>
> --
>
> s h a w n   m o y e r
> shawn at ...1184...
>
> "Nuclear war would really set back cable."
>                      -- Ted Turner
>
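
Added example (not part of the thread, and not code from Snort or ACID): a pre-flight check for the failure discussed above, where -s on the command line, even clustered as in -Dsc, overrides the database output plugin configured in snort.conf. The list of options that take an argument, the sample snort.conf lines and the function names are assumptions made for illustration.

```shell
# Added example: will this Snort 1.x launch line really log to the database?
# Assumption: Snort options that take an argument (not exhaustive for 1.7).
SNORT_OPTSTRING=':c:l:i:h:r:A:F:n:S:sDdevb'

# Exit 0 if -s is among the arguments, including clustered forms like -Dsc.
uses_syslog_flag() {
    OPTIND=1; found=1
    while getopts "$SNORT_OPTSTRING" opt; do
        if [ "$opt" = s ]; then found=0; fi
    done
    return "$found"
}

# Print "<facility> <dbtype>" of the first uncommented "output database:" line; exit 1 if none.
db_output() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*output[ \t]+database:/ {
            sub(/^[ \t]*output[ \t]+database:[ \t]*/, "")
            split($0, f, /,[ \t]*/)
            print f[1], f[2]; found = 1; exit
        }
        END { exit !found }
    ' "$1"
}

# check_launch CONF ARGS...: verdict on stdout, exit 0 only if DB logging is live.
check_launch() {
    cfg=$1; shift
    if uses_syslog_flag "$@"; then
        echo "FAIL: -s overrides the output plugins in $cfg (syslog only)"
        return 1
    fi
    if ! out=$(db_output "$cfg"); then
        echo "FAIL: no active 'output database:' directive in $cfg"
        return 1
    fi
    echo "OK: database output active ($out)"
}

# Constructed sample snort.conf fragment; user/dbname/host are placeholders.
sample_conf() {
    printf '%s\n' '# output database: alert, mysql, dbname=snort' \
        'output database: log, mysql, user=snort dbname=snort host=localhost'
}

# Demo: the two launch lines from the thread against the sample config.
t=$(mktemp) && sample_conf > "$t"
check_launch "$t" -Dsc snort.conf || :; check_launch "$t" -Dc snort.conf; rm -f "$t"
```

An attached argument such as -csnort.conf is not mistaken for -s, because getopts consumes the rest of the cluster as the argument to -c.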
