[Snort-users] SNORT WON'T LOG ANYTHING IN MYSQL

Joe McAlerney joey at ...47...
Mon Apr 9 18:45:31 EDT 2001


If you wanted to specify a certain set of rules to only log to syslog
and the database, then yes.  Otherwise, you can just add the output
lines to your configuration file and completely bypass making an
additional rule type.

output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=xxx dbname=xxx host=xxx password=xxxx

I suspect this is what you are trying to do.  Other people have been
confused with the ruletype example in the supplied snort.conf file as
well.  I'm guessing that seeing the two (popular) output types in that
example could lead one to believe that is the simplest/best way to use
them together.

-Joe M.

-- 
|   Joe McAlerney     joey at ...155...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+

alexus wrote:
> 
> no .. that I didn't do...
> 
> where was I supposed to change alert to redalert?
> 
> ----- Original Message -----
> From: "Joe McAlerney" <joey at ...47...>
> To: "alexus" <ml at ...1718...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Monday, April 09, 2001 5:45 PM
> Subject: Re: [Snort-users] SNORT WON'T LOG ANYTHING IN MYSQL
> 
> > Did you change your snort rule actions to type "redalert" instead of
> > "alert"?
> >
> > redalert tcp any any -> any any (msg:"Hi, I was set off by a redalert rule";)
> >
> > Hope this helps,
> >
> > -Joe M.
> >
> > --
> > |   Joe McAlerney     joey at ...155...   |
> > | Silicon Defense - Technical Support for Snort |
> > |       http://www.silicondefense.com/          |
> > +--                                           --+
> >
> > alexus wrote:
> > >
> > > my snort won't log anything in log
> > >
> > > part of my snort.conf
> > >
> > > ruletype redalert
> > > {
> > >   type alert
> > >   output alert_syslog: LOG_AUTH LOG_ALERT
> > >   output database: log, mysql, user=xxx dbname=xxx host=xxx password=xxxx
> > > }
> > >
> > > what am I missing?
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> 

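Added example (not part of the original thread and not Snort project code): a small Python check for the situation discussed above, where a custom ruletype carries the output lines but no rule names that type as its action, so those outputs never fire. The function name audit_outputs and the sample configuration are constructed for illustration; include directives are not followed.

```python
import re

# Constructed sample reproducing the thread's situation: the outputs live
# inside "ruletype redalert", but the only rule still uses plain "alert".
SAMPLE_CONF = '''\
ruletype redalert
{
  type alert
  output alert_syslog: LOG_AUTH LOG_ALERT
  output database: log, mysql, user=xxx dbname=xxx host=xxx password=xxxx
}
alert tcp any any -> any any (msg:"constructed sample rule";)
'''

# A line whose second token is a protocol is treated as a rule.
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}


def audit_outputs(conf_text):
    """Return (global_outputs, ruletypes, unused) for snort.conf text.

    ruletypes maps each custom type name to the output lines in its block.
    unused lists custom types that have outputs but are never used as a
    rule action, which is why nothing reaches syslog or the database.
    """
    global_outputs, ruletypes, actions_used = [], {}, set()
    current = None  # name of the ruletype block being read, if any
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"ruletype\s+(\w+)", line)
        if m:
            current = m.group(1)
            ruletypes[current] = []
        elif line.startswith("}"):
            current = None
        elif line.startswith("output "):
            (ruletypes[current] if current else global_outputs).append(line)
        else:
            tokens = line.split()
            if len(tokens) > 1 and tokens[1].lower() in PROTOCOLS:
                actions_used.add(tokens[0])  # first token is the rule action
    unused = sorted(n for n, outs in ruletypes.items()
                    if outs and n not in actions_used)
    return global_outputs, ruletypes, unused


if __name__ == "__main__":
    print(audit_outputs(SAMPLE_CONF)[2])
```

An empty third element means every ruletype with outputs is referenced by at least one rule; moving the output lines to the top level of the file, as suggested in the reply, also yields an empty list.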