[Snort-users] snort won't log anything in mysql

Mark Buchanan markbuchanan at ...530...
Tue Apr 10 13:37:38 EDT 2001


  Ok, I'm gonna just take a stab at this, cause we had something like
this happen just a couple weeks ago...
  Have you checked all your rules to make sure that your variables are
all defined...  We had one variable that had two characters reversed,
and for some reason, we seemed to keep looking at the DB stuff...  Only
until someone did a sanity check on the rules file did we find it... 
(for some reason snort didn't report those errors verbosely)...
  Just my 2 cents...
Mark
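Mark's suggestion (a rules file with a misspelled $VARIABLE that Snort does not complain about loudly) can be checked mechanically. The script below is an added example, not code from this thread or from Snort; it assumes `var NAME value` lines define variables and that a definition precedes its first use, and the config it scans is constructed.

```python
"""Sanity-check a Snort 1.x config for $VARIABLES that are never defined.
Added example (not code from the thread or from Snort): it automates the check
Mark suggests, since, as he reports, Snort 1.7 did not clearly flag a rule that
referenced a misspelled variable.  Assumes 'var NAME value' defines a variable
and that a definition precedes its first use.  The config below is constructed."""
import re
import sys

VAR_DEF = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
VAR_USE = re.compile(r"\$(\w+)")

# Constructed sample: HOME_NET is mistyped as HMOE_NET in the first rule.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
# two characters swapped in the next line
alert tcp $EXTERNAL_NET any -> $HMOE_NET 25 (msg:"SMTP probe";)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP traffic";)
output database: log, mysql, user=snort dbname=snort host=localhost
"""

def check_variables(config_text):
    """Return (defined, undefined): defined maps name -> value, undefined maps
    each unknown name to the 1-based line numbers that reference it."""
    defined, undefined = {}, {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        line = line.split("#", 1)[0]          # drop comments (simplification)
        m = VAR_DEF.match(line)
        if m:
            defined[m.group(1)] = m.group(2)
            line = m.group(2)                 # a value may use earlier vars
        for name in VAR_USE.findall(line):
            if name not in defined:
                undefined.setdefault(name, []).append(lineno)
    return defined, undefined

def main(path=None):
    """Report undefined variables; return 1 if any were found, else 0."""
    _, undefined = check_variables(open(path).read() if path else SAMPLE_CONF)
    for name, lines in sorted(undefined.items()):
        print(f"undefined variable ${name} used on line(s) {lines}")
    return 1 if undefined else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with the path to snort.conf (rules included via `include` must be checked separately, since the script reads only the file given).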

alexus wrote:
> 
> this is ldd output for you
> 
> bash-2.04$ ldd /usr/local/bin/snort
> /usr/local/bin/snort:
>         libpcap.so.2 => /usr/lib/libpcap.so.2 (0x28102000)
>         libm.so.2 => /usr/lib/libm.so.2 (0x2811b000)
>         libmysqlclient.so.10 =>
> /usr/local/mysql/lib/mysql/libmysqlclient.so.10 (0x28136000)
>         libc.so.4 => /usr/lib/libc.so.4 (0x28151000)
>         libz.so.2 => /usr/lib/libz.so.2 (0x281e6000)
>         libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x281f3000)
> bash-2.04$
> 
> heh ok
> 
> i'm going to try snort-daily.tar.gz now..
> ----- Original Message -----
> From: "shawn . moyer" <shawn at ...1184...>
> To: "alexus" <ml at ...1718...>
> Cc: "Roman Danyliw" <roman at ...438...>; <joey at ...47...>;
> <snort-users at lists.sourceforge.net>
> Sent: Tuesday, April 10, 2001 1:21 AM
> Subject: Re: [Snort-users] snort won't log anything in mysql
> 
> >
> > Prolly on snort.org as well, but I usually get it from the Sourceforge
> > page:
> >
> > http://snort.sourceforge.net/snort-daily.tar.gz
> >
> > Okay, one more: can you paste the output of "ldd /your/path/to/snort" ?
> > Just curious.
> >
> > Man, when you *do* get this working, please post to the list. This has
> > got to be the longest installation-type support thread I've seen.
> >
> >
> >
> > --shawn
> >
> >
> > alexus wrote:
> > >
> > > i'm wondering how exactly you detect that my version of spo_database.c is
> > > old..
> > >
> > > and another question how can i update my spo_database.c ?
> > >
> > > although i got snort 1.7
> > >
> > > i dont see any newer snort version on their website
> > >
> > > ----- Original Message -----
> > > From: "Roman Danyliw" <roman at ...438...>
> > > To: "alexus" <ml at ...1718...>; "shawn . moyer" <shawn at ...1184...>;
> > > <joey at ...47...>
> > > Cc: <snort-users at lists.sourceforge.net>
> > > Sent: Monday, April 09, 2001 11:43 PM
> > > Subject: RE: [Snort-users] snort won't log anything in mysql
> > >
> > > > The database plug-in (spo_database.c) in the latest version of Snort from
> > > > CVS
> > > >
> > > > > -----Original Message-----
> > > > > From: alexus [mailto:ml at ...1718...]
> > > > > Sent: Monday, April 09, 2001 10:19 PM
> > > > > To: Roman Danyliw; shawn . moyer; joey at ...47...
> > > > > Cc: snort-users at lists.sourceforge.net
> > > > > Subject: Re: [Snort-users] snort won't log anything in mysql
> > > > >
> > > > >
> > > > > i run snort 1.7
> > > > > i run acid 0.9.6b7
> > > > > i run adodb 095
> > > > > i run mysql 3.23.36
> > > > >
> > > > > all latest software...
> > > > >
> > > > > which DB plug-in are we talking about?
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Roman Danyliw" <roman at ...438...>
> > > > > To: "alexus" <ml at ...1718...>; "shawn . moyer" <shawn at ...1184...>;
> > > > > <joey at ...47...>
> > > > > Cc: <snort-users at lists.sourceforge.net>
> > > > > Sent: Monday, April 09, 2001 8:27 PM
> > > > > Subject: RE: [Snort-users] snort won't log anything in mysql
> > > > >
> > > > >
> > > > > > From your snort output, it looks like you are not running the latest code in
> > > > > > CVS (i.e.: not the latest DB plug-in code).  Check the latest copy and then
> > > > > > try Joe's test case.
> > > > > >
> > > > > > Roman
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: alexus [mailto:ml at ...1718...]
> > > > > > > Sent: Monday, April 09, 2001 4:57 PM
> > > > > > > To: shawn . moyer
> > > > > > > Cc: snort-users at lists.sourceforge.net; roman at ...438...
> > > > > > > Subject: Re: [Snort-users] snort won't log anything in mysql
> > > > > > >
> > > > > > >
> > > > > > > yes, I went to that website and did all those steps..
> > > > > > >
> > > > > > > mysql> select * from user where user='alexus';
> > > > > > > +-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
> > > > > > > | Host      | User   | Password         | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
> > > > > > > +-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
> > > > > > > | localhost | alexus | 34484ed463a66850 | Y           | Y           | N           | Y           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
> > > > > > > +-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
> > > > > > > 1 row in set (0.00 sec)
> > > > > > >
> > > > > > > mysql>
> > > > > > >
> > > > > > > here is snort without -D
> > > > > > >
> > > > > > > su-2.04# snort -c snort.conf
> > > > > > >
> > > > > > >         --== Initializing Snort ==--
> > > > > > >
> > > > > > > Initializing Network Interface fxp0
> > > > > > > Decoding Ethernet on interface fxp0
> > > > > > > Initializing Preprocessors!
> > > > > > > Initializing Plug-ins!
> > > > > > > Initializating Output Plugins!
> > > > > > >
> > > > > > > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > > > > > > Initializing rule chains...
> > > > > > > database: compiled support for ( mysql )
> > > > > > > database: configured to use mysql
> > > > > > > database:          user = xxx
> > > > > > > database: database name = xxx
> > > > > > > database:          host = xxx
> > > > > > > database: password is set
> > > > > > > database:   sensor name = xxx.xx.xxx.xx
> > > > > > > database:     sensor id = 1
> > > > > > > database: using the "log" facility
> > > > > > > 845 Snort rules read...
> > > > > > > 845 Option Chains linked into 130 Chain Headers
> > > > > > > 0 Dynamic rules
> > > > > > > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > > > > > >
> > > > > > > Rule application order: ->activation->dynamic->alert->log->pass->redalert
> > > > > > >
> > > > > > >         --== Initialization Complete ==--
> > > > > > >
> > > > > > > -*> Snort! <*-
> > > > > > > Version 1.7
> > > > > > > By Martin Roesch (roesch at ...66..., www.snort.org)
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: "shawn . moyer" <shawn at ...1184...>
> > > > > > > To: "alexus" <ml at ...1718...>
> > > > > > > Cc: <snort-users at lists.sourceforge.net>; <roman at ...438...>
> > > > > > > Sent: Monday, April 09, 2001 3:33 PM
> > > > > > > Subject: Re: [Snort-users] snort won't log anything in mysql
> > > > > > >
> > > > > > >
> > > > > > > > Have you followed all the docs to set the database up from
> > > > > > > >
> > > > > > > > http://www.incident.org/snortdb ?
> > > > > > > >
> > > > > > > > i.e. do you have a user in mysql that has create, insert, and select
> > > > > > > > privileges, and have you run the create_mysql script from the contrib
> > > > > > > > directory?
> > > > > > > >
> > > > > > > > Also, you might try running snort in the foreground (without the -D) and
> > > > > > > > see what messages you see.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --shawn
> > > > > > > >
> > > > > > > > alexus wrote:
> > > > > > > > >
> > > > > > > > > mysql> select * from event;
> > > > > > > > > Empty set (0.00 sec)
> > > > > > > > >
> > > > > > > > > mysql>
> > > > > > > > >
> > > > > > > > > when I used to use -s i saw snort messages there... but now no more since i
> > > > > > > > > removed -s
> > > > > > > > >
> > > > > > > > > ----- Original Message -----
> > > > > > > > > From: <roman at ...438...>
> > > > > > > > > To: "alexus" <ml at ...1718...>; "shawn . moyer" <shawn at ...1184...>;
> > > > > > > > > <snort-users at lists.sourceforge.net>
> > > > > > > > > Sent: Monday, April 09, 2001 8:32 AM
> > > > > > > > > Subject: Re: [Snort-users] SNORT WON'T LOG ANYTHING IN MYSQL
> > > > > > > > >
> > > > > > > > > > There is indeed a verbose mode in ACID.  Set $debug_mode=1
> > > > > > > > > > in acid_conf.php.  However, I doubt this will help you much if
> > > > > > > > > > Snort is not logging to the database correctly.  Try the following
> > > > > > > > > > SQL from the mysql client:
> > > > > > > > > >
> > > > > > > > > > mysql> SELECT count(*) FROM event;
> > > > > > > > > >
> > > > > > > > > > If the count is 0, it is a safe bet that Snort is misconfigured.  As
> > > > > > > > > > a side note, are you seeing these alerts in syslog or a flat file?
> > > > > > > > > >
> > > > > > > > > > Roman
> > > > > > > > > >
> > > > > > > > > > > i've tried -Dc..
> > > > > > > > > > >
> > > > > > > > > > > I still don't think it logs anything...
> > > > > > > > > > >
> > > > > > > > > > > is there any verbose mode for acid? i can see what's going on?
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > ----- Original Message -----
> > > > > > > > > > > From: "shawn . moyer" <shawn at ...1184...>
> > > > > > > > > > > To: "alexus" <ml at ...1718...>
> > > > > > > > > > > Cc: <snort-users at lists.sourceforge.net>
> > > > > > > > > > > Sent: Monday, April 09, 2001 10:45 AM
> > > > > > > > > > > Subject: Re: [Snort-users] SNORT WON'T LOG ANYTHING IN MYSQL
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > > alexus wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > snort -Dsc snort.conf
> > > > > > > > > > > >
> > > > > > > > > > > > < snort -Dsc snort.conf
> > > > > > > > > > > > > snort -Dc snort.conf
> > > > > > > > > > > >
> > > > > > > > > > > > The -s tells it to log to syslog instead of what you specify in
> > > > > > > > > > > > snort.conf.
> > > > > > > > > > > >
> > > > > > > > > > > > You know when you start it and you get the message that says "Command
> > > > > > > > > > > > line options override plugin(s)!"? That's why.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > p.s. CAPS = SHOUTING
> > > > > > > > > > > >
> > > > > > > > > > > > --shawn
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > >
> > > > > > > > > > > > s h a w n   m o y e r
> > > > > > > > > > > > shawn at ...1184...
> > > > > > > > > > > >
> > > > > > > > > > > > "Nuclear war would really set back cable."
> > > > > > > > > > > >                      -- Ted Turner
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > _______________________________________________
> > > > > > > > > > > Snort-users mailing list
> > > > > > > > > > > Snort-users at lists.sourceforge.net
> > > > > > > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > > > > > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > > > > > > Snort-users list archive:
> > > > > > > > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> 
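Shawn's checklist above (a mysql user with select, insert and create privileges) can be verified from the same `select * from user` output alexus pasted. The script below is an added example, not code from this thread or from the Snort/ACID projects; it parses the mysql client's ASCII table and reports which required privileges are not granted. The table it reads is constructed (same shape as the row in the thread, with the password hash replaced by a placeholder).

```python
"""Check a Snort database user's MySQL grants from mysql client output.
Added example, not from the thread or the Snort/ACID projects.  It parses the
'+---+' / '| a | b |' table the mysql client prints for
'select * from user where user=...' and reports which of the privileges
Shawn's checklist asks about (select, insert, create) are not 'Y'.  The table
below is constructed: same shape as the row in the thread, password hash
replaced by a placeholder."""

SAMPLE_OUTPUT = """\
mysql> select * from user where user='snort';
+-----------+-------+----------+-------------+-------------+-------------+
| Host      | User  | Password | Select_priv | Insert_priv | Create_priv |
+-----------+-------+----------+-------------+-------------+-------------+
| localhost | snort | <hash>   | Y           | Y           | N           |
+-----------+-------+----------+-------------+-------------+-------------+
1 row in set (0.00 sec)
"""

# What the database output plug-in and contrib/create_mysql need:
# select/insert to log events, create to build the schema.
REQUIRED = ("Select_priv", "Insert_priv", "Create_priv")

def _cells(line):
    """Split one '| a | b |' row into stripped cell values."""
    return [c.strip() for c in line.strip().strip("|").split("|")]

def parse_mysql_table(text):
    """Return a result set as a list of dicts keyed by column name; the
    '+---+' borders and the 'N rows in set' trailer are ignored."""
    rows = [_cells(ln) for ln in text.splitlines() if ln.startswith("|")]
    if not rows:
        return []
    header, data = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in data]

def missing_privileges(rows, required=REQUIRED):
    """Map 'user@host' to the required privileges that are not 'Y'.  The Host
    column matters too: a row for 'localhost' does not match a sensor that
    connects over the network from another machine."""
    return {f"{r['User']}@{r['Host']}": [p for p in required if r.get(p) != "Y"]
            for r in rows}

if __name__ == "__main__":
    for who, missing in missing_privileges(parse_mysql_table(SAMPLE_OUTPUT)).items():
        print(who, "missing:", ", ".join(missing) or "nothing")
```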