[Snort-users] can't log into MySQL database

Phil Wood cpw at ...440...
Fri Apr 27 10:00:34 EDT 2001


That's a common problem
On Fri, Apr 27, 2001 at 01:01:28PM +0800, Richard Liu wrote:
> I have a problem with Snort logging into a MySQL database
> 
> snort version : 1.7
> MySQL version : 3.23.26
> 
> I have a simple test rule
> ----------------------------------------
> output database: log, mysql, user=snort dbname=snort host=localhost
> 
> 
> log tcp any 21 -> any any (msg:"FTP login incorrect"; flags:PA; content: "530 Login incorrect";)
> alert tcp any 21 -> any any (msg:"FTP login incorrect"; flags:PA; content: "530 Login incorrect";)
> ----------------------------------------
> I use README.database to create my database, but the user name is snort
> 
> run snort with 
> ==============
> /usr/sbin/snort -u snort -g snort -s -d -i eth0 -l /var/log/snort -c /etc/snort/

This is a common problem.  When there are output configuration statements in
the configuration file and you also specify an output (-s) configuration on
the command line, the command line takes precedence (see WARNING).
Consequently, the mysql stuff does not get utilized.  The suggestion I
see most often, after getting the feel of snort using command line options,
is to use the configuration file to define where output should go, and
what preprocessors to use, etc.

> rules
> ==============
> command
> 
> SNORT message is below
> -=====================-
> Initializing Network Interface eth0
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> database(debug): database plugin is registered...
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> WARNING: command line overrides rules file alert plugin!
> 2 Snort rules read...
> 2 Option Chains linked into 2 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> Rule application order: ->activation->dynamic->alert->log->pass
> 
>         --== Initialization Complete ==--
> 
> -*> Snort! <*-
> Version 1.7
> By Martin Roesch (roesch at ...66..., www.snort.org)
> 
> -====================-
> I try to create an FTP connection to trigger the SNORT rule
> 
> I can see a log in /var/log/snort,
> but I can't get a log in the MySQL database snort.
> 
> Can anyone help me solve this problem?
> 
> --
> richliu: ICQ:4724847 
> 
> 

-- 
Phil Wood, cpw at ...440...
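
The conflict described in the reply above can be caught before or just after Snort starts. The following is an added example, not part of the original thread or of Snort itself: the helper names are hypothetical, and treating -A and -M the same way as -s is an assumption (the thread only confirms -s).

```python
import re
import shlex

# -s is the override the thread confirms; -A and -M are assumed to behave
# the same way, since they also pick an alert mode on the command line.
OVERRIDE_FLAGS = ("-s", "-A", "-M")
OUTPUT_RE = re.compile(r"output\s+(\w+)\s*:\s*(.*)")
WARNING_RE = re.compile(r"WARNING: command line overrides rules file (\w+) plugin!")

def output_directives(conf_text):
    """Return (plugin, args) for each 'output' directive in a rules file."""
    matches = (OUTPUT_RE.match(line.strip()) for line in conf_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def overriding_flags(cmdline):
    """Return output-selecting flags given as separate tokens (bundled
    forms such as -ds are not unpacked)."""
    return [tok for tok in shlex.split(cmdline)[1:] if tok in OVERRIDE_FLAGS]

def check(cmdline, conf_text, startup_log=""):
    """Report whether config-file output plugins are likely being ignored."""
    directives = output_directives(conf_text)
    flags = overriding_flags(cmdline)
    warned = WARNING_RE.findall(startup_log)
    return {"directives": directives, "flags": flags, "warned": warned,
            "at_risk": bool(directives) and bool(flags or warned)}

# Inputs below are copied or reassembled from the post in this thread.
CONF = """\
output database: log, mysql, user=snort dbname=snort host=localhost
log tcp any 21 -> any any (msg:"FTP login incorrect"; flags:PA; content: "530 Login incorrect";)
"""
CMD = ("/usr/sbin/snort -u snort -g snort -s -d -i eth0 "
       "-l /var/log/snort -c /etc/snort/rules")
LOG = """\
Initializing rule chains...
WARNING: command line overrides rules file alert plugin!
2 Snort rules read...
"""
# Constructed: the same invocation with the -s flag dropped.
FIXED_CMD = CMD.replace(" -s ", " ")

if __name__ == "__main__":
    for name, cmd, log in (("original", CMD, LOG), ("fixed", FIXED_CMD, "")):
        r = check(cmd, CONF, log)
        print(name, "at_risk=%s flags=%s warned=%s" % (r["at_risk"], r["flags"], r["warned"]))
```

Dropping -s removes the syslog alerts as well, so that output would need its own `output` directive in the configuration file, as the reply suggests.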




