[Snort-users] loggin to mySQL

Jason Lewis jlewis at ...1831...
Sun Jun 17 15:07:32 EDT 2001


What is in snort.conf?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the
other end of the link know less about security than you do. And that's
scary.



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Blake
Frantz
Sent: Sunday, June 17, 2001 2:53 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] loggin to mySQL



Hello,

I'm having a problem getting snort to log to mySQL.  Everything is being
logged to /var/log/snort.  Below are the details, any help is appreciated.

This is what snort says when I fire it up with:
'snort -c snort.conf -i eth1'

Initializing rule chains...
database: compiled support for ( mysql postgresql )
database: configured to use mysql
database:          user = snort
database: database name = snort
database:          host = localhost
database:   sensor name = 192.168.69.99
database:     sensor id = 2
database: using the "log" facility
633 Snort rules read...
633 Option Chains linked into 631 Chain Headers
0 Dynamic rules

This is the access mySQL says user snort has on dB 'snort':

Access-rights
for USER 'snort', from HOST 'localhost', to DB 'snort'
        +-----------------+---+ +-----------------+---+
        | Select_priv     | Y | | Shutdown_priv   | N |
        | Insert_priv     | Y | | Process_priv    | N |
        | Update_priv     | N | | File_priv       | N |
        | Delete_priv     | N | | Grant_priv      | N |
        | Create_priv     | Y | | References_priv | N |
        | Drop_priv       | N | | Index_priv      | N |
        | Reload_priv     | N | | Alter_priv      | N |
        +-----------------+---+ +-----------------+---+
BEWARE:  Everybody can access your DB as user `snort' from host
`localhost'
      :  WITHOUT supplying a password.
      :  Be very careful about it!!

The following rules are used:
db  :'localhost','snort','snort','Y','Y','N','N','Y','N','N','N','N','N'
host:'Not processed: host-field is not empty in db-table.'
user:'localhost','snort','','N','N','N','N','N','N','N','N','N','N','N','N',
'N','N'


This is how I have logging set up in my snort.conf:
ruletype log2mySQL
{
  type log
  output database: log, mysql, user=snort dbname=snort host=localhost
}


This is what snort says after I kill the process:
Snort received 152661 packets and dropped 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 124175     (81.340%)         ALERTS: 3
    UDP: 26187      (17.154%)         LOGGED: 3
   ICMP: 1984       (1.300%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 315        (0.206%)
DISCARD: 0          (0.000%)

So it *did* log data.


This is the result when I query my 'snort' dB from mysql:

mysql> use snort; select * from data;
Database changed
Empty set (0.00 sec)

mysql>

This is logged to /var/log/snort:

drwx------    2 root     root         4096 Jun 17 13:17 x.y.x.0
drwx------    2 root     root         4096 Jun 17 13:15 x.y.z.1
-rw-r--r--    1 root     root         1060 Jun 17 13:17 alert
-rw-r--r--    1 root     root            0 Jun 17 13:12 log
-rw-r--r--    1 root     root            0 Jun 17 13:12 portscan.log


Thanks in advance.

Blake




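Two things worth checking in a snort.conf like the one quoted above, as an added example that is not from the thread: Snort's `ruletype` keyword defines a new rule action, so only rules written with `log2mySQL` as their action are handed to that block's output plugins, and the database plugin accepts a `password=` parameter that this block omits (which lines up with the BEWARE line in the mysqlaccess output). The script below is assumed code written for this note; the sample config and the telnet rule in it are constructed.

```python
import re
# Constructed snort.conf fragment modelled on the ruletype block in the post;
# the telnet rule is invented to show a rule still using the stock "log" action.
SAMPLE_CONF = """\
ruletype log2mySQL
{
  type log
  output database: log, mysql, user=snort dbname=snort host=localhost
}
log tcp any any -> 192.168.69.0/24 23 (msg:"telnet session"; sid:1000001;)
"""

RULETYPE_RE = re.compile(r"^ruletype\s+(\w+)\s*\{(.*?)^\}", re.S | re.M)
OUTPUT_DB_RE = re.compile(r"output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")
RULE_RE = re.compile(r"^(\w+)\s+\S+\s+\S+\s+\S+\s*(?:->|<>)")  # action proto src sport ->

def parse_ruletypes(conf):
    """Map each ruletype name to the database output plugins declared inside it."""
    types = {}
    for m in RULETYPE_RE.finditer(conf):
        outputs = []
        for line in m.group(2).splitlines():
            om = OUTPUT_DB_RE.search(line.strip())
            if om:  # "output database: <facility>, <backend>, key=value ..."
                params = dict(kv.split("=", 1) for kv in om.group(3).split() if "=" in kv)
                outputs.append({"backend": om.group(2), "params": params})
        types[m.group(1)] = outputs
    return types

def rule_action_counts(conf):
    """Count rule lines per action keyword (log, alert, pass or a custom ruletype)."""
    counts = {}
    for line in conf.splitlines():
        rm = RULE_RE.match(line.strip())
        if rm:
            counts[rm.group(1)] = counts.get(rm.group(1), 0) + 1
    return counts

def check_conf(conf):
    """Flag ruletypes that no rule references and database outputs with no password."""
    findings = []
    actions = rule_action_counts(conf)
    for name, outputs in parse_ruletypes(conf).items():
        if name not in actions:
            findings.append(f"ruletype {name} is defined but no rule uses action '{name}'")
        for out in outputs:
            if "password" not in out["params"]:
                findings.append(f"ruletype {name}: {out['backend']} output for user "
                                f"{out['params'].get('user', '?')} has no password= parameter")
    return findings
```

Running `check_conf(SAMPLE_CONF)` reports both problems; rewriting the rule's action to `log2mySQL` and adding `password=` to the output line makes it return an empty list.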




