[Snort-users] Snort 1.8.2 + remote MySQL logging

Steve Wingate steve at ...4100...
Mon Nov 19 14:47:02 EST 2001


I'm trying to get my snort box to log to a MySQL server on the LAN. Upon starting snort, it seems to properly acknowledge the mysql support, and the "snoop" utility on Solaris 8 shows a brief flurry of activity indicating that the mysql server is being logged into. I start snort with "snort -D -d -h 192.168.1.0/24 -c snort.conf". I can also manually log into the mysql server from the snort box. However, after that there doesn't seem to be "enough activity" to indicate that the data is actually going into the database.

This is only a home LAN with a cable connection, but the alert & portscan.log files show frequent activity at the same time snoop shows no activity to the mysql server box. From reading docs I understand that portscan data isn't logged to mysql, but I'm thinking I should see all the attempted exploit activity on my webserver (WEB-IIS cmd.exe, WEB-FRONTPAGE, WEB-IIS CodeRed, etc.) going to the database. The alert log shows quite a few of these entries. The webserver is apache so I'm not losing any sleep over the attempts.

I leave snoop running and it goes an hour or more w/o showing any activity after the client login, which I identify by the 3306 destination port in the snoop output.

The snort box is OpenBSD 2.9-stable running ipfilter.
Snort version is 1.8.2, compiled from source with ./configure --with-mysql=/usr/local
The box has the MySQL 3.23.41 client only installed, which was installed from the OpenBSD ports tree.

The only mysql related entry I've made in snort.conf is shown below, host/user/pw changed to protect the innocent:

output database: log, mysql, user=skippy password=foobar dbname=snort host=mysqlbox

The "var blah" variables are as follows.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var SMTP 192.168.1.1
var HTTP_SERVERS 192.168.1.1
var SQL_SERVERS 192.168.1.2
var DNS_SERVERS [24.5.156.15,24.5.156.17,192.168.1.1]
# the 24.x entries above are for my ISP

Am I missing anything obvious? Should there be any other mysql related entries in snort.conf? I'm not very good with snort or mysql.... I know just enough to get them running and that's about it. TIA.
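Rather than inferring from snoop whether rows are arriving, the database can be asked directly from the mysql client the poster already uses. These are added diagnostic queries, not part of the original post; they assume the tables created by Snort's create_mysql script (sensor, event, signature) and use DATE_SUB and comma joins so they also run on a MySQL 3.23 server.

```sql
-- 1. Did the sensor register? Snort inserts a sensor row when the
--    database plugin starts, which is the connection burst seen at
--    startup. last_cid is the highest event id written so far: if it
--    stays at 0 the plugin connected but has logged nothing.
SELECT sid, hostname, interface, filter, last_cid
FROM sensor;

-- 2. Is anything arriving now? Events per sensor in the last hour,
--    with the newest timestamp, to compare against the alert file.
SELECT s.hostname, COUNT(*) AS events, MAX(e.timestamp) AS newest
FROM event e, sensor s
WHERE s.sid = e.sid
  AND e.timestamp > DATE_SUB(NOW(), INTERVAL 1 HOUR)
GROUP BY s.hostname;

-- 3. Which rules are being stored? If the WEB-IIS / WEB-FRONTPAGE
--    entries from the alert file are missing here, the output plugin
--    is not receiving them, not the network path to port 3306.
SELECT g.sig_name, COUNT(*) AS hits
FROM event e, signature g
WHERE g.sig_id = e.signature
  AND e.timestamp > DATE_SUB(NOW(), INTERVAL 1 HOUR)
GROUP BY g.sig_name
ORDER BY hits DESC
LIMIT 10;
```

Run them on the MySQL box while the alert file is visibly growing; a zero count in query 2 alongside new alert-file lines isolates the problem to Snort's output configuration rather than to MySQL connectivity.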
