[Snort-users] Snort 1.9 alert log problem

Bennett Todd bet at ...6163...
Mon Dec 9 13:55:03 EST 2002

2002-12-05-09:21:05 Schuler, Jeff:
> [...] The boxes log to a MySQL DB and to the local disk.  I then
> noticed that my alert file on each box was 1.4GB in size.  One
> of these boxes registers a few hundred hits a day, the other one
> maybe 3 hits per day, [...]

Is there any chance that (a) you're logging with MySQL off-machine,
and (b) the packets that are being logged to MySQL contain a string
that's re-triggering an alert, causing a loop?

If so, fixes would include (a) tightening the signature for the
looping alert so it won't match on the MySQL logging packet (if you
do this, do please submit the fix back, perhaps by emailing it to
the snort-sigs list); (b) disabling the sid that's looping (just
# it out in the rules file); (c) using a BPF rule to blind snort
to the outbound MySQL traffic; (d) moving the MySQL to the local
machine; and (e) tunneling the MySQL traffic through some encrypting
pipe like e.g. stunnel (for SSL) or ssh with port forwarding.
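A quick way to test the loop hypothesis before changing rules: tally the alert file by sid and see whether the alerts are dominated by packets headed to the remote database. This is an added example, not code from the thread; it assumes Snort's single-line "fast" alert format, a constructed sample of alert lines, and a database host of 192.0.2.50 on port 3306 (both placeholders).

```python
import re
from collections import Counter

# Snort "alert_fast" line layout (ports are absent for ICMP):
# MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] MSG [**] [...] {PROTO} SRC:SPORT -> DST:DPORT
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: four copies of one local sid firing on traffic to the
# DB host, plus two unrelated alerts.  Addresses are documentation ranges.
LOOP = ("12/05-09:21:0{n}.000001  [**] [1:1000001:1] LOCAL suspicious string [**] "
        "[Classification: Misc activity] [Priority: 3] {{TCP}} 192.0.2.10:34567 -> 192.0.2.50:3306")
SAMPLE_ALERTS = [LOOP.format(n=i) for i in range(1, 5)] + [
    "12/05-09:22:00.000002  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] "
    "[Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10",
    "12/05-09:22:01.000003  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.9:5555",
]

def parse_fast_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not match."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def find_feedback_candidates(lines, db_host, db_port=3306, threshold=0.5):
    """Count alerts per (sid, msg) whose destination is the alert database.
    Returns (total parsed alerts, those counts, the subset at or above
    `threshold` of all alerts).  A sid that dominates the file and only ever
    fires on traffic to db_host:db_port is the looping signature."""
    total, hits = 0, Counter()
    for line in lines:
        a = parse_fast_alert(line)
        if a is None:
            continue
        total += 1
        if a["dst"] == db_host and a["dport"] == db_port:
            hits[(a["sid"], a["msg"])] += 1
    suspicious = {k: v for k, v in hits.items() if total and v / total >= threshold}
    return total, hits, suspicious

if __name__ == "__main__":
    total, hits, suspicious = find_feedback_candidates(SAMPLE_ALERTS, "192.0.2.50")
    for (sid, msg), n in sorted(suspicious.items(), key=lambda kv: -kv[1]):
        print(f"sid {sid} ({msg}): {n}/{total} alerts aimed at the DB host")
```

Feed the real file in with `find_feedback_candidates(open("/var/log/snort/alert"), "<db-host>")`; a sid that shows up here is the one to tighten, comment out, or hide behind a BPF filter as described above.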

