[Snort-users] MySQL Logging ?
snort-bipsen at ...4712...
Mon Jan 28 11:48:03 EST 2002
I tried to change the interface to the main interface on the PC, but that
didn't give me anything in the sql table either (sniffing in snortd set to
eth0 which I also use for communicating with the box through http and ssh) -
Trying to "fire" snot to trigger events in the database didn't help...
For some weird reason it seems like bad traffic isn't always logged into my
syslog - guess I'll have to check up on things to ensure the basic
configuration is right (and my compile options have been set correctly).
> -----Original Message-----
> From: Erek Adams [mailto:erek at ...577...]
> Sent: 28. januar 2002 20:23
> To: Brian Ipsen
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] MySQL Logging ?
> On Mon, 28 Jan 2002, Brian Ipsen wrote:
> > where interface for test purposes has been set to lo
> This would be the issue. Loopbacks don't ever really pass any traffic.
> Normally the kernel will 'short-circuit' and bring them right back to the box,
> w/o hitting the pcap layer. If it doesn't hit the pcap layer, snort will
> never see it to log it, and you'll get nothing in the DB.
> Try your main ether and see what's going on. That should get you some traffic
> coming in....
> Easy test: Compare the output of "snort -dv -i <non-loopback>" to the output
> of "snort -dv -i <loopback>". Force some traffic over each interface (ping -i
> <if>) and see if there is a difference.
> Hope that helps!
> Erek Adams