[Snort-users] MySQL Logging ?

Brian Ipsen snort-bipsen at ...4712...
Mon Jan 28 11:48:03 EST 2002


Hi! 

I tried to change the interface to the main interface on the PC, but that 
didn't give me anything in the sql table either (sniffing in snortd set to 
eth0 which I also use for communicating with the box through http and ssh) - 
Trying to "fire" snot to trigger events in the database didn't help...
For some weird reason it seems like bad traffic isn't always logged into my 
syslog - guess I'll have to check up on things to ensure the basic 
configuration is right (and my compile options have been set correctly). 

/Brian 

> -----Original Message-----
> From: Erek Adams [mailto:erek at ...577...]
> Sent: 28. januar 2002 20:23
> To: Brian Ipsen
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] MySQL Logging ? 
> 
> 
> On Mon, 28 Jan 2002, Brian Ipsen wrote: 
> 
> [...snip...] 
> 
> > where interface for test purposes has been set to lo 
> 
> This would be the issue.  Loopbacks don't ever really pass any traffic.
> Normally the kernel will 'short-circuit' and bring them right back to the box,
> w/o hitting the pcap layer.  If it doesn't hit the pcap layer, snort will
> never see it to log it, and you'll get nothing in the DB. 
> 
> Try your main ether and see what's going on.  That should get you some traffic
> coming in.... 
> 
> Easy test:  Compare the output of "snort -dv -i <non-loopback>" to the output
> of "snort -dv -i <loopback>".  Force some traffic over each interface (ping -i
> <if>) and see if there is a difference. 
> 
> Hope that helps! 
> 
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net 
> 
> 