[Snort-users] All alerts not getting logged to MySQL??

Alan Kloster akloster at ...6903...
Sun Sep 15 18:29:41 EDT 2002


Hello,

Here are some details:

Snort started with the following command line:

/usr/local/bin/snort -o -i eth1 -d -D -c /usr/local/snort/snort.conf

Database output plug in conf:

output database: log, mysql, dbname=snort user=snort password=snort host=192.168.xxx.xx sensor_name=s-1 port=3306 detail=full

Snort version is 1.8.7 on Redhat Linux -> MySQL, Acid on WIN2K with IIS

Okay here's the rub:

If I tail the /var/log/snort/alert and watch the alerts scroll across I see a bunch of
FTP Exploit CWD Overflow alerts almost constantly.  When I go back and look at
the database using ACID, I only see the first alert of this type since I restarted Snort,
but a wc -l on /var/log/snort/alert shows 642 instances of the alert.  What gives?  All of the
other alert types appear in the database as they are added to /var/log/snort/alert.

Strange part #2 - I have another box set up with the same configuration, but it doesn't have this
problem.  I have compared the two snort.conf and snortd files and they appear to be the same.

Tried to set output database: alert.  That works and sends all of the alerts to the database, but
nothing gets logged to /var/log/snort/alert anymore which is something I want to see.  I also begin to
see all of the portscans as well in the database, which I really don't want to see.  Any help to solve
this mystery would be appreciated.

Also if anyone has a chart of what options cause what to happen when they are selected, it would
be helpful as I find the FAQ and other resources on the web to be very vague on what actually gets
logged when alert or log is selected.  Thanks for your help.  You guys are great and it's a great product!
