[Snort-users] All alerts not getting logged to MySQL??

WTWork securitygauntlet at ...3130...
Sun Sep 15 20:13:03 EDT 2002



Try changing this entry in RED

output database: alert, mysql, dbname=snort user=snort password=snort host=192.168.xxx.xx sensor_name=s-1 port=3306 detail=full


At 10:06 AM 9/12/2002 -0500, Alan Kloster wrote:
>Hello,
>
>Here are some details:
>
>Snort started with the following command line:
>
>/usr/local/bin/snort -o -i eth1 -d -D -c /usr/local/snort/snort.conf
>
>Database output plug-in conf:
>
>output database: log, mysql, dbname=snort user=snort password=snort host=192.168.xxx.xx sensor_name=s-1 port=3306 detail=full
>
>Snort version is 1.8.7 on Redhat Linux -> MySQL, Acid on WIN2K with IIS
>
>Okay here's the rub:
>
>If I tail /var/log/snort/alert and watch the alerts scroll across, I see a
>bunch of FTP Exploit CWD Overflow alerts almost constantly.  When I go back
>and look at the database using ACID, I only see the first alert of this type
>since I restarted Snort, but a wc -l on /var/log/snort/alert shows 642
>instances of the alert.  What gives?  All of the other alert types appear in
>the database as they are added to /var/log/snort/alert.
>
>Strange part #2 - I have another box set up with the same configuration, but
>it doesn't have this problem.  I have compared the two snort.conf and snortd
>files and they appear to be the same.
>
>Tried to set output database: alert.  That works and sends all of the alerts
>to the database, but nothing gets logged to /var/log/snort/alert anymore,
>which is something I want to see.  I also begin to see all of the portscans
>in the database, which I really don't want to see.  Any help to solve this
>mystery would be appreciated.
>
>Also, if anyone has a chart of what options cause what to happen when they
>are selected, it would be helpful, as I find the FAQ and other resources on
>the web to be very vague on what actually gets logged when alert or log is
>selected.  Thanks for your help.  You guys are great and it's a great
>product!
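
Added example (not part of the original thread, and not Snort project code): the
comparison Alan makes with wc -l can be done per signature instead. The script
below parses a Snort alert_fast-format text file, tallies alerts per gid:sid, and
diffs those tallies against per-signature counts pulled from the database (for
example a GROUP BY over the Snort schema's event and signature tables), so a
signature that reaches the text file far more often than the database stands out
by name. The alert lines and the database counts are constructed for the example;
the rule IDs are placeholders in the local-rule range, not real Snort sids. It
assumes the text file is written by alert_fast (one line per alert), which is also
the format in which a line count equals an alert count. Keeping that text file
while sending alerts to MySQL is a matter of declaring both output plug-ins, e.g.
`output alert_fast: alert` next to `output database: alert, mysql, ...`.

```python
import re
from collections import Counter

# Constructed sample alert lines in Snort's alert_fast format (not taken from
# the original post). The gid:sid:rev numbers are placeholders in the
# local-rule range, not real Snort rule IDs.
SAMPLE_ALERT_FILE = """\
09/12-10:06:01.100001  [**] [1:1000001:1] FTP Exploit CWD Overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.50:3456 -> 192.168.1.9:21
09/12-10:06:01.200002  [**] [1:1000001:1] FTP Exploit CWD Overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.50:3457 -> 192.168.1.9:21
09/12-10:06:02.300003  [**] [1:1000002:2] WEB-MISC constructed test rule [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.77:40000 -> 192.168.1.9:80
09/12-10:06:03.400004  [**] [1:1000001:1] FTP Exploit CWD Overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.50:3458 -> 192.168.1.9:21
this line is not an alert and must be ignored
"""

# Constructed per-signature counts standing in for what ACID shows from the
# database: the first FTP alert made it in, the repeats did not.
SAMPLE_DB_COUNTS = {
    (1, 1000001, "FTP Exploit CWD Overflow"): 1,
    (1, 1000002, "WEB-MISC constructed test rule"): 1,
}

# One alert_fast line: timestamp, [**] [gid:sid:rev] msg [**], optional
# classification and priority, {proto} src -> dst.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_fast_alert(line):
    """Parse one alert_fast line into a dict; return None for non-alert lines."""
    m = FAST_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev"):
        rec[key] = int(rec[key])
    rec["prio"] = int(rec["prio"]) if rec["prio"] is not None else None
    return rec


def count_by_signature(alert_text):
    """Tally alerts per (gid, sid, msg), skipping lines that do not parse."""
    counts = Counter()
    for line in alert_text.splitlines():
        rec = parse_fast_alert(line)
        if rec is not None:
            counts[(rec["gid"], rec["sid"], rec["msg"])] += 1
    return counts


def find_missing(file_counts, db_counts):
    """Return [(signature, count_in_file, count_in_db)] for every signature
    the text file saw more often than the database did."""
    missing = []
    for sig, n_file in sorted(file_counts.items()):
        n_db = db_counts.get(sig, 0)
        if n_db < n_file:
            missing.append((sig, n_file, n_db))
    return missing


if __name__ == "__main__":
    file_counts = count_by_signature(SAMPLE_ALERT_FILE)
    for sig, n_file, n_db in find_missing(file_counts, SAMPLE_DB_COUNTS):
        gid, sid, msg = sig
        print(f"{msg} (gid {gid}, sid {sid}): {n_file} in alert file, {n_db} in database")
```

On a live sensor, feed the real /var/log/snort/alert to count_by_signature and
replace SAMPLE_DB_COUNTS with the per-signature counts queried from the database;
any signature returned by find_missing is one to compare against the alert versus
log facility setting of the database output plug-in.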