[Snort-users] All alerts not getting logged to MySQL??

WTWork securitygauntlet at ...3130...
Sun Sep 15 20:13:03 EDT 2002

Try changing this entry in RED

output database: alert, mysql, dbname=snort user=snort password=snort .xxx.xx sensor_name=s-1 port=3306 detail=full

At 10:06 AM 9/12/2002 -0500, Alan Kloster wrote:
>Here are some details:
>Snort started with the following command line:
>/usr/local/bin/snort -o -i eth1 -d -D -c /usr/local/snort/snort.conf
>Database output plug in conf:
>output database: log, mysql, dbname=snort user=snort password=snort .xxx.xx sensor_name=s-1 port=3306 detail=full
>Snort version is 1.8.7 on Redhat Linux -> MySQL, Acid on WIN2K with IIS
>Okay here's the rub:
>If I tail the /var/log/snort/alert and watch the alerts scroll across I see a bunch of FTP Exploit CWD Overflow alerts almost constantly.  When I go back and look at the database using ACID, I only see the first alert of this type since I restarted Snort, but a wc -l on /var/log/snort/alert shows 642 instances of the alert.  What gives?  All of the other alert types appear in the database as they are added to
>Strange part #2 - I have another box set up with the same configuration, but it doesn't have this problem.  I have compared the two snort.conf and snortd files and they appear to be the same.
>Tried to set output database: alert.  That works and sends all of the alerts to the database, but nothing gets logged to /var/log/snort/alert anymore which is something I want to see.  I also begin to see all of the portscans as well in the database, which I really don't want to see.  Any help to solve this mystery would be appreciated.
>Also if anyone has a chart of what options cause what to happen when they are selected, it would be helpful as I find the FAQ and other resources on the web to be very vague on what actually gets logged when alert or log is selected.  Thanks for your help.  You guys are great and it's a great product!