[Snort-users] All alerts not getting logged to MySQL??

Goldmoon summer_beha at ...131...
Mon Sep 16 09:58:02 EDT 2002


Hi,

Is this the snort.conf in /usr/local/etc? Also, in
that database section, there are 4 entries of "output
database"; should all of these be changed to match the
lines below?

Thanks!
--- WTWork <securitygauntlet at ...3130...> wrote:
> 
> 
> Try changing this entry in RED
> 
> output database: alert, mysql, dbname=snort user=snort password=snort host=192.168.xxx.xx sensor_name=s-1 port=3306 detail=full
> 
> 
> At 10:06 AM 9/12/2002 -0500, Alan Kloster wrote:
> >Hello,
> >
> >Here are some details:
> >
> >Snort started with the following command line:
> >
> >/usr/local/bin/snort -o -i eth1 -d -D -c /usr/local/snort/snort.conf
> >
> >Database output plug-in conf:
> >
> >output database: log, mysql, dbname=snort user=snort password=snort host=192.168.xxx.xx sensor_name=s-1 port=3306 detail=full
> >
> >Snort version is 1.8.7 on Redhat Linux -> MySQL, Acid on WIN2K with IIS
> >
> >Okay here's the rub:
> >
> >If I tail the /var/log/snort/alert and watch the alerts scroll across I see a bunch of FTP Exploit CWD Overflow alerts almost constantly. When I go back and look at the database using ACID, I only see the first alert of this type since I restarted Snort, but a wc -l on /var/log/snort/alert shows 642 instances of the alert. What gives? All of the other alert types appear in the database as they are added to /var/log/snort/alert.
> >
> >Strange part #2 - I have another box set up with the same configuration, but it doesn't have this problem. I have compared the two snort.conf and snortd files and they appear to be the same.
> >
> >Tried to set output database: alert. That works and sends all of the alerts to the database, but nothing gets logged to /var/log/snort/alert anymore, which is something I want to see. I also begin to see all of the portscans as well in the database, which I really don't want to see. Any help to solve this mystery would be appreciated.
> >
> >Also, if anyone has a chart of what options cause what to happen when they are selected, it would be helpful, as I find the FAQ and other resources on the web to be very vague on what actually gets logged when alert or log is selected. Thanks for your help. You guys are great and it's a great product!
> >
> >
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >Go to this URL to change user options or unsubscribe:
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://www.geocrawler.com/redir-sf.php3?list


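A way to put numbers on the discrepancy Alan describes (642 alert-file entries versus one row in ACID) is to count alert records per signature name on both sides and diff them. The script below is an added example for this thread, not code from Snort, ACID or anyone on the list. It assumes the Snort 1.8 database schema that ACID reads (an event table whose signature column references signature.sig_id), uses an in-memory SQLite database as a stand-in for the MySQL "snort" database, and embeds a constructed excerpt of a full-format /var/log/snort/alert file; the SIDs, addresses, timestamps and the second signature name are made up. Note that it counts "[**] [gid:sid:rev] name [**]" header lines rather than raw lines, because in full alert mode one alert spans several lines, so wc -l overstates the count.

```python
import re
import sqlite3
from collections import Counter

# Constructed excerpt of a Snort full-format alert file (/var/log/snort/alert).
# SIDs, addresses, timestamps and "EXAMPLE-RULE probe" are made up for this example.
SAMPLE_ALERT_FILE = """\
[**] [1:100001:1] FTP Exploit CWD Overflow [**]
09/12-10:05:41.102933 10.0.0.5:34211 -> 10.0.0.10:21

[**] [1:100001:1] FTP Exploit CWD Overflow [**]
09/12-10:05:42.551830 10.0.0.5:34212 -> 10.0.0.10:21

[**] [1:100002:1] EXAMPLE-RULE probe [**]
09/12-10:05:50.004120 10.0.0.7:1025 -> 10.0.0.10:80

[**] [1:100001:1] FTP Exploit CWD Overflow [**]
09/12-10:06:01.778001 10.0.0.5:34213 -> 10.0.0.10:21
"""

# Header line that starts one alert record: [**] [gid:sid:rev] signature name [**]
ALERT_HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")


def count_alert_file(text):
    """Count alert records per signature name (one record = one header line)."""
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_HEADER.match(line.strip())
        if m:
            counts[m.group(4)] += 1
    return counts


# Assumed to match the Snort 1.8 database schema used by ACID:
# event.signature is a foreign key to signature.sig_id.
DB_COUNT_SQL = """
SELECT s.sig_name, COUNT(*)
FROM event e JOIN signature s ON e.signature = s.sig_id
GROUP BY s.sig_name
"""


def count_database(conn):
    """Count events per signature name through any DB-API connection."""
    return Counter(dict(conn.execute(DB_COUNT_SQL).fetchall()))


def compare_counts(file_counts, db_counts):
    """Return {sig_name: (alert_file_count, db_count)} for signatures that disagree."""
    names = set(file_counts) | set(db_counts)
    return {
        n: (file_counts.get(n, 0), db_counts.get(n, 0))
        for n in sorted(names)
        if file_counts.get(n, 0) != db_counts.get(n, 0)
    }


def build_sample_db():
    """In-memory SQLite stand-in for the MySQL 'snort' database, seeded with
    constructed rows that reproduce the symptom: the overflow alert was inserted once."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                                sig_sid INTEGER, sig_gid INTEGER, sig_rev INTEGER);
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                            timestamp TEXT, PRIMARY KEY (sid, cid));
        INSERT INTO signature VALUES (1, 'FTP Exploit CWD Overflow', 100001, 1, 1);
        INSERT INTO signature VALUES (2, 'EXAMPLE-RULE probe', 100002, 1, 1);
        INSERT INTO event VALUES (1, 1, 1, '2002-09-12 10:05:41');
        INSERT INTO event VALUES (1, 2, 2, '2002-09-12 10:05:50');
        """
    )
    return conn


def run_sample():
    """Diff the constructed alert file against the constructed database."""
    return compare_counts(count_alert_file(SAMPLE_ALERT_FILE),
                          count_database(build_sample_db()))


if __name__ == "__main__":
    for name, (in_file, in_db) in run_sample().items():
        print(f"{name}: {in_file} in alert file, {in_db} in database")
```

Against a real sensor, read /var/log/snort/alert into count_alert_file and pass a connection from a MySQL DB-API driver to count_database; the query string is the only part that touches the schema, so adjust it if the deployed snort database differs from the 1.8 layout assumed here.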