[Snort-users] Snort correctly logging to MySQL

Al.Wever at ...3765...
Mon Sep 23 09:31:02 EDT 2002


Hello all,
I have been using Snort successfully for some time now as a backup IDS to
our primary systems.  Now that we have some free equipment I decided to
install Snort on a Win2K server as a test.  Along with that I have
installed MySQL and ACID on an IIS server to see what the performance
issues would be like.  So far I am very impressed, so impressed that I am
about to give our primary IDS a boot out the door, but... I can't.
During the testing phase I noticed the log file alert.ids was expanding
considerably.  After further investigation I have noticed that there are
alerts residing in the log file that are not in the MySQL database.  For
example, WEB-CGI phf access and WEB-MISC /etc/passwd.  Our primary IDS did
pick up on these attacks, but Snort has not transferred them into the ACID
database.
Does anyone have any thoughts as to why they were never sent to the MySQL
database?

Thanks in advance
Best regards,
Al Wever


Config info:

snort.conf:
output database: log, mysql, user=snort password=snort dbname=snort host=localhost

Command used to start Snort as a service:
snort -c c:\snort\snort.conf -l c:\snort\logs -i2