[Snort-users] Snort 2.0 as a Windows Service??

Erek Adams erek at ...950...
Wed Apr 23 09:32:05 EDT 2003


On Wed, 23 Apr 2003, Michael Steele wrote:

> How can you tell he has two output database plugins?

Looking at the output there are two sets of data for DB.

> > database: compiled support for ( mysql odbc )
> > database: configured to use mysql
> > database:          user = snort
> > database: password is set
> > database: database name = snort
> > database:          host = 127.0.0.1
> > database:          port = 3306
> > database:   sensor name = Websrv15e
> > database:     sensor id = 2
> > database: schema version = 106
> > database: using the "alert" facility
> > database: compiled support for ( mysql odbc )
> > database: configured to use mysql
> > database:          user = snort
> > database: database name = snort
> > database:          host = 127.0.0.1
> > database:          port = 3306
> > database:   sensor name = Websrv15e
> > ERROR: database: mysql_error: Access denied for user:

Two sets of the info from DB plugin means 2 sets of DB plugin lines.  :)

> In my documentation it specifies two output database lines. One is alert
> and the other is log.

Ummm...  Why?  That's a bit redundant.  If you look at this [0], you'll
see how the DB plugin deals with it.

  "The database plugin is something of an anomaly because it doesn't
  separate the two functionalities very much.  The "log" option attaches
  the log facility and the "alert" option attaches it to the alert
  facility.  What this means in practical terms is that if the db plugin
  is in alert mode, it will only receive output from alert rules, whereas
  if it's in "log" mode it will receive output from both log and alert
  rules."

So you don't need two DB lines.  That's wasting time, effort, CPU, and
network.  If you 'want everything', then just use 'log' instead of
'alert'.

> If he is using my docs, leave in both lines, but make sure the syntax is
> correct. I'm assuming he has failed to properly setup the users in the
> database.

Nope.  That's not it.  If it was, would his first DB line work at all?  :)
It's something in the second DB output line that's causing the error.

> He can also execute his run line with a -T at the end but most likely
> won't get much more information. He can also check the Application log
> and see what it's reporting.

-T would probably give more data than EventLog, but that's a guess
from someone w/o a Win32 machine.   :)

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
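As an added illustration of the facility point made above (this fragment is not part of Erek's post, nor taken from the Snort project's own documentation): the redundant two-line form next to the single "log" line that, per the quoted plugin documentation, receives output from both log and alert rules. The user, dbname, host, port and sensor_name values are the ones shown in the quoted startup output; the password value and the exact contents of the failing second line are assumptions, since the thread only shows that the second plugin instance fails to authenticate.

```conf
# snort.conf fragment (constructed example, not from the thread)

# Redundant: two "output database" lines start two instances of the plugin,
# which is why the startup output prints the database: banner twice.
# The password value is a placeholder, not from the thread.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1 port=3306 sensor_name=Websrv15e
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1 port=3306 sensor_name=Websrv15e

# Sufficient: in "log" mode the plugin receives output from both log and
# alert rules, so this one line covers everything the two lines above would.
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1 port=3306 sensor_name=Websrv15e
```

Before touching database grants, compare the parameter list of each output database line with what the plugin echoes at startup: the first quoted block prints "password is set" after the user line and the second does not, and the thread does not say why, so confirming that every line carries a password= parameter is the cheapest check. `snort -T -c <your snort.conf>` (the -T mentioned in the thread) parses the configuration, initialises the output plugins and exits, which surfaces this kind of error without starting a capture.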
