[Snort-users] Question about Snort/ACID/MySQL and portscans

Slighter, Tim tslighter at ...5174...
Fri Apr 25 08:56:09 EDT 2003


Not so sure about how this works in a windows environment, but in a linux
environment, the results have been "erratic".  For example, with Redhat 7.3
and the latest versions of all else (PHP, MySQL, ACID, Snort, etc...), the
alerts do appear to end up in both the snort database and the alert file.
However, the portscan alerts do not behave the same.  Sometimes the
portscans will show up in the alert file instead of portscan.log, and when
that happens they do not appear in the ACID console.  Other times the
portscans do end up in the portscan.log file and are viewable in the ACID
console.  Anyone have a good explanation for this behavior?

-----Original Message-----
From: Michael Steele [mailto:michaels at ...155...]
Sent: Thursday, April 24, 2003 2:41 PM
To: 'Snow Jacob C KPWA'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Question about Snort/ACID/MySQL and portscans



Jacob,

Remove the 'output database alert ...' line. By using 'output database log
...' you will be outputting to both types of logging (alert and log), and
yes, it uses the log file.

-Michael
--
 Michael Steele | System Engineer / Support Technician
  mailto:michaels at ...155...

 Silicon Defense - The Cyber-War Defense Company
 Website: http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org
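
Michael's advice applied to the snort.conf lines quoted below, as an added example that is not part of this thread. The password and database host are placeholders, and the portscan preprocessor thresholds are assumed values, not Jacob's.

```conf
# Before (as posted): two database output plugins pointed at the same sensor.
# The 'alert' line is redundant once the 'log' line is present, because the
# 'log' facility receives both alert and log events.
# output database: alert, mysql, user=snort1 password=<PASSWORD> dbname=snort host=<DB_HOST> port=3306 sensor_name=slave1
# output database: log, mysql, user=snort1 password=<PASSWORD> dbname=snort host=<DB_HOST> port=3306 sensor_name=slave1

# After: a single 'log' database plugin is enough.
output database: log, mysql, user=snort1 password=<PASSWORD> dbname=snort host=<DB_HOST> port=3306 sensor_name=slave1

# The Snort 1.x portscan preprocessor writes its per-connection scan records to
# the file named in its own directive (created under the -l log directory), not
# through the output plugins above; only its summary alerts reach the database.
# Thresholds (4 ports within 3 seconds) are assumed values for illustration.
preprocessor portscan: $HOME_NET 4 3 portscan.log
```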

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Snow Jacob C
KPWA
Sent: Thursday, April 24, 2003 1:04 PM
To: 'snort-users at lists.sourceforge.net'; 'Michael Steele'
Subject: [Snort-users] Question about Snort/ACID/MySQL and portscans

Just a curious question when you have:

output database: log, mysql, user=snort1 password=test_snort dbname=snort host=xxx.xxx.xxx.xxx port=3306 sensor_name=slave1

output database: alert, mysql, user=snort1 password=test_snort dbname=snort host=xxx.xxx.xxx.xxx port=3306 sensor_name=slave1

in the snort.conf file will you get alerts in the log file as well?

I have installed the service with:

snort /service /install -o -l d:/applications/snort/log -c d:/applications/snort/etc/snort.conf -d -i3

I am wondering why none of the port scans that happen are showing up in SQL;
they are showing up in a text document in the log folder.  How do I
configure the port scans to go to mysql so I can view them with acid?  I am
using snort 1.91 on win2k/xp.  The alerts work fine and I can view
everything with acid, except the port scans.  I can go into the log
directory and see the port scan listing.

Thank you,

Jacob Snow

jacobsc at ...160...

(360)315-3487

NAVSEA Intern
