[Snort-users] Not logging to MYSQL

Jeremy Campbell jrcampbell at ...9062...
Tue Apr 29 05:20:13 EDT 2003


I'm having trouble getting Snort to log to MySQL.  I don't seem to be
getting any errors indicating why.  I'm running FreeBSD, installed Snort out
of the ports WITH_MYSQL=yes so the mysql client is installed.  MySQL client
works because I can type 'mysql -h database blah blah'

/usr/local/share/snort/snort.conf | grep output

output database: log, mysql, user=******** password=******** dbname=snort
host=*.*.*.* detail=full

Starting Snort with:

/usr/local/bin/snort -A fast -l /usr/local/var/log/snort-ext -c
/usr/local/share/snort/snort.conf -i xl0 -D

Getting in /var/log/messages when I start snort:

Apr 28 14:08:11 sb_fw /kernel: xl0: promiscuous mode enabled
Apr 28 14:08:11 sb_fw snort: Initializing daemon mode
Apr 28 14:08:11 sb_fw snort: PID path stat checked out ok, PID path set to
/var/run/
Apr 28 14:08:11 sb_fw snort: Writing PID "72238" to file
"/var/run//snort_xl0.pid"
Apr 28 14:08:11 sb_fw snort: http_decode arguments:
Apr 28 14:08:11 sb_fw snort:     Unicode decoding
Apr 28 14:08:11 sb_fw snort:     IIS alternate Unicode decoding
Apr 28 14:08:11 sb_fw snort:     IIS double encoding vuln
Apr 28 14:08:11 sb_fw snort:     Flip backslash to slash
Apr 28 14:08:11 sb_fw snort:     Include additional whitespace separators
Apr 28 14:08:11 sb_fw snort:     Ports to decode http on: 80
Apr 28 14:08:11 sb_fw snort: rpc_decode arguments:
Apr 28 14:08:11 sb_fw snort:     Ports to decode RPC on: 111 32771
Apr 28 14:08:11 sb_fw snort:     alert_fragments: INACTIVE
Apr 28 14:08:11 sb_fw snort:     alert_large_fragments: ACTIVE
Apr 28 14:08:11 sb_fw snort: telnet_decode arguments:
Apr 28 14:08:11 sb_fw snort:     Ports to decode telnet on: 21 23 25 119
Apr 28 14:08:11 sb_fw snort: command line overrides rules file alert plugin!


Using tcpdump, I don't see any traffic to or from the SNORT box on the MYSQL
box, it's just not even trying to send anything out...

Snort does log to /usr/local/var/log/snort-ext/alert

Thanks,

Jeremy...
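A small troubleshooting helper, added here as an example and not part of the poster's message or of Snort itself: it parses the `output database:` directive from a snort.conf excerpt, masks the password, checks that the documented connection parameters are present, and flags the combination the post shows (`-A` on the command line together with the startup message "command line overrides rules file alert plugin!"). All inputs below are constructed to mirror the post; the hostname and credentials are placeholders.

```python
import re
import shlex

# Constructed inputs modelled on the post (placeholder credentials and host).
SNORT_CONF = """\
# snort.conf excerpt (constructed)
output database: log, mysql, user=snort password=secret dbname=snort host=10.0.0.5 detail=full
"""
SNORT_CMDLINE = ("/usr/local/bin/snort -A fast -l /usr/local/var/log/snort-ext "
                 "-c /usr/local/share/snort/snort.conf -i xl0 -D")
MESSAGES = """\
Apr 28 14:08:11 sb_fw snort: telnet_decode arguments:
Apr 28 14:08:11 sb_fw snort: command line overrides rules file alert plugin!
"""
OVERRIDE_MSG = "command line overrides rules file alert plugin!"
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+):\s*(.*)$")


def parse_output_directives(conf_text):
    """Return (plugin, facility, backend, params) for each 'output' line."""
    found = []
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        plugin, rest = m.group(1), m.group(2)
        # database syntax: <facility>, <backend>, key=value key=value ...
        parts = [p.strip() for p in rest.split(",", 2)]
        facility = parts[0]
        backend = parts[1] if len(parts) > 1 else ""
        params = dict(kv.split("=", 1) for kv in parts[2].split()) if len(parts) > 2 else {}
        found.append((plugin, facility, backend, params))
    return found


def redact(params):
    """Copy of params safe to paste into a mailing-list post."""
    return {k: ("********" if k == "password" else v) for k, v in params.items()}


def check(conf_text, cmdline, messages):
    """List conditions worth checking when Snort runs but the database stays empty."""
    findings = []
    db = [d for d in parse_output_directives(conf_text) if d[0] == "database"]
    if not db:
        findings.append("no 'output database:' directive found")
    for _, facility, backend, params in db:
        missing = [k for k in ("user", "dbname", "host") if k not in params]
        if missing:
            findings.append(f"database ({facility}, {backend}) missing {missing}")
    if "-A" in shlex.split(cmdline) and OVERRIDE_MSG in messages:
        findings.append("-A given on command line and Snort logged: " + OVERRIDE_MSG)
    return findings
```

Run it against your own snort.conf, the exact command line you start Snort with, and the snort lines from /var/log/messages; an empty list means none of these three conditions applies.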
