[Snort-users] FW: Not logging to MYSQL

Jeremy Campbell jrcampbell at ...9062...
Tue Apr 29 05:20:27 EDT 2003


Found the problem,

Works fine when I leave out the "-A fast" in the command line...


-----Original Message-----
From: Jeremy Campbell 
Sent: Monday, April 28, 2003 2:25 PM
To: 'snort-users at lists.sourceforge.net'
Subject: Not logging to MYSQL


I'm having trouble getting Snort to log to MySQL.  I don't seem to be
getting any errors indicating why.  I'm running FreeBSD, installed Snort out
of the ports WITH_MYSQL=yes so the mysql client is installed.  MySQL client
works because I can type 'mysql -h database blah blah'

grep output /usr/local/share/snort/snort.conf

output database: log, mysql, user=******** password=******** dbname=snort host=*.*.*.* detail=full

Starting Snort with:

/usr/local/bin/snort -A fast -l /usr/local/var/log/snort-ext -c /usr/local/share/snort/snort.conf -i xl0 -D

Getting in /var/log/messages when I start snort:

Apr 28 14:08:11 sb_fw /kernel: xl0: promiscuous mode enabled
Apr 28 14:08:11 sb_fw snort: Initializing daemon mode
Apr 28 14:08:11 sb_fw snort: PID path stat checked out ok, PID path set to /var/run/
Apr 28 14:08:11 sb_fw snort: Writing PID "72238" to file "/var/run//snort_xl0.pid"
Apr 28 14:08:11 sb_fw snort: http_decode arguments:
Apr 28 14:08:11 sb_fw snort:     Unicode decoding
Apr 28 14:08:11 sb_fw snort:     IIS alternate Unicode decoding
Apr 28 14:08:11 sb_fw snort:     IIS double encoding vuln
Apr 28 14:08:11 sb_fw snort:     Flip backslash to slash
Apr 28 14:08:11 sb_fw snort:     Include additional whitespace separators
Apr 28 14:08:11 sb_fw snort:     Ports to decode http on: 80
Apr 28 14:08:11 sb_fw snort: rpc_decode arguments:
Apr 28 14:08:11 sb_fw snort:     Ports to decode RPC on: 111 32771
Apr 28 14:08:11 sb_fw snort:     alert_fragments: INACTIVE
Apr 28 14:08:11 sb_fw snort:     alert_large_fragments: ACTIVE
Apr 28 14:08:11 sb_fw snort: telnet_decode arguments:
Apr 28 14:08:11 sb_fw snort:     Ports to decode telnet on: 21 23 25 119
Apr 28 14:08:11 sb_fw snort: command line overrides rules file alert plugin!


Using tcpdump, I don't see any traffic to or from the SNORT box on the MYSQL
box; it's just not even trying to send anything out...

Snort does log to /usr/local/var/log/snort-ext/alert

Thanks,

Jeremy...
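The thread's resolution is that "-A fast" on the command line replaced the output plugin configured in snort.conf (Snort's own log line says so: "command line overrides rules file alert plugin!"). The following is an added example, not code from the Snort project or from the post: a small Python checker that parses the `output` directives of a snort.conf (including the `output database:` key=value form and backslash line continuations), flags alert switches on the command line that override them, and emits the corrected argv. The function names, the sample snort.conf excerpt and both command lines are constructed for this example; `-A` is the switch the thread confirms, and treating `-s` (syslog alerting) the same way is an assumption taken from the Snort 2 manual.

```python
"""Check a Snort 2.x snort.conf and command line for output-plugin overrides.

Added example; not code from the Snort project or from the original post.
Function names, the sample config and the sample command lines are
constructed for this example.
"""
import re
import shlex

# Constructed snort.conf excerpt modelled on the post (placeholder credentials).
SAMPLE_CONF = """\
# snort.conf excerpt, constructed for this example
var HOME_NET any
output database: log, mysql, user=snort password=secret dbname=snort \\
    host=10.0.0.5 detail=full
output alert_syslog: LOG_AUTH LOG_ALERT
include classification.config
"""

# The invocation from the post, and the same invocation with "-A fast" removed.
BROKEN_CMDLINE = ("/usr/local/bin/snort -A fast -l /usr/local/var/log/snort-ext "
                  "-c /usr/local/share/snort/snort.conf -i xl0 -D")
FIXED_CMDLINE = ("/usr/local/bin/snort -l /usr/local/var/log/snort-ext "
                 "-c /usr/local/share/snort/snort.conf -i xl0 -D")

# Command-line switches that select an alert output plugin and so replace the
# ones in snort.conf. -A is what the thread shows; -s (syslog alerting) is an
# assumption taken from the Snort 2 manual.
ALERT_SWITCHES = ("-A", "-s")


def parse_output_directives(conf_text):
    """Return one dict per 'output' directive, joining backslash-newline continuations."""
    joined = re.sub(r"\\\n\s*", " ", conf_text)
    directives = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line.startswith("output "):
            continue
        plugin, _, args = line[len("output "):].partition(":")
        entry = {"plugin": plugin.strip(), "args": args.strip()}
        if entry["plugin"] == "database":
            # database plugin syntax: <alert|log>, <db type>, key=value key=value ...
            fields = [f.strip() for f in entry["args"].split(",")]
            entry["facility"] = fields[0]
            entry["db_type"] = fields[1]
            entry["params"] = dict(kv.split("=", 1) for kv in " ".join(fields[2:]).split())
        directives.append(entry)
    return directives


def switch_names(argv):
    """Return the option letters present in argv, e.g. ['-A', '-l', '-c', '-i', '-D']."""
    return [a[:2] for a in argv[1:] if a.startswith("-") and len(a) >= 2]


def find_overrides(argv, directives):
    """Warnings for switches that make Snort ignore the output plugins in snort.conf."""
    warnings = []
    configured = [d["plugin"] for d in directives]
    clashing = [s for s in switch_names(argv) if s in ALERT_SWITCHES]
    if clashing and configured:
        warnings.append(
            "%s on the command line overrides output plugins from snort.conf (%s); "
            "Snort logs 'command line overrides rules file alert plugin!'"
            % (" ".join(clashing), ", ".join(configured)))
    return warnings


def strip_alert_overrides(argv):
    """Drop '-A <mode>' / '-Amode' and '-s' so the snort.conf output plugins take effect."""
    out, skip_next = [], False
    for a in argv:
        if skip_next:
            skip_next = False
            continue
        if a == "-A":
            skip_next = True        # the mode (fast, full, ...) is the next argument
            continue
        if a.startswith("-A") or a == "-s":
            continue                # fused form such as -Afast, or syslog alerting
        out.append(a)
    return out


def check_invocation(conf_text, cmdline):
    """Parse both inputs and return (warnings, corrected argv)."""
    directives = parse_output_directives(conf_text)
    argv = shlex.split(cmdline)
    return find_overrides(argv, directives), strip_alert_overrides(argv)


if __name__ == "__main__":
    warnings, fixed = check_invocation(SAMPLE_CONF, BROKEN_CMDLINE)
    for w in warnings:
        print("WARNING:", w)
    print("corrected command line:", " ".join(fixed))
```

Run it as-is and it reports the clash for the post's command line and prints the invocation with "-A fast" removed; point `check_invocation` at a real snort.conf and the actual rc.d command line to check a deployment before restarting the sensor.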