[Snort-users] [snort-mysql] logging OK to logfile, not to mysql database

Michel Christophe tofm2 at ...1855...
Thu Dec 4 02:07:01 EST 2003


On Thu 04/12/2003 at 06:33, Michael Steele wrote:
> Try manually running Snort with your existing run line but tag a -T to the
> end. This might give you what you need to know.
> 
> Also try a tcpdump on the port to make sure the alerts are actually getting
> to the database.
> 
> Cheers...
> 
> -The WINSNORT.com Management Team

Hello and thanks for the answers

The /etc/init.d/snortd command for starting snort in my distribution is
the following:

daemon /usr/sbin/snort -u snort -g snort -s -d -D -i eth0 -l
/var/log/snort -c /etc/snort/snort.conf

When I try launching it with the -T tag from the command line after I
stopped the currently running daemon, I get nothing at all, which seems
to suggest that my config is OK:

[root at ...10652... cm]# service snortd stop
Stopping snort:                                                 [  OK  ]

[root at ...10652... cm]# /usr/sbin/snort -u snort -g snort -s -d -D -i eth0 -l
/var/log/snort -c /etc/snort/snort.conf -T
[root at ...10652... cm]#

(Nothing)

[root at ...10652... cm]# ps -aux | grep snort
Warning: bad syntax, perhaps a bogus '-'? See
http://procps.sf.net/faq.html
root     16705  0.0  0.1  2020  760 pts/3    R    10:11   0:00 grep
snort
[root at ...10652... cm]#

and furthermore, no snort processes are currently loaded into memory (see
above).

What makes me think there is a problem is that I cannot find any lines
within /etc/snort/snort.conf relating to the logger process contained in
the snort-mysql rpm.
In fact, this rpm contains only one binary, called snort-mysql:

[root at ...10652... cm]# rpm -ql snort-mysql
/usr/sbin/snort-mysql

After I checked, I could find a link to /usr/sbin/snort-mysql called
/usr/sbin/snort

( /usr/sbin/snort points to /usr/sbin/snort-mysql)

Therefore the process launcher

daemon /usr/sbin/snort -u snort -g snort -s -d -D -i eth0
-l/var/log/snort -c /etc/snort/snort.conf 

from /etc/init.d/snortd points to /usr/sbin/snort-mysql.

So, in that case, why does nothing ever happen in my snort database???

I really cannot understand this.

I would like to give you some tcpdumps for better understanding, but to
do this I would need a little help (I am BAD at tcpdump).

My snort daemon is on the same machine as the MySQL server, so how can
I fiddle with the tcpdump options (port=3306 and interface=lo I presume, but
how would you configure tcpdump for such a task???)

I will perform an access to a forbidden directory on my Apache server
from the Internet for the tcpdump.

Thanks for help



thanks for clues



-- 
Michel Christophe <tofm2 at ...1855...>
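The thread turns on two checks the poster is doing by hand: whether /usr/sbin/snort really resolves to the snort-mysql binary, and whether snort.conf contains any database output directive at all. The script below is an added example (not code from the thread or from the Snort project) that automates both. It assumes the classic Snort 2.x plugin syntax `output database: log, mysql, user=... dbname=... host=...` and a constructed sample config in which the only database line is commented out, which produces exactly the symptom described: file logging works, nothing reaches MySQL.

```python
"""Diagnose why a Snort 2.x sensor logs to files but not to MySQL.

Added example, not code from the original thread. Assumes the Snort 2.x
output-plugin syntax
    output database: log, mysql, user=snort password=... dbname=snort host=localhost
and that /usr/sbin/snort may be a symlink to another binary (the poster
found it pointing at /usr/sbin/snort-mysql).
"""
import os
import re

# Constructed sample mirroring the poster's situation: the only database
# directive is commented out, so alerts only reach the file loggers.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
output alert_fast: alert
# output database: log, mysql, user=snort password=secret dbname=snort host=localhost
include classification.config
"""

# Matches "output database: <facility>, <backend>, <key=value ...>"
OUTPUT_RE = re.compile(r"^output\s+database\s*:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")


def find_database_outputs(conf_text):
    """Return (active, disabled) lists of 'output database' directives.

    Each entry is (facility, backend, params). Commented-out directives are
    reported separately so the check can say "present but disabled".
    """
    active, disabled = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        commented = line.startswith("#")
        if commented:
            line = line.lstrip("#").strip()
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        facility, backend, rest = m.groups()
        params = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
        (disabled if commented else active).append((facility, backend, params))
    return active, disabled


def resolve_binary(path):
    """Follow symlinks so the report shows which binary actually runs."""
    return os.path.realpath(path)


def diagnose(conf_text, snort_path="/usr/sbin/snort"):
    """Summarise the findings as a list of human-readable lines."""
    active, disabled = find_database_outputs(conf_text)
    lines = ["snort binary resolves to: %s" % resolve_binary(snort_path)]
    if active:
        for facility, backend, params in active:
            lines.append("database output ACTIVE: %s via %s -> %s@%s/%s" % (
                facility, backend, params.get("user", "?"),
                params.get("host", "?"), params.get("dbname", "?")))
    else:
        lines.append("no active 'output database' directive: "
                     "alerts will never reach MySQL")
    for facility, backend, params in disabled:
        lines.append("found commented-out database output (%s, %s); "
                     "enable it and restart snort" % (facility, backend))
    return lines


if __name__ == "__main__":
    # Read the real config when present; otherwise use the constructed sample.
    try:
        with open("/etc/snort/snort.conf") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_CONF
    print("\n".join(diagnose(text)))
```

Two points worth keeping in mind when reading the report against the thread: `snort -T` only tests the configuration and then exits, so finding no snort process afterwards is expected rather than a symptom; and on a sensor that shares a host with MySQL, `tcpdump -i lo -n port 3306` is the capture that shows whether the database plugin ever opens a connection. If the config has no active `output database` line, that capture will stay empty no matter which binary /usr/sbin/snort points to.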

