[Snort-users] preprocessor not logging into DB [SOLVED]

Federico Lombardo egopfe at ...125...
Thu Jan 16 06:26:03 EST 2003


It was stupid and simple to solve my problem;

Just insert:

output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0

without any ruletype declaration.

Thanks :-*


----- Original Message -----
From: "Federico Lombardo" <egopfe at ...125...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, January 16, 2003 12:53 PM
Subject: [Snort-users] preprocessor not logging into DB


> Using snort 1.9.0 build 209 on a slackware 8.1 linux.
>
> Starting snort with: ./bin/snort -g snort -u snort -o -t /usr/snorteth0 -c
> ./ect/snort.conf -p -i eth0
>
>
>
> From my snort.conf:
>
>
>
> include ../rules/classification.config
>
> include ../rules/reference.config
>
>
>
> preprocessor http_decode: 80 443 3128 8080 unicode iis_alt_unicode
> double_encode iis_flip_slash full_whitespace
>
> preprocessor frag2: 16777216, 30
>
> preprocessor stream4: memcap 16777216, detect_state_problems
>
> preprocessor stream4_reassemble: serveronly 21 23 25 53 80 110 111 143 443
> 513 1433 2138 2255 5631 8080
>
> preprocessor rpc_decode: 111
>
> preprocessor bo: -nobrute
>
> var HOME_NET [81.113.172.0/27]
>
> preprocessor portscan: $HOME_NET 4 3 portscan.log
>
> preprocessor portscan-ignorehosts: 212.17.192.49 194.247.160.6 212.17.192.49
> 194.73.95.85 198.41.0.10 212.216.112.112 212.245.255.2 194.20.8.4
>
> # spade
>
> # arpspoof
>
> preprocessor arpspoof
>
> preprocessor telnet_decode
>
> #  LOGGING
>
>
>
> Various Variables Here
>
> ...
>
> ...
>
>
>
> ruletype clear
>
>  {
>
>    type pass output
>
>    output database: alert, mysql, user=snort dbname=snort_alert
> host=192.168.0.2 password= sensor_name=fwint0
>
> detail=full
>
>  }
>
>
>
> ruletype normal
>
>  {
>
>    type alert output
>
>    output database: alert, mysql, user=snort dbname=snort_alert
> host=192.168.0.2 password= sensor_name=fwint0
>
> detail=full
>
>  }
>
>
>
>
>
> ruletype redalert
>
>  {
>
>    type alert output
>
>    output database: alert, mysql, user=snort dbname=snort_alert
> host=192.168.0.2 password= sensor_name=fwint0
>
> detail=full
>
>    output trap_snmp: alert, 4, inform -v 2c -p 163 192.168.0.3 public
>
>  }
>
> ruletype archivio
>
>  {
>
>    type log output
>
>    output database: log, mysql, user=snort dbname=snort_log host=192.168.0.2
> password= sensor_name=fwint0 detail=full
>
> }
>
>
>
>
>
> As you can see, I use the "alert" facility in the database ruletype
> declaration.
>
> The problem is that snort continues to log preprocessor alerts into the
> /var/log/snort/alerts file!!!!
>
>
>
> I've realized that rules declared with ruleaction "alert" are also logged
> into the file and not in the database. I think it is better to create a
> ruletype called "alert" to log all of these into the dataset, but the alert
> ruletype is always already declared!
>
>
>
> How to solve these problems ??
>
>
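The pitfall in this thread is easy to reintroduce: `output database: alert, ...` was declared only inside custom `ruletype` blocks, so preprocessor alerts and rules using the built-in `alert` action kept going to the default alert file until a top-level `output database:` line was added. The following is an added example, not code from the thread or from the Snort project: a small linter that walks a snort.conf, records which output plugins are declared globally versus inside each `ruletype`, and warns when `database/alert` exists only in ruletype scope. The two config fragments are constructed for the example (the hostnames, credentials and ruletype names mirror the thread; `192.0.2.0/27` is a documentation range substituted for the poster's real HOME_NET).

```python
import re
from typing import Dict, List

# Constructed snort.conf fragment modelled on the thread's first post:
# every "output database: alert" lives inside a custom ruletype block,
# and there is no top-level output plugin at all.
CONF_RULETYPES_ONLY = """\
preprocessor http_decode: 80 443 3128 8080 unicode iis_alt_unicode
preprocessor portscan: $HOME_NET 4 3 portscan.log
var HOME_NET [192.0.2.0/27]

ruletype clear
{
   type pass output
   output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0 detail=full
}

ruletype normal
{
   type alert output
   output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0 detail=full
}
"""

# The same fragment plus the one top-level line the thread found was missing.
CONF_FIXED = CONF_RULETYPES_ONLY + """
output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0
"""

RULETYPE_RE = re.compile(r"^\s*ruletype\s+(\S+)")
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(\w+)")


def collect_outputs(conf: str) -> Dict[str, List[str]]:
    """Map "<global>" and each ruletype name to the output plugins declared there.

    Each entry is "plugin/facility", e.g. "database/alert". Lines ending in a
    backslash are joined first, since Snort allows that continuation.
    """
    joined = conf.replace("\\\n", " ")
    scope = "<global>"
    outputs: Dict[str, List[str]] = {"<global>": []}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = RULETYPE_RE.match(line)
        if m:
            # Entering "ruletype NAME { ... }": outputs until "}" belong to NAME.
            scope = m.group(1)
            outputs.setdefault(scope, [])
            continue
        if line == "}":
            scope = "<global>"
            continue
        m = OUTPUT_RE.match(line)
        if m:
            outputs[scope].append(f"{m.group(1)}/{m.group(2)}")
    return outputs


def alert_output_gaps(conf: str) -> List[str]:
    """Return warnings for the misconfiguration described in the thread.

    Snort 1.9 sends preprocessor alerts and rules with the built-in 'alert'
    action to the global output plugins; plugins inside a custom ruletype only
    receive rules whose action is that ruletype.
    """
    outputs = collect_outputs(conf)
    warnings: List[str] = []
    scoped = sorted(name for name, plugs in outputs.items()
                    if name != "<global>" and "database/alert" in plugs)
    if scoped and "database/alert" not in outputs["<global>"]:
        warnings.append(
            "database/alert is declared only inside ruletype(s) "
            + ", ".join(scoped)
            + "; preprocessor alerts and built-in 'alert' rules will still go "
              "to the default alert file. Add a top-level 'output database: alert, ...'."
        )
    return warnings


if __name__ == "__main__":
    for label, conf in (("ruletypes only", CONF_RULETYPES_ONLY), ("fixed", CONF_FIXED)):
        print(f"[{label}] {collect_outputs(conf)}")
        for w in alert_output_gaps(conf):
            print(f"  WARNING: {w}")
```

Run it against a real snort.conf by passing the file contents to `alert_output_gaps`; an empty list means a global `database/alert` plugin is present, so the alerts the thread was losing to the flat file have a database destination.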