FW: [Snort-users] Beginner Help...

support at ...9768... support at ...9768...
Thu Jul 31 19:18:03 EDT 2003


 

I've set up 3 boxes in 10 days using that acid/rh9.0 howto (my first 3), and
each time the same thing happened to me.  Check your MySQL snort dbase, and
the table called 'events': if (after running Nessus/NMAP at your sensor) the
table's empty, it's that snort isn't writing to the dbase (this was the
case for me).
    I double-checked everything to no avail (I did have a MySQL user named
snort who has/had INSERT rights like the howto said...).
 
As a work-around: in the snort.conf file, if I switch the MySQL user to
'root' instead of 'snort', then snort can write to MySQL, and ACID has
some data to display.
 
OT: how big a security issue is this?
 
Fernando

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Stevo
Sent: Thursday, July 31, 2003 5:50 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Beginner Help...


Hey All,
 
Sorry for the stupid questions... and I have RTFM'ed, but I just need some
quick answers!!
 
I've got Snort set up as per the http://www.snort.org/docs/snort_acid_rh9.pdf
instructions... but I don't see any alerts at all in ACID.
 
I have 2 interfaces in my Snort box, one for management and one for
sniffing.  The sniffer interface is connected to a switch (Cat4006) and I'm
spanning our uplink port to the sniffer interface.  I know that's working
because if I do a tcpdump -i eth1 (the sniffer interface) I see ALL the
traffic from our network...
 
Snort is running and supposedly logging to my MySQL db - should I see the
number of records increasing in a certain table to make sure the data is in
fact being logged there successfully??  I've been using Retina to scan my
network to attempt to generate alerts, but that hasn't worked.  Is there
another tool I could use to generate "naughty" traffic??
 
Does anyone have anything else I can check??
 
Thanks
 
Stevo
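
Added example, not part of either message or of the howto: a Python check that reads the `output database` lines of a snort.conf and flags a sensor that logs in to MySQL as an administrative account, as in the 'root' work-around described above. The sample configuration, the `ADMIN_USERS` set and the function names are constructed for illustration.

```python
import re

# Constructed snort.conf excerpt (sample input, not from the original thread).
SAMPLE_CONF = """\
# output database: log, mysql, user=snort password=old dbname=snort host=localhost
output database: log, mysql, user=root password=CHANGEME dbname=snort host=localhost
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost
output alert_syslog: LOG_AUTH LOG_ALERT
"""

# Accounts treated as administrative (assumption; extend for your site).
ADMIN_USERS = {"root", "admin", "mysql"}

# output database: <facility>, <dbtype>, key=value key=value ...
LINE_RE = re.compile(r"^\s*output\s+database\s*:\s*(\w+)\s*,\s*(\w+)\s*,?\s*(.*)$")


def parse_db_outputs(conf_text):
    """Return one dict per active (uncommented) 'output database' line."""
    outputs = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directive
        m = LINE_RE.match(line)
        if not m:
            continue  # some other directive
        facility, dbtype, rest = m.groups()
        params = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        outputs.append({"line": lineno, "facility": facility,
                        "dbtype": dbtype.lower(), **params})
    return outputs


def audit(conf_text):
    """Return (line, message) findings for risky database output settings."""
    findings = []
    for out in parse_db_outputs(conf_text):
        user = out.get("user", "")
        if not user:
            findings.append((out["line"], "no user= set on database output"))
        elif user.lower() in ADMIN_USERS:
            findings.append((out["line"], "sensor logs in to %s as "
                             "administrative user '%s'" % (out["dbtype"], user)))
    return findings


if __name__ == "__main__":
    for lineno, msg in audit(SAMPLE_CONF):
        print("snort.conf:%d: %s" % (lineno, msg))
```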
 
