[Snort-users] snort will not log to mysql

Hans Steinraht hsteinraht at ...9358...
Wed Jun 4 23:50:02 EDT 2003


This works, thanks.

One little question: in ACID the bar for Portscan Traffic keeps the value 0%,
but when I click on it the scans are reported there.
Any idea how that comes?

Hans


On Wed, Jun 04, 2003 at 07:48:07AM -0500, Bamm Visscher wrote:
> The portscan preprocs call the 'alert' function, not the 'log' function. Change your config so that the database output plugin attaches to the 'alert' facility:
> 
>    output database: alert, mysql, user=snort password=snort dbname=snort host=localhost
> 
> Bamm
> 
> On Tue, Jun 03, 2003 at 03:42:48PM +0200, Hans Steinraht wrote:
> > 
> > -- 
> > Hi,
> > 
> > I've just started playing with snort (version 2.0.0-3.1) on Linux Debian.
> > 
> > When I add some rules like these in local.rules:
> >   #alert ip any any -> any any (msg:"Got an IP packet";)
> >   #alert tcp any any -> any any (msg:"Got an TCP packet";)
> >   #alert udp any any -> any any (msg:"Got an UDP packet";)
> >   #alert icmp any any -> any any (msg:"Got an ICMP packet";)
> > 
> > all kinds of data are inserted in mysql.
> > 
> > 
> > When I remove the rules and do a scan to the firewall computer in our
> > network I see entries like "[**] [117:1:1] (spp_portscan2) Portscan detected ....." in my alert.log
> > and in the portscan2.log, but nothing goes to mysql.
> > 
> > The snort.conf file I have looks like this:
> > 
> >   output database: log, mysql, user=snort password=snort dbname=snort host=localhost
> > 
> >   preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60, log portscan2.log
> > 
> > When I remove the option log from preprocessor portscan2 it's going to log to
> > scan.log, but still not to mysql.
> > 
> > Does anyone have some advice for me on this?
> > 
> > thanks,
> > Hans
> >

-- 
_________________________
Hans Steinraht
Openlot
Wibautstraat 3
1091 GH Amsterdam
The Netherlands
hsteinraht at ...9358...
Phone:   +3120 596 1840
Fax:     +3120 596 3162
www.openlot.com
_________________________
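
The mismatch resolved in this thread (a portscan preprocessor raising events through 'alert' while the database output plugin is attached to 'log') can be checked for mechanically. The following is an added example, not part of the original messages or of Snort itself; the function names are hypothetical, the sample configs are constructed from the two quoted in the thread, and treating both `portscan` and `portscan2` as the "portscan preprocs" is an assumption.

```python
import re

# Assumption: the "portscan preprocs" the reply refers to are these two names.
ALERT_PREPROCS = {"portscan", "portscan2"}

def logical_lines(text):
    """Drop '#' comments and join lines that end in a backslash continuation."""
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if line:
            yield line

def check(text):
    """Return one finding per portscan preprocessor whose events would miss the database."""
    facilities, preprocs = set(), set()
    for line in logical_lines(text):
        out = re.match(r"output\s+database\s*:\s*(\w+)\s*,", line)
        pre = re.match(r"preprocessor\s+(\w+)", line)
        if out:
            facilities.add(out.group(1).lower())
        elif pre:
            preprocs.add(pre.group(1).lower())
    # Nothing to report without a database output, or when one is on 'alert'.
    if not facilities or "alert" in facilities:
        return []
    return [f"{name}: raises events via 'alert', database output only on {sorted(facilities)}"
            for name in sorted(preprocs & ALERT_PREPROCS)]

# Constructed from the two configurations quoted in the thread.
BEFORE = """\
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, \\
    port_limit 20, timeout 60, log portscan2.log
"""
AFTER = BEFORE.replace("database: log,", "database: alert,")

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, check(conf) or "ok")
```
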




