[Snort-users] DB Problem (long lines)

Jan Gruber jan.gruber at ...9200...
Fri May 16 03:26:06 EDT 2003


Hi!

I'm nearly at the point to bang my head against the wall.
Hopefully somebody can prevent that.

I get alerts logged into syslog, but not into mysql

The snort user has all needed perms in the db, I tested it from the mysql console. 
He can insert, delete, create, update, index etc. in the snort db.
INSERT INTO event ....  works ok from the commandline.

* Config:

FreeBSD 4.8

Snort 2.0.0 (plain source or patched for port-build, makes no difference)
- compiled with mysql-support, double checked that
- snort conf output plugins
 output database: alert, mysql, user=snortuser password=snortpasswd dbname=snort host=localhost sensor_name=sensor
 output alert_syslog: LOG_AUTH LOG_ALERT

mysql Ver 3.23.55 for portbld-freebsd4.8

snort cmdline:
/usr/local/bin/snort -u snort -g snort -D -I -i dc0 -N -c /usr/local/etc/snort/snort.conf


mysql log on snort startup:
030516 10:57:11      14 Connect     snort at ...274... on snort
                     14 Query       SELECT sid FROM sensor WHERE hostname = 'xxx.xxx.xxx.xxx' AND interface = 'fxp0' AND detail = '1' AND encoding = '0' AND filter IS NULL
                     14 Query       SELECT last_cid FROM sensor WHERE sid = '5'
                     14 Query       SELECT MAX(cid) FROM event WHERE sid = '5'
                     14 Query       SELECT vseq FROM schema
030516 10:57:12      15 Connect     snort at ...274... on snort
                     15 Query       SELECT sid FROM sensor WHERE hostname = 'xxx.xxxxxxxx.xxx:dc0' AND interface = 'dc0' AND detail = '1' AND encoding = '0' AND filter IS NULL
                     15 Query       SELECT last_cid FROM sensor WHERE sid = '1'
                     15 Query       SELECT MAX(cid) FROM event WHERE sid = '1'
                     15 Query       SELECT vseq FROM schema
030516 10:57:13      16 Connect     snort at ...274... on snort
                     16 Query       SELECT sid FROM sensor WHERE hostname = 'xxx.xxxxxxxx.xxx:dc1' AND interface = 'dc1' AND detail = '1' AND encoding = '0' AND filter IS NULL
                     16 Query       SELECT last_cid FROM sensor WHERE sid = '2'
                     16 Query       SELECT MAX(cid) FROM event WHERE sid = '2'
                     16 Query       SELECT vseq FROM schema

Obviously mysql connect is ok, but no alerts get logged into the database.
Any hint is appreciated.

TIA
Jan
-- 
Jan Gruber              Primacom AG
Central Systems

Office: +49 (341) 609 524 53
Fax:	+49 (341) 609 525 17

cat /dev/world | perl -e "while (<>) {(/(^.*?\?) 42\!/) && (print $1)}"
errors->(c)
- 
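A small triage helper, added here and not part of Jan's post or of Snort itself: it parses lines in the MySQL 3.23 query-log format quoted above, groups them by connection id, and reports sensor connections that ran the startup SELECTs against sensor/event/schema but never issued an INSERT INTO event, which is exactly the symptom described. The log sample is constructed for the example; the hostname, the INSERT column list and the connection ids are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the MySQL general query log shown in the post:
# optional "YYMMDD HH:MM:SS" timestamp, connection id, command, argument.
SAMPLE_LOG = """\
030516 10:57:12      15 Connect     snort@localhost on snort
                     15 Query       SELECT sid FROM sensor WHERE hostname = 'host:dc0' AND interface = 'dc0' AND detail = '1' AND encoding = '0' AND filter IS NULL
                     15 Query       SELECT last_cid FROM sensor WHERE sid = '1'
                     15 Query       SELECT MAX(cid) FROM event WHERE sid = '1'
                     15 Query       SELECT vseq FROM schema
030516 10:58:01      17 Connect     snort@localhost on snort
                     17 Query       SELECT sid FROM sensor WHERE hostname = 'host:dc1' AND interface = 'dc1' AND detail = '1' AND encoding = '0' AND filter IS NULL
                     17 Query       INSERT INTO event (sid, cid, signature, timestamp) VALUES ('2', '1', '1', '2003-05-16 10:58:01')
"""

# Timestamp is only printed on the first line of each second, so it is optional.
LINE_RE = re.compile(r"^(?:\d{6} \d{2}:\d{2}:\d{2})?\s+(\d+)\s+(\w+)\s+(.*)$")


def parse_log(text):
    """Group log entries by connection id -> list of (command, argument)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[int(m.group(1))].append((m.group(2), m.group(3).strip()))
    return sessions


def classify(sessions):
    """Per connection: did the sensor registration run, and how many events were inserted?"""
    report = {}
    for conn, entries in sessions.items():
        queries = [arg.upper() for cmd, arg in entries if cmd == "Query"]
        handshake = any(q.startswith("SELECT SID FROM SENSOR") for q in queries)
        inserts = sum(1 for q in queries if q.startswith("INSERT INTO EVENT"))
        report[conn] = {"handshake": handshake, "event_inserts": inserts}
    return report


def idle_sensors(report):
    """Connection ids that registered a sensor but never inserted a single event."""
    return sorted(c for c, r in report.items() if r["handshake"] and r["event_inserts"] == 0)


if __name__ == "__main__":
    summary = classify(parse_log(SAMPLE_LOG))
    print("sensor connections with no event inserts:", idle_sensors(summary))
```

Run it against the real log (e.g. read the file instead of SAMPLE_LOG) after letting snort run for a while; a connection that appears only in the idle list confirms that the plugin connects and registers but never writes alerts.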