[Snort-users] Arrrghhh!!...help..me...

Erek Adams erek at ...950...
Thu May 29 07:03:09 EDT 2003


On Wed, 28 May 2003, Tim wrote:

> Frustration has set in and the answer is probably under my nose and I
> can't see it. I really need for someone to please point it out for me.
>
> I'm not new to snort or configuring ACID, MySQL with its accompanying
> programs in order to help view alerts in ACID.....ie., gd, php,
> phplot..etc. JPgraph is new and I haven't had a chance to play with
> it...yet..
>
> First, I'm running RH 7.3 completely updated through the RHN on two
> machines...hardware is exactly the same on both machines....plenty of
> processing power and memory......500mhz/256 MB and a 9GB IDE drive.
> Plenty for my little home-network-lab. The firewall is Iptables latest
> version on a separate machine with the same (3 NICs) hardware, totally
> setup and functional.
>
> On the snort (Version 2.0) machine I have 4 NICs one for management and
> the other three for the sensors.

[...snip...]

> This should be enough for me to be able to start snort and log alerts to
> the database and view them with ACID or at least I thought so. It seems
> that the sensors are being inserted to the mysql database, however they
> are not viewable through ACID and snort is not logging alerts to the
> database.....even though it does capture packets and they are viewable
> real time through the output on screen...no error messages from anywhere
> that I have been able to see so far ("tail -100 /var/log/messages"). I
> know, I know, switch from log to alert in the output database line, but
> I have done that to no avail. Snort fires up correctly and the fact that
> the sensors are being inserted into the database shows me that there is
> connectivity with the MySQL snort database...I'm at a loss. Any help
> will be gratefully appreciated. I have re-installed the system twice now
> and am on the brink of sheer frustration ... The funny thing is that I
> have installed the Snort/ACID IDS system prior to snort 2.0 with not much
> trouble on numerous occasions.

Ok, so check your DB.  Log in to MySQL and do a 'select * from sid' and
see what you get.  If you get anything, then Snort is sending the data to
the DB.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
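The check Erek suggests (query the database directly rather than trusting ACID) can be taken one step further: compare what is in the sensor table with what is in the event table, per sensor, which separates "the output plugin connected" from "the output plugin is writing alerts". The script below is an added example, not code from the thread or from the Snort project. It assumes the two tables follow the Snort create_mysql schema (sensor.sid, event.sid/cid/timestamp), and it builds an in-memory SQLite copy with constructed rows so it runs offline; against a real snort database you would pass a MySQL DB-API connection to diagnose() instead.

```python
"""Diagnose the symptom from the thread: sensor rows exist, alerts do not.

Added example (not from the mailing-list post).  Assumes the sensor and
event tables are shaped like the Snort create_mysql schema; all rows
below are constructed test data.
"""
import sqlite3

# Minimal subset of the assumed Snort schema: enough columns to join on.
SCHEMA = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY,
    hostname  TEXT,
    interface TEXT,
    filter    TEXT,
    detail    INTEGER,
    encoding  INTEGER,
    last_cid  INTEGER
);
CREATE TABLE event (
    sid       INTEGER,
    cid       INTEGER,
    signature INTEGER,
    timestamp TEXT,
    PRIMARY KEY (sid, cid)
);
"""


def constructed_db(event_rows):
    """Build an in-memory database mimicking the poster's box: three
    sensor interfaces registered, plus whatever event rows are given.
    Constructed data, not taken from any real deployment."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    sensors = [
        (1, "snortbox", "eth1", "", 1, 0, 0),
        (2, "snortbox", "eth2", "", 1, 0, 0),
        (3, "snortbox", "eth3", "", 1, 0, 0),
    ]
    conn.executemany("INSERT INTO sensor VALUES (?,?,?,?,?,?,?)", sensors)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", event_rows)
    conn.commit()
    return conn


def diagnose(conn):
    """Return {sid: (hostname, interface, event_count, last_timestamp)}.

    LEFT JOIN keeps sensors that have no events at all; a count of 0 means
    the output plugin reached the database and registered itself but has
    never written an alert, which is the state described in the thread."""
    cur = conn.cursor()
    cur.execute(
        """
        SELECT s.sid, s.hostname, s.interface,
               COUNT(e.cid), MAX(e.timestamp)
        FROM sensor s
        LEFT JOIN event e ON e.sid = s.sid
        GROUP BY s.sid, s.hostname, s.interface
        ORDER BY s.sid
        """
    )
    return {sid: (host, iface, n, last) for sid, host, iface, n, last in cur}


def silent_sensors(conn):
    """sids that are registered in sensor but have zero rows in event."""
    return [sid for sid, (_, _, n, _) in diagnose(conn).items() if n == 0]


if __name__ == "__main__":
    # Constructed scenario: only the eth1 sensor has ever logged an alert.
    db = constructed_db([(1, 1, 100, "2003-05-28 10:00:00")])
    for sid, (host, iface, n, last) in diagnose(db).items():
        print(f"sid={sid} {host}/{iface}: {n} events, last={last}")
    print("registered sensors with no alerts:", silent_sensors(db))
```

If every sensor comes back silent while Snort is visibly alerting on screen, the problem is on the output-plugin side (the output database line, permissions on the event tables, or the alert/log facility choice), not on the ACID side; if events are present but ACID shows nothing, look at ACID's configuration instead.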
