[Snort-users] Arrrghhh!!...help..me...

Jason Boykin getmesecure at ...131...
Thu May 29 08:24:05 EDT 2003

--- Erek Adams <erek at ...950...> wrote:
> On Wed, 28 May 2003, Tim wrote:
> > Frustration has set in and the answer is probably under my nose and
> > I can't see it. I really need for someone to please point it out for me.
> >
> > I'm not new to snort or configuring ACID, MySQL with its accompanying
> > programs in order to help view alerts in ACID.....ie., gd, php,
> > phplot..etc. JPgraph is new and I haven't had a chance to play with
> > it...yet..
> >
> > First, I'm running RH 7.3 completely updated through the RHN on two
> > machines...hardware is exactly the same on both machines....plenty of
> > processing power and memory......500mhz/256 MB and a 9GB IDE drive.
> > Plenty for my little home-network-lab. The firewall is Iptables latest
> > version on a separate machine with the same (3 NICs) hardware, totally
> > set up and functional.
> >
> > On the snort (Version 2.0) machine I have 4 NICs, one for management and
> > the other three for the sensors.
> [...snip...]
> > This should be enough for me to be able to start snort and log alerts to
> > the database and view them with ACID, or at least I thought so. It seems
> > that the sensors are being inserted into the mysql database, however they
> > are not viewable through ACID and snort is not logging alerts to the
> > database.....even though it does capture packets and they are viewable real
> > time through the output on screen...no error messages from anywhere that
> > I have been able to see so far ("tail -100 /var/log/messages"). I know,
> > I know, switch from log to alert in the output database line, but I have
> > done that to no avail. Snort fires up correctly and the fact that the
> > sensors are being inserted into the database shows me that there is
> > connectivity with the MySQL snort database...I'm at a loss. Any help
> > will be gratefully appreciated. I have re-installed the system twice now
> > and am on the brink of sheer frustration ... The funny thing is that I have
> > installed the Snort/ACID IDS system prior to snort 2.0 with not much
> > trouble on numerous occasions.

I set up snort to log to postgres but I found that if
I set the "alert_port" in acid_conf.php to 5432
acid wouldn't connect to the database.  If I left it
blank it worked fine.

Check your database to see if snort is logging to it.
If not, run snort from the command line like you normally
would, minus -D (daemon mode), and put a -T at the end
of it.  This will have snort start up, then stop and
give you some diagnostic info.  It will tell you if
snort is able to connect or not.  If it is connecting
then that's good.

Mine was connecting but not logging.  It turned out it
would not log using -A fast.  Also check for a line
that looks like this:

output database: log, mysql, user=root password=test dbname=db host=localhost

and set it up for your server.

Here's what I used for postgres:

output database: alert, postgresql, dbname=xxx user=xxx password=xxx host=localhost port=5432

Hope this helps.  I spent a lot of time trying to get
it working because of 2 small problems.  Good luck.
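As an added example (not code from the thread or from the Snort project), the following script parses the "output database:" directive discussed above and flags the two pitfalls the thread raises: a "log" mode where "alert" is wanted and a missing connection parameter; the sample snort.conf excerpt is constructed, and the least-privilege check on user=root is my own addition.

```python
import re
from typing import Dict, List

# Constructed snort.conf excerpt (sample input, not taken from the original post).
SAMPLE_CONF = """\
# constructed snort.conf excerpt
output database: log, mysql, user=root password=test dbname=db host=localhost
output database: alert, postgresql, dbname=snort user=snort password=xxx host=localhost port=5432
output alert_fast: alert.fast
"""

# Directive shape discussed in the thread: output database: <alert|log>, <plugin>, key=value ...
OUTPUT_DB_RE = re.compile(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")


def parse_output_database(line: str) -> Dict[str, object]:
    """Split one 'output database:' directive into mode, plugin and key=value parameters."""
    match = OUTPUT_DB_RE.match(line)
    if not match:
        raise ValueError("not an output database directive: %r" % line)
    mode, plugin, rest = match.groups()
    params = {}
    for token in rest.split():
        if "=" not in token:
            raise ValueError("malformed parameter %r in %r" % (token, line))
        key, value = token.split("=", 1)
        params[key] = value
    return {"mode": mode, "plugin": plugin, "params": params}


def check_output_database(cfg: Dict[str, object]) -> List[str]:
    """Return the problems the thread points at; an empty list means the line looks usable."""
    problems = []
    if cfg["mode"] != "alert":
        problems.append("mode is '%s'; the thread advises 'alert' so alerts are written" % cfg["mode"])
    for required in ("dbname", "user", "host"):
        if required not in cfg["params"]:
            problems.append("missing %s= parameter" % required)
    if cfg["params"].get("user") == "root":
        problems.append("user=root: a dedicated, least-privilege database account is safer")
    return problems


def audit_conf(text: str) -> Dict[int, List[str]]:
    """Audit every output database line in a snort.conf; keys are 1-based line numbers."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("output database:"):
            report[number] = check_output_database(parse_output_database(line))
    return report


if __name__ == "__main__":
    for number, problems in audit_conf(SAMPLE_CONF).items():
        print(number, problems or ["ok"])
```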

