[Snort-users] (no subject)

Brian Gregorcy bgregor at ...9225...
Fri May 30 07:52:07 EDT 2003


Are there alerts that are being thrown?  Snort does not have rules in its
local.rules file, so if you are local to the snort machine then there will
not be any alerts/logging to be done.  You can add this line to the local.rules
file to see:

alert ip !$HOME_NET any -> $HOME_NET any (msg:"LOCAL TEST"; sid:1000001; rev:1;)

good luck
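
An added example (not Snort's parser and not code from the posts above) that checks a rule line the way Snort reads it: header first, then the option block split on ';' and each option on its first ':'. It shows why an option written without the colon, `msg "LOCAL TEST"`, is rejected as an unknown keyword rather than producing the test alert. The keyword sets are a small subset of Snort's, chosen for rules of the kind used for a local logging test; the sid value in the fixed rule follows the convention that site-local rules use sids from 1000000 up.

```python
"""Validator for the header and option syntax of a Snort 2.x rule line.

Added example; not Snort's parser and not from the original post. It
mirrors the two steps Snort takes when it reads a rule: split the header
into action, protocol, source, source port, direction, destination and
destination port, then split the option block on ';' and each option on
its first ':'. An option with no ':' is taken as a bare keyword, which is
why `(msg "LOCAL TEST";)` fails as an unknown keyword instead of alerting.
"""
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
# Options that take a value after ':' (subset of Snort's keyword list).
VALUE_KEYWORDS = {"msg", "sid", "rev", "content", "classtype", "priority",
                  "reference", "flow", "flags", "dsize", "ttl", "itype", "icode"}
# Options Snort accepts with no value.
BARE_KEYWORDS = {"nocase", "sameip", "rawbytes"}

HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(opts):
    """Split an option block on ';' while ignoring ';' inside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def validate_rule(rule):
    """Return the list of syntax problems in `rule`; an empty list means it parses."""
    m = HEADER_RE.match(rule)
    if m is None:
        return ["header is not 'action proto src sport dir dst dport (options)'"]
    problems = []
    if m["action"] not in ACTIONS:
        problems.append("unknown action %r" % m["action"])
    if m["proto"] not in PROTOCOLS:
        problems.append("unknown protocol %r" % m["proto"])
    for opt in split_options(m["opts"]):
        key, sep, value = opt.partition(":")
        key = key.strip()
        if not sep:
            # Snort treats everything up to ';' as the keyword name.
            if key not in BARE_KEYWORDS:
                problems.append("unknown keyword %r (missing ':' after the option name?)" % key)
        elif key not in VALUE_KEYWORDS:
            problems.append("unknown keyword %r" % key)
        elif not value.strip():
            problems.append("empty value for %r" % key)
    return problems


# The rule as it was posted, and the same rule with the ':' Snort requires
# after msg plus a sid/rev in the local range (sid >= 1000000 is the
# convention for site-local rules).
POSTED_RULE = 'alert ip !$HOME_NET any -> $HOME_NET any (msg "LOCAL TEST";)'
FIXED_RULE = 'alert ip !$HOME_NET any -> $HOME_NET any (msg:"LOCAL TEST"; sid:1000001; rev:1;)'

if __name__ == "__main__":
    for rule in (POSTED_RULE, FIXED_RULE):
        print(rule)
        for problem in validate_rule(rule) or ["ok"]:
            print("   ", problem)
```

Run it on a local.rules file line by line before restarting Snort; a rule that fails here is one Snort will refuse at startup, and no alert from it will ever reach the log directory or the database.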

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Robin Johnson
Sent: Friday, May 30, 2003 8:12 AM
To: Robin Johnson; 'Patrick S. Harper'
Cc: 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] (no subject)


This is what I'm getting from 127.0.0.1/acid_main.php
Added 0 alert(s) to the Alert cache

Queried on : Fri May 30, 2003 15:08:37
Database: snort at ...274...    (schema version: 0)
Time window: no alerts detected Sensors: 0
Unique Alerts: 0
Total Number of Alerts: 0
Source IP addresses: 0
Dest. IP addresses: 0
Unique IP links 0

Source Ports: 0
TCP ( 0)  UDP ( 0)
Dest. Ports: 0
TCP ( 0)  UDP ( 0)
Traffic Profile by Protocol
TCP (0%)
UDP (0%)
ICMP (0%)
Portscan Traffic (0%)


-----Original Message-----
From: Robin Johnson
Sent: 30 May 2003 15:11
To: 'Patrick S. Harper'; Robin Johnson
Cc: 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] (no subject)


Yep
In my snort.conf I have this entry
output database: log, mysql, dbname=snort user=snort host=localhost password=abc

In the sql database I have the following
+-----------------+
| Tables_in_snort |
+-----------------+
| acid_ag         |
| acid_ag_alert   |
| acid_event      |
| acid_ip_cache   |
| event           |
| icmphdr         |
| iphdr           |
| sensor          |
| snort           |
| tcphdr          |
| udphdr          |
+-----------------+

When I run snort from the command line to /var/log/snort it works every time!
But I can't get it to log to the database.
Any ideas??
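
An added example (not Snort's or ACID's code, and not from any of the messages in this thread) that does offline the two checks one would otherwise do by hand before blaming the database plugin: it parses the `output database:` line(s) of snort.conf into facility, backend and connection parameters, and it compares a `SHOW TABLES` listing with the table set created by the contrib/create_mysql script shipped with Snort 2.0. That expected-table list is written from memory of the script and is an assumption of this example; compare it with the create_mysql file of the Snort version actually installed. The sample conf and the table listing are constructed from what Rob posted. On that listing the check reports `schema` and `signature` (among others) as missing and `snort` as a table the script never creates, which is consistent with the `schema version: 0` ACID printed above.

```python
"""Two sanity checks for a Snort 2.x -> MySQL -> ACID chain.

Added example, not code from the original post and not Snort's or ACID's
own. 1) parse the `output database:` line(s) of snort.conf; 2) compare the
tables printed by `SHOW TABLES` with the tables contrib/create_mysql from
Snort 2.0 creates. The expected-table list and the accepted backend names
are written from memory and are assumptions of this example.
"""
import re

# Tables created by contrib/create_mysql in Snort 2.0 (assumption, see above).
SNORT_TABLES = {
    "schema", "event", "signature", "sig_reference", "reference",
    "reference_system", "sig_class", "sensor", "iphdr", "tcphdr", "udphdr",
    "icmphdr", "opt", "data", "detail", "encoding",
}
ACID_PREFIX = "acid_"  # tables ACID adds with its own create_acid_tbls script
# Database types the plugin accepted around 2.0 (from memory, an assumption).
BACKENDS = {"mysql", "postgresql", "unixodbc", "mssql", "oracle"}

OUTPUT_RE = re.compile(r"^\s*output\s+database\s*:\s*(?P<args>.+?)\s*$")


def parse_output_database(conf_text):
    """Return one dict per `output database:` line: facility, backend, params."""
    entries = []
    # snort.conf continues a line when it ends in a backslash.
    for line in conf_text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0]  # '#' starts a comment
        m = OUTPUT_RE.match(line)
        if m is None:
            continue
        fields = [f.strip() for f in m["args"].split(",")]
        facility = fields[0]
        backend = fields[1] if len(fields) > 1 else ""
        params = {}
        for token in " ".join(fields[2:]).split():
            key, _, value = token.partition("=")
            params[key] = value
        entries.append({"facility": facility, "backend": backend, "params": params})
    return entries


def check_output(entries):
    """Problems with the parsed `output database:` lines (empty list = fine)."""
    if not entries:
        return ["no 'output database:' line; nothing is sent to the database"]
    problems = []
    for e in entries:
        where = "output database: %s" % e["facility"]
        if e["facility"] not in ("alert", "log"):
            problems.append("%s: facility must be alert or log" % where)
        if e["backend"] not in BACKENDS:
            problems.append("%s: unknown backend %r" % (where, e["backend"]))
        for req in ("dbname", "user"):
            if req not in e["params"]:
                problems.append("%s: %s= is missing" % (where, req))
    return problems


def check_tables(show_tables_output):
    """Compare a `SHOW TABLES` listing with the create_mysql table set."""
    present = set()
    for line in show_tables_output.splitlines():
        name = line.strip().strip("|").strip()
        if not name or line.lstrip().startswith("+") or name.startswith("Tables_in_"):
            continue
        present.add(name)
    acid = sorted(t for t in present if t.startswith(ACID_PREFIX))
    return {
        "missing": sorted(SNORT_TABLES - present),
        "acid": acid,
        "unknown": sorted(present - SNORT_TABLES - set(acid)),
    }


# Constructed from the snort.conf line and the table listing in Rob's message.
SAMPLE_CONF = """\
# output plugins
output database: log, mysql, dbname=snort user=snort host=localhost password=abc
"""
SAMPLE_SHOW_TABLES = """\
+-----------------+
| Tables_in_snort |
+-----------------+
| acid_ag         |
| acid_ag_alert   |
| acid_event      |
| acid_ip_cache   |
| event           |
| icmphdr         |
| iphdr           |
| sensor          |
| snort           |
| tcphdr          |
| udphdr          |
+-----------------+
"""

if __name__ == "__main__":
    entries = parse_output_database(SAMPLE_CONF)
    print(entries, check_output(entries))
    print(check_tables(SAMPLE_SHOW_TABLES))
```

Feed `check_tables` the output of `mysql -u snort -p snort -e 'SHOW TABLES'` and `parse_output_database` the real snort.conf; a non-empty `missing` list means the database was not initialised with the create_mysql script that matches the running Snort, and the plugin cannot write events into tables that do not exist.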




-----Original Message-----
From: Patrick S. Harper [mailto:lists at ...4250...]
Sent: 30 May 2003 06:02
To: Robin Johnson
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] (no subject)


http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.7
http://www.snort.org/docs/faq.html#6.15

Did you compile with any options for databases?

Check your snort.conf file.


On Thu, 2003-05-29 at 05:42, Robin Johnson wrote:
> Hi,
> Excuse my ignorance, but perhaps someone can help me!
> New to the mailing list, and first time building Snort 2 with ACID on
> Mandrake 9.1, running the latest version of MySQL and PHP.
> My question is: does anyone know how to get Snort to stop logging
> locally and actually put the data into the MySQL database, so when ACID
> queries the database it gets back useful information?
>
> cheers
> Rob
>


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users