[Snort-users] database not getting updated

M.D. DeWar mark at ...10574...
Mon Nov 17 08:55:06 EST 2003


Hello
I am a newbie so please be gentle on my first time :-)
I d/l and installed snort.
It seems to be up and running.
I have a whole directory of ip addresses listed and a file named alert
I d/l and installed ACID.
It seems to be working. I can go to domain.com/acid and see info.
However the database stopped being updated 3 days ago.
The alert file seems to be updated though (??)
I am using mysql.
Using phpMyAdmin I see all the tables, and there were 10625 records in the
event table and it is 2.4 MB big.

I d/l snortsnarf and it seems to be working and seems to be up to date on
its alert info.

I can't figure out why my database stopped getting data.

I have a file that runs snort as a daemon
/usr/local/snort/bin/snort -A fast -c /usr/local/snort/etc/snort.conf -D -g snort -u snort -l /temp/snort-alerts

Tailing /var/log/messages I get this:
Nov 17 11:43:34 spiderman snort: Writing PID "10692" to file "/var/run//snort_dc0.pid"
Nov 17 11:43:34 spiderman snort: http_decode arguments:
Nov 17 11:43:34 spiderman snort:     Unicode decoding
Nov 17 11:43:34 spiderman snort:     IIS alternate Unicode decoding
Nov 17 11:43:34 spiderman snort:     IIS double encoding vuln
Nov 17 11:43:34 spiderman snort:     Flip backslash to slash
Nov 17 11:43:34 spiderman snort:     Include additional whitespace separators
Nov 17 11:43:34 spiderman snort:     Ports to decode http on: 80
Nov 17 11:43:34 spiderman snort: rpc_decode arguments:
Nov 17 11:43:34 spiderman snort:     Ports to decode RPC on: 111 32771
Nov 17 11:43:34 spiderman snort:     alert_fragments: INACTIVE
Nov 17 11:43:34 spiderman snort:     alert_large_fragments: ACTIVE
Nov 17 11:43:34 spiderman snort:     alert_incomplete: ACTIVE
Nov 17 11:43:34 spiderman snort:     alert_multiple_requests: ACTIVE
Nov 17 11:43:34 spiderman snort: telnet_decode arguments:
Nov 17 11:43:34 spiderman snort:     Ports to decode telnet on: 21 23 25 119
Nov 17 11:43:34 spiderman snort: command line overrides rules file alert plugin!

Nov 17 11:43:44 spiderman snort: Snort initialization completed successfully

So I assume it's good to go.

I have a snort directory under /var/db/mysql/snort and a bunch of files
(just a partial listing of them):

--   1 mysql  mysql     8616 Nov 11 17:08 sig_reference.frm
-rw-rw----   1 mysql  mysql     1160 Nov 13 11:26 signature.MYD
-rw-rw----   1 mysql  mysql     4096 Nov 13 15:05 signature.MYI
-rw-rw----   1 mysql  mysql     8730 Nov 11 17:08 signature.frm
-rw-rw----   1 mysql  mysql    16740 Nov 13 14:57 tcphdr.MYD
-rw-rw----   1 mysql  mysql    24576 Nov 13 15:05 tcphdr.MYI
-rw-rw----   1 mysql  mysql     8888 Nov 11 17:08 tcphdr.frm
-rw-rw----   1 mysql  mysql      595 Nov 13 13:07 udphdr.MYD
-rw-rw----   1 mysql  mysql     4096 Nov 13 15:05 udphdr.MYI
-rw-rw----   1 mysql  mysql     8704 Nov 11 17:08 udphdr.frm

I have the rules directory at /usr/local/snort/rules
My snort.conf lists the rules path as ./rules.

I have the database chosen in the snort.conf:
output database: log, mysql, user=xxxx password=xxx dbname=xxxx host=localhost

I tried different options with the snort command line but get errors about
the directory. I don't wish to log to /var/log/snort due to storage issues.
/temp/snort-alerts is good; a lot of room on /temp.

I configured snort with:
./configure --with-mysql --with-openssl

I did have snort logging to /var/log/snort but ran out of room, so I had to
move it.
I can only assume that's why, but I have looked in all the files to see if I
missed that change.

Appreciate any help.

Thanks
Mark
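The symptom above is that the "-A fast" alert file keeps growing while the MySQL event table stopped receiving rows. The following script, an added example that is not part of the original post and not Snort or ACID code, measures exactly that gap: it parses the fast-alert file for its newest timestamp, asks the database for its newest event.timestamp, and reports how far the database trails the file. The event table columns (sid, cid, signature, timestamp) are those of the Snort/ACID schema; the alert lines and rows are constructed sample data, and sqlite3 stands in for MySQL so it runs offline (against the real setup you would point a MySQL connection at the same query).

```python
import re
import sqlite3
from datetime import datetime

# One line of Snort's "-A fast" output, the format of the 'alert' file:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
FAST_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample alert lines (not from the post). The fast format carries
# no year, so the year is passed in separately by the caller.
SAMPLE_ALERTS = [
    "11/17-11:43:34.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.5:1434 -> 192.168.1.20:1434",
    "this line is not an alert and must be skipped",
    "11/17-11:50:01.000100  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:3456 -> 192.168.1.30:80",
]


def parse_fast_alert(line, year):
    """Parse one fast-alert line into a dict; return None for non-alert lines."""
    m = FAST_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(
        f"{year}/{m['mon']}/{m['day']} {m['time']}", "%Y/%m/%d %H:%M:%S.%f"
    )
    return {"timestamp": ts, "sid": int(m["sid"]), "msg": m["msg"],
            "proto": m["proto"], "src": m["src"], "dst": m["dst"]}


def newest_file_alert(lines, year):
    """Timestamp of the latest parsable alert in the file, or None if there is none."""
    parsed = (parse_fast_alert(line, year) for line in lines)
    stamps = [a["timestamp"] for a in parsed if a is not None]
    return max(stamps) if stamps else None


def build_sample_db():
    """In-memory stand-in for the Snort MySQL database (constructed sample data).
    The 'event' table has the Snort/ACID columns; its last insert is about
    three days older than the newest line in SAMPLE_ALERTS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT)"
    )
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", [
        (1, 10623, 2003, "2003-11-14 11:40:02"),
        (1, 10624, 1256, "2003-11-14 11:41:15"),
        (1, 10625, 2003, "2003-11-14 11:43:34"),
    ])
    return conn


def newest_db_event(conn):
    """Latest event.timestamp in the database, or None if the table is empty."""
    (value,) = conn.execute("SELECT MAX(timestamp) FROM event").fetchone()
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S") if value else None


def db_lag_seconds(lines, conn, year):
    """Seconds by which the database trails the alert file (positive = DB behind)."""
    file_ts, db_ts = newest_file_alert(lines, year), newest_db_event(conn)
    if file_ts is None or db_ts is None:
        return None
    return int((file_ts - db_ts).total_seconds())


def db_output_stalled(lines, conn, year, max_lag_seconds=3600):
    """True when the file logger is still writing but the database is more than
    max_lag_seconds behind it, i.e. the database output has stopped."""
    lag = db_lag_seconds(lines, conn, year)
    return lag is not None and lag > max_lag_seconds


if __name__ == "__main__":
    lag = db_lag_seconds(SAMPLE_ALERTS, build_sample_db(), 2003)
    stalled = db_output_stalled(SAMPLE_ALERTS, build_sample_db(), 2003)
    print(f"database trails alert file by {lag} s; stalled={stalled}")
```

Run it periodically (or once, by hand) against the real alert file and database; a lag that keeps growing while the file's newest timestamp keeps advancing confirms the database output plugin, not the sensor, is what stopped.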