[Snort-users] database not getting updated

Josh Berry josh.berry at ...10221...
Mon Nov 17 11:15:08 EST 2003


Try taking out the -A fast.  You do not need to use these when configuring
for DB logging.  In fact, using it will disable the DB logging
configuration within your snort.conf file.

> Hello
> I am a newbie so please be gentle on my first time :-)
> I d/l and installed snort.
> It seems to be up and running.
> I have a whole directory of ip addresses listed and a file named alert
> I d/l and installed ACID.
> It seems to be working. I can go to domain.com/acid and see info.
> However the database stopped being updated 3 days ago.
> The alert file seems to be updated tho (??)
> I am using mysql.
> using phpmyadmin I see all the tables and there were 10625 records in the
> events and it's 2.4 megs big.
>
> I d/l snortsnarf and it seems to be working and seems to be up to date on
> its alert info.
>
> I can't figure out why my database stopped getting data.
>
> I have a file that runs snort as a daemon
> /usr/local/snort/bin/snort -A fast -c /usr/local/snort/etc/snort.conf -D -g snort -u snort -l /temp/snort-alerts
>
> tailing /var/log/messages I get this
> Nov 17 11:43:34 spiderman snort: Writing PID "10692" to file "/var/run//snort_dc0.pid"
> Nov 17 11:43:34 spiderman snort: http_decode arguments:
> Nov 17 11:43:34 spiderman snort:     Unicode decoding
> Nov 17 11:43:34 spiderman snort:     IIS alternate Unicode decoding
> Nov 17 11:43:34 spiderman snort:     IIS double encoding vuln
> Nov 17 11:43:34 spiderman snort:     Flip backslash to slash
> Nov 17 11:43:34 spiderman snort:     Include additional whitespace separators
> Nov 17 11:43:34 spiderman snort:     Ports to decode http on: 80
> Nov 17 11:43:34 spiderman snort: rpc_decode arguments:
> Nov 17 11:43:34 spiderman snort:     Ports to decode RPC on: 111 32771
> Nov 17 11:43:34 spiderman snort:     alert_fragments: INACTIVE
> Nov 17 11:43:34 spiderman snort:     alert_large_fragments: ACTIVE
> Nov 17 11:43:34 spiderman snort:     alert_incomplete: ACTIVE
> Nov 17 11:43:34 spiderman snort:     alert_multiple_requests: ACTIVE
> Nov 17 11:43:34 spiderman snort: telnet_decode arguments:
> Nov 17 11:43:34 spiderman snort:     Ports to decode telnet on: 21 23 25 119
> Nov 17 11:43:34 spiderman snort: command line overrides rules file alert plugin!
>
> Nov 17 11:43:44 spiderman snort: Snort initialization completed successfully
>
> So I assume it's good to go.
>
> I have a snort directory under /var/db/mysql/snort and bunch of files
> (just a partial listing of them)
>
> --   1 mysql  mysql     8616 Nov 11 17:08 sig_reference.frm
> -rw-rw----   1 mysql  mysql     1160 Nov 13 11:26 signature.MYD
> -rw-rw----   1 mysql  mysql     4096 Nov 13 15:05 signature.MYI
> -rw-rw----   1 mysql  mysql     8730 Nov 11 17:08 signature.frm
> -rw-rw----   1 mysql  mysql    16740 Nov 13 14:57 tcphdr.MYD
> -rw-rw----   1 mysql  mysql    24576 Nov 13 15:05 tcphdr.MYI
> -rw-rw----   1 mysql  mysql     8888 Nov 11 17:08 tcphdr.frm
> -rw-rw----   1 mysql  mysql      595 Nov 13 13:07 udphdr.MYD
> -rw-rw----   1 mysql  mysql     4096 Nov 13 15:05 udphdr.MYI
> -rw-rw----   1 mysql  mysql     8704 Nov 11 17:08 udphdr.frm
>
> I have the rules directory at /usr/local/snort/rules
> my snort.conf list rules path ./rules
>
> I have the database chosen in the snort.conf
> output database: log, mysql, user=xxxx password=xxx dbname=xxxx host=localhost
>
> I tried different options with the snort command line but get errors about
> the directory. I don't wish to log to /var/log/snort due to storage
> issues.
> /temp/snort-alerts is good. A lot of room on /temp.
>
> I configured snort with
> ./configure --with-mysql --with-openssl
>
> I did have snort logging to /var/log/snort but ran out of room. So I had
> to move it.
> I can only assume that's why but have looked in all the files to see if I
> missed that change.
>
> Appreciate any help
>
> Thanks
> Mark
>
>


Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry at ...10268...
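To make Josh's point checkable, here is a small Python script (added for this archive page, not code from the thread or from the Snort project) that takes a snort command line, the "output database" line from snort.conf and the syslog startup messages, and reports when a -A switch on the command line overrides the database plugin; the sample inputs are constructed from the values quoted above, and the override message string is the one Snort printed in Mark's log.

```python
import re
import shlex

# Constructed inputs modelled on this thread, not the poster's real files.
SNORT_CMD = ("/usr/local/snort/bin/snort -A fast -c /usr/local/snort/etc/snort.conf"
             " -D -g snort -u snort -l /temp/snort-alerts")
SNORT_CONF = "output database: log, mysql, user=xxxx password=xxx dbname=xxxx host=localhost\n"
OVERRIDE_MSG = "command line overrides rules file alert plugin!"
SYSLOG = ("Nov 17 11:43:34 spiderman snort: " + OVERRIDE_MSG + "\n"
          "Nov 17 11:43:44 spiderman snort: Snort initialization completed successfully\n")

def cmdline_alert_modes(cmd):
    """Values passed to -A on the snort command line, e.g. ['fast']."""
    args = shlex.split(cmd)
    return [args[i + 1] for i, a in enumerate(args[:-1]) if a == "-A"]

def conf_output_plugins(conf_text):
    """(plugin, facility) pairs from 'output <plugin>: <facility>, ...' lines."""
    pat = re.compile(r"\s*output\s+(\w+)\s*:\s*(\w+)")
    return [m.groups() for m in map(pat.match, conf_text.splitlines()) if m]

def syslog_reports_override(log_text):
    """True if Snort's startup messages say the command line overrode conf plugins."""
    return any(OVERRIDE_MSG in line for line in log_text.splitlines())

def without_alert_override(cmd):
    """The same command line with every '-A <mode>' pair removed."""
    kept, skip = [], False
    for a in shlex.split(cmd):
        if skip:
            skip = False
        elif a == "-A":
            skip = True
        else:
            kept.append(a)
    return shlex.join(kept)

def check(cmd, conf_text, log_text):
    """Findings that explain a database that silently stops receiving events."""
    findings = []
    modes = cmdline_alert_modes(cmd)
    if modes and any(p == "database" for p, _ in conf_output_plugins(conf_text)):
        findings.append("-A %s on the command line overrides 'output database' in snort.conf;"
                        " try: %s" % (" ".join(modes), without_alert_override(cmd)))
    if syslog_reports_override(log_text):
        findings.append("syslog confirms: " + OVERRIDE_MSG)
    return findings
```

Running check(SNORT_CMD, SNORT_CONF, SYSLOG) returns two findings for the quoted setup and an empty list once -A fast is removed from the daemon command line.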
