[Snort-users] What Might I have Missed? RH72, Snort, MySql, PHP, Adodb, Acid

Bruce D. meyer bdmeyer at ...11586...
Wed Apr 7 04:07:03 EDT 2004


Following various bits of info from the Snort 2.0 book by Jay Beale, this
web site:
http://www.sfhn.net/whites/snort_acid-rpm.html

This PDF file:
http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf

I seem to have almost everything working correctly. I can go to Shields Up
at grc.com, put the machine on my DMZ, tell Shields Up to do a full port
scan, and TOP shows an occasional jump of Snort-Mysql, and the log directory
shows the attempts.
(I am using "alert, mysql" in the conf file, as opposed to "log, mysql".)

So, snort is seeing the port scans and I see in the alert file, that it is
logging them. Oddly, Acid shows zero intrusions or records of any kind. GD,
and everything else SEEMS to be functioning, but it seems like Acid just
isn't reading the database, or else the MySql isn't getting the data. I am
not a big MySql, Acid, Adodb, or PHP expert, at all, I just followed a lot
of directions and beat my head on the keyboard for a while until things all
started to work.

I am hoping someone can point me in a general direction for tonight's
troubleshooting session.

My thoughts are that either:
a.) The data isn't getting written to MySql (so I need to view all the
tables in the 'snort' database somehow).
or
b.) Acid is not reading the MySql 'snort' database, but isn't writing errors
to /var/log/messages, /var/log/security, or any other log files in
that directory that I am grepping. (It could just be that I am not grepping for
the correct string; I am not sure what I am looking for except MySql...)

Just a hint would be very helpful. This is so much fun, I almost want to
take a vacation day to keep working on this.... (That's like a bad thing,
right?)

Bruce D. Meyer
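The two possibilities in the post (Snort not writing to MySQL, or ACID reading a different database than Snort writes to) can both be checked from a shell without touching the ACID web interface. The POSIX sh script below is an added example for this thread, not something from the original post or from the Snort or ACID projects. It assumes the `output database:` line lives in /etc/snort/snort.conf, that acid_conf.php uses the `$alert_dbname`, `$alert_host` and `$alert_user` settings, that the `mysql` command-line client is installed, and that the database uses the `event` and `sensor` tables from Snort's create_mysql schema. The config fragments and the alert-file excerpt embedded in it are constructed samples so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Troubleshooting helper for "Snort logs alerts but ACID shows nothing".
# The samples below are constructed stand-ins for the real files; the paths
# /etc/snort/snort.conf and acid_conf.php are assumptions.

# Constructed: the "output database:" line from snort.conf.
SNORT_CONF_LINE='output database: alert, mysql, user=snort password=secret dbname=snort host=localhost'

# Constructed: the matching settings from acid_conf.php.
ACID_CONF_SAMPLE='$DBtype = "mysql";
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_user     = "snort";
$alert_password = "secret";'

# Constructed: two records in the format of Snort's full-mode "alert" file.
ALERT_FILE_SAMPLE='[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/07-04:01:10.123456 192.0.2.10 -> 192.0.2.20
ICMP TTL:51 TOS:0x0 ID:1234 IpLen:20 DgmLen:28

[**] [1:1421:11] SNMP AgentX/tcp request [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/07-04:01:11.654321 192.0.2.10:40000 -> 192.0.2.20:705
TCP TTL:51 TOS:0x0 ID:1235 IpLen:20 DgmLen:40'

# Pull one key=value parameter (user, password, dbname, host) out of the
# "output database:" line.
snort_db_param() {  # $1 = line, $2 = key
  printf '%s\n' "$1" | awk -v k="$2" '{
    for (i = 1; i <= NF; i++)
      if (index($i, k "=") == 1) { print substr($i, length(k) + 2); exit }
  }'
}

# Pull the value of $alert_xxx = "value"; out of acid_conf.php text.
acid_param() {  # $1 = file contents, $2 = variable name without the $
  printf '%s\n' "$1" | awk -v k="$2" -F'"' '$0 ~ ("^\\$" k "[ \t]*=") { print $2; exit }'
}

compare_one() {  # $1 = label, $2 = snort.conf value, $3 = acid_conf.php value
  if [ "$2" = "$3" ]; then
    echo "$1: '$2' matches"
    return 0
  fi
  echo "$1: snort.conf='$2' acid_conf.php='$3' MISMATCH"
  return 1
}

# Check (b): ACID must point at the same database, host and user Snort uses.
configs_agree() {  # $1 = snort output line, $2 = acid_conf.php contents
  rc=0
  compare_one dbname "$(snort_db_param "$1" dbname)" "$(acid_param "$2" alert_dbname)" || rc=1
  compare_one host   "$(snort_db_param "$1" host)"   "$(acid_param "$2" alert_host)"   || rc=1
  compare_one user   "$(snort_db_param "$1" user)"   "$(acid_param "$2" alert_user)"   || rc=1
  return $rc
}

# Count alert records in a Snort alert file (fast or full mode): each record
# carries exactly one "[**] [gid:sid:rev]" header line.
count_alert_records() {  # $1 = file contents
  printf '%s\n' "$1" | grep -c '\[\*\*\] \[[0-9][0-9]*:[0-9][0-9]*:[0-9][0-9]*\]' || true
}

# Check (a): ask MySQL directly whether Snort's events arrived. The event and
# sensor tables come from Snort's create_mysql schema; an empty sensor table
# means the database output plugin never registered, i.e. Snort is not
# reaching this database at all. Compare the event count with the number of
# records in the alert file.
check_events_in_db() {  # $1 = the snort.conf "output database:" line
  command -v mysql >/dev/null 2>&1 || { echo "mysql client not installed"; return 2; }
  mysql -u "$(snort_db_param "$1" user)" -p"$(snort_db_param "$1" password)" \
        -h "$(snort_db_param "$1" host)" "$(snort_db_param "$1" dbname)" \
        -e 'SELECT COUNT(*) AS events FROM event; SELECT sid, hostname, last_cid FROM sensor;'
}

# Offline run on the constructed samples. On the real box, uncomment the last
# line to run the database check against the live snort.conf setting.
echo "alert records in alert file: $(count_alert_records "$ALERT_FILE_SAMPLE")"
configs_agree "$SNORT_CONF_LINE" "$ACID_CONF_SAMPLE"
# check_events_in_db "$(grep '^output database:' /etc/snort/snort.conf)"
```

If `configs_agree` reports a mismatch, ACID is simply looking at a different database than the one Snort fills; if the configs agree but the `event` count stays at zero while the alert file keeps growing, the problem is on the Snort-to-MySQL side (credentials, grants, or the plugin not loading), which Snort reports on stderr at startup rather than in /var/log/messages.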
