[Snort-users] RE: Cannot get Acid to report any activity

Guy Bruneau seeker at ...5932...
Thu Aug 26 17:04:05 EDT 2004


Glenn,

I am sorry I did not get back to you earlier but I am presently
unsubscribed on the Snort mailing list but I saw your message and I
think you forgot to uncomment the command that sends the data to ACID.

Edit the following file:

/usr/local/snort/etc/snort.external.conf
/usr/local/snort/etc/snort.internal.conf

find the following line in the conf file

output database: alert, mysql, .... (the setup is on page 15 of the
install.pdf guide)  and remove the # sign at the beginning of the line.

Save the file and then to test that everything works and it is
connecting to the database, do the following:

cd /usr/local/snort
./check_snort_eth1 and ./check_snort_eth0

This will confirm that Snort is connecting to MySQL correctly. Then,
restart Snort:

/etc/rc.d/rc.snort stop
/etc/rc.d/rc.snort start

I would suggest you review page 14 and 15 of the install.pdf file to
ensure all of the steps have been followed.

Guy

---------------------

I am feeling a bit dumb lately. I cannot see any activity through ACID.

I have configured Snort using Guy Bruneau's Shadow/Snort ISO. All seems
to be well, the sensor is saving alerts in the log files located at
/usr/local/snort/log/*. I can read them via less.

I would like to check to see if the logs are making it to mysql. How can

I query the database to verify that the logs are moving to mysql?

If I find the logs are getting to mysql, how do I check my connection
between acid and mysql?

Any ideas would be helpful.

I normally do NT admin, so I only have a poor mans knowledge of Linux.
So, what I am saying is... Don't be to vague with your answers... :-)

~-~-Glenn-~-~





More information about the Snort-users mailing list