[Snort-users] Snort Mysql Acid Combo

M. Morgan mikemorgan at ...468...
Wed Feb 4 06:44:03 EST 2004


Sam,
 In addition to what Mark has stated I'll throw in my two cents as well.

It sounds to me like your output plugin for snort isn't configured to point to the right table in the mysql database.

The output plugin should be something like this:
output database: alert, mysql, user=snort password=<password> dbname=snort host=localhost port=3306 sensor_name=[AUTO]

Be sure that the database has permissions assigned to user "snort" to allow access. Even if snort is sending data to the database, if the permissions aren't there MySql will simply ignore it.

btw: are you using that machine solely as an IDS box? Or as a desktop too?

/michael
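Since Snort reports "initialization complete" even when the output line is wrong, here is an added pre-flight check (my own, not from anyone in this thread) that parses an `output database:` line the way the directive is laid out and flags a missing or misspelt parameter before the sensor is restarted. It assumes the Snort 2.x parameter names (user, password, dbname, host, port, sensor_name, encoding, detail) and that `[AUTO]` in the line above is a placeholder, not a literal value.

```python
"""Sanity-check 'output database:' lines from snort.conf (added example)."""
import re

# Parameter names accepted by the Snort 2.x database output plugin
# (assumption: taken from the Snort manual, not from this thread).
KNOWN_PARAMS = {"user", "password", "dbname", "host", "port",
                "sensor_name", "encoding", "detail"}
# Without these three the plugin cannot reach the right table at all.
REQUIRED = {"user", "dbname", "host"}

def parse_output_database(line):
    """Split 'output database: <alert|log>, <driver>, k=v k=v ...' into a dict.
    Returns None when the line is not an output database directive."""
    m = re.match(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$", line)
    if not m:
        return None
    facility, driver, rest = m.groups()
    params = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"facility": facility, "driver": driver, "params": params}

def check_output_database(line):
    """Return a list of problems; an empty list means the line looks sane."""
    cfg = parse_output_database(line)
    if cfg is None:
        return ["not an 'output database:' line"]
    problems = []
    if cfg["facility"] not in ("alert", "log"):
        problems.append(f"facility must be alert or log, got {cfg['facility']}")
    if cfg["driver"] != "mysql":
        problems.append(f"driver is {cfg['driver']}, expected mysql")
    p = cfg["params"]
    for key in sorted(REQUIRED - p.keys()):
        problems.append(f"missing {key}=")
    for key in sorted(p.keys() - KNOWN_PARAMS):
        problems.append(f"unknown parameter {key}= (check spelling)")
    # A bracketed value such as [AUTO] is a placeholder from a how-to, not a
    # real sensor name; leaving sensor_name out lets Snort generate one.
    if p.get("sensor_name", "").startswith("["):
        problems.append("sensor_name is a placeholder; remove it or set a name")
    return problems

if __name__ == "__main__":
    # Constructed sample: the one-box setup from this thread, with a typo.
    for cfg_line in ("output database: alert, mysql, user=snort password=x "
                     "dbname=snort host=localhost port=3306",
                     "output database: log, mysql, user=snort dbnmae=snort"):
        print(cfg_line, "->", check_output_database(cfg_line) or "ok")
```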
-----Original Message-----
From: Sam Osuala <sam.osuala at ...11137...>
Sent: Feb 4, 2004 8:28 AM
To: Mark Fagan <r00t at ...10564...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort Mysql Acid Combo

Dear Mark,

/var/log/snort  is not populated.

There is also a success message from /etc/init.d/snort restart in
/var/log/messages. The last line reads

Feb 4 14:18:02 sniffer snort: Snort initialization complete successfully.

The entry sensor_name=mysensor ...... what will I use if I installed
everything on one Linux box?

Thanks

Sam


----- Original Message ----- 
From: "Mark Fagan" <r00t at ...10564...>
To: "Sam Osuala" <sam.osuala at ...11137...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Wednesday, February 04, 2004 12:47 PM
Subject: Re: [Snort-users] Snort Mysql Acid Combo


Is /var/log/snort populated with logs ?

If so you probably don't have the correct entry in your snort.conf:

It should be along the lines of:

output database: log, mysql, sensor_name=mysensor user=snortuser password=snortpassword dbname=snort host=dbhost

Also, in the event you have a DB authentication issue, open two ssh sessions,
one tailing the /var/log/messages file:

tail -f /var/log/messages

And one restarting snort:

/etc/init.d/snort restart

If you get a success message you probably don't have the correct output
database statement.

Hope this helps.

Mark

Quoting Sam Osuala <sam.osuala at ...11137...>:

> I have installed a box with the following;
>
> 1] Redhat Linux 9.2
> 2] Snort 2.0.6
> 3] Mysql 4.0.17
> 4] Acid 0.9.6
> 5] php 4.3.4
> 6] zlib-1.1.4
> 7] libpcap-0.7.2
> 8] Apache 2.0.48 (not the one that came with the Linux )
> 9] jgraph 1.14
> 10] adodb 405
>
> These are all installed in the Linux box above. The issue is that the mysql
> is not getting any logs in the database. If I start my snort with "snort
> -dvC" I get the alerts on the screen. What could be the problem? Do I have
> to keep the components in different machines?
>
> Thanks
>
> Sam
>
-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users