[Snort-users] snort (with mysql) write only in message.log

Stefan Sabolowitsch Stefan.Sabolowitsch at ...12169...
Thu Jul 22 10:30:37 EDT 2004


Hi list / ng

I have a WBEL (RHEL) server here with snort-mysql.
Snort starts without problems, yet nothing is written to MySQL.
Snort writes only to message.log.

What am I doing wrong?
Does anyone have an idea?

Thanks for any help.

Stefan


Infos:

message.log (alarms)
Jul 22 18:27:03 hydra-1 snort: [1:1411:5] SNMP public access udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.168.1.51:1609 -> 192.168.1.249:161
Jul 22 18:27:03 hydra-1 snort: [1:1417:4] SNMP request udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.168.1.51:1609 -> 192.168.1.249:161
Jul 22 18:27:03 hydra-1 snort: [1:1411:5] SNMP public access udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.168.1.51:1610 -> 192.168.1.249:161
Jul 22 18:27:03 hydra-1 snort: [1:1417:4] SNMP request udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.168.1.51:1610 -> 192.168.1.249:161


Snort.cfg
output database: log, mysql, user=snorty password=snorty dbname=snorty host=localhost

message.log (start snort)
Jul 22 18:22:59 hydra-1 kernel: eth0: Setting promiscuous mode.
Jul 22 18:22:59 hydra-1 kernel: device eth0 entered promiscuous mode
Jul 22 18:22:59 hydra-1 snort: Initializing daemon mode 
Jul 22 18:22:59 hydra-1 snort: PID path stat checked out ok, PID path set to
/var/run/ 
Jul 22 18:22:59 hydra-1 snort: Writing PID "8105" to file
"/var/run//snort_eth0.pid" 
Jul 22 18:22:59 hydra-1 snort: ,-----------[Flow
Config]---------------------- 
Jul 22 18:22:59 hydra-1 snort: | Stats Interval:  0 
Jul 22 18:22:59 hydra-1 snort: | Hash Method:     2 
Jul 22 18:22:59 hydra-1 snort: | Memcap:          10485760 
Jul 22 18:22:59 hydra-1 snort: | Rows  :          4099 
Jul 22 18:22:59 hydra-1 snort: | Overhead Bytes:  16400(%0.16) 
Jul 22 18:22:59 hydra-1 snort:
`---------------------------------------------- 
Jul 22 18:22:59 hydra-1 snort: HttpInspect Config: 
Jul 22 18:22:59 hydra-1 snort:     GLOBAL CONFIG 
Jul 22 18:22:59 hydra-1 snortd: Starten von snort succeeded
Jul 22 18:22:59 hydra-1 snort:       Max Pipeline Requests:    0 
Jul 22 18:22:59 hydra-1 snort:       Inspection Type:          STATELESS 
Jul 22 18:22:59 hydra-1 snort:       Detect Proxy Usage:       NO 
Jul 22 18:22:59 hydra-1 snort:       IIS Unicode Map Filename:
/etc/snort/unicode.map 
Jul 22 18:22:59 hydra-1 snort:       IIS Unicode Map Codepage: 1252 
Jul 22 18:22:59 hydra-1 snort:     DEFAULT SERVER CONFIG: 
Jul 22 18:22:59 hydra-1 snort:       Ports: 
Jul 22 18:22:59 hydra-1 snort: 80 
Jul 22 18:22:59 hydra-1 snort: 8080 
Jul 22 18:22:59 hydra-1 snort: 8180 
Jul 22 18:22:59 hydra-1 snort:  
Jul 22 18:22:59 hydra-1 snort:       Flow Depth: 300 
Jul 22 18:22:59 hydra-1 snort:       Max Chunk Length: 500000 
Jul 22 18:22:59 hydra-1 snort:       Inspect Pipeline Requests: YES 
Jul 22 18:22:59 hydra-1 snort:       URI Discovery Strict Mode: NO 
Jul 22 18:22:59 hydra-1 snort:       Allow Proxy Usage: NO 
Jul 22 18:22:59 hydra-1 snort:       Disable Alerting: NO 
Jul 22 18:22:59 hydra-1 snort:       Oversize Dir Length: 500 
Jul 22 18:22:59 hydra-1 snort:       Only inspect URI: NO 
Jul 22 18:22:59 hydra-1 snort:       Ascii: YES alert: NO 
Jul 22 18:22:59 hydra-1 snort:       Double Decoding: YES alert: YES 
Jul 22 18:22:59 hydra-1 snort:       %U Encoding: YES alert: YES 
Jul 22 18:22:59 hydra-1 snort:       Bare Byte: YES alert: YES 
Jul 22 18:22:59 hydra-1 snort:       Base36: OFF 
Jul 22 18:22:59 hydra-1 snort:       UTF 8: OFF 
Jul 22 18:22:59 hydra-1 snort:       IIS Unicode: YES alert: YES 
Jul 22 18:22:59 hydra-1 snort:       Multiple Slash: YES alert: NO 
Jul 22 18:22:59 hydra-1 snort:       IIS Backslash: YES alert: NO 
Jul 22 18:22:59 hydra-1 snort:       Directory: YES alert: NO 
Jul 22 18:22:59 hydra-1 snort:       Apache WhiteSpace: YES alert: YES 
Jul 22 18:22:59 hydra-1 snort:       IIS Delimiter: YES alert: YES 
Jul 22 18:22:59 hydra-1 snort:       IIS Unicode Map: GLOBAL IIS UNICODE MAP
CONFIG 
Jul 22 18:22:59 hydra-1 snort:       Non-RFC Compliant Characters: 
Jul 22 18:22:59 hydra-1 snort: NONE
Jul 22 18:22:59 hydra-1 snort:  
Jul 22 18:22:59 hydra-1 snort: rpc_decode arguments: 
Jul 22 18:22:59 hydra-1 snort:     Ports to decode RPC on: 111 32771  
Jul 22 18:22:59 hydra-1 snort:     alert_fragments: INACTIVE 
Jul 22 18:22:59 hydra-1 snort:     alert_large_fragments: ACTIVE 
Jul 22 18:22:59 hydra-1 snort:     alert_incomplete: ACTIVE 
Jul 22 18:22:59 hydra-1 snort:     alert_multiple_requests: ACTIVE 
Jul 22 18:22:59 hydra-1 snort: telnet_decode arguments: 
Jul 22 18:22:59 hydra-1 snort:     Ports to decode telnet on: 21 23 25 119  
Jul 22 18:22:59 hydra-1 snort: command line overrides rules file alert plugin! 
Jul 22 18:23:00 hydra-1 snort: Snort initialization completed successfully  
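Added example, not code from the post or from the Snort project: a small Python parser for the syslog-format alert lines quoted above. It first re-joins records that the mail client wrapped across several lines (a syslog record is assumed to start with a "Mon DD HH:MM:SS host" prefix; anything else is treated as a continuation), then extracts generator/signature id, message, classification, priority, protocol and endpoints, and summarizes alerts per signature and per source address. It also flags the startup message "command line overrides rules file alert plugin!", which Snort prints when an alert-output option on the command line takes precedence over the alert output plugins configured in the rules file. The sample input is constructed, modeled on the lines in the post.

```python
import re
from collections import Counter

# Constructed sample, modeled on the syslog lines quoted in the post; the
# mail wrapping of each record across several lines is reproduced on purpose.
SAMPLE_LOG = """\
Jul 22 18:27:03 hydra-1 snort: [1:1411:5] SNMP public access udp
[Classification: Attempted Information Leak] [Priority: 2]: {UDP}
192.168.1.51:1609 -> 192.168.1.249:161
Jul 22 18:27:03 hydra-1 snort: [1:1417:4] SNMP request udp [Classification:
Attempted Information Leak] [Priority: 2]: {UDP} 192.168.1.51:1609 ->
192.168.1.249:161
Jul 22 18:27:03 hydra-1 snort: [1:1411:5] SNMP public access udp
[Classification: Attempted Information Leak] [Priority: 2]: {UDP}
192.168.1.51:1610 -> 192.168.1.249:161
Jul 22 18:22:59 hydra-1 snort: command line overrides rules file alert
plugin!
Jul 22 18:23:00 hydra-1 snort: Snort initialization completed successfully
"""

# Assumption: a syslog record starts with "Mon DD HH:MM:SS host"; any other
# line is a continuation produced by line wrapping.
_RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")

# Layout of a Snort syslog alert as shown in the post.
_ALERT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<classification>[^\]]*)\] "
    r"\[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def unwrap(text):
    """Re-join syslog records that were wrapped across lines."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if _RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.lstrip()
    return records


def _split_endpoint(endpoint):
    """'192.168.1.51:1609' -> ('192.168.1.51', 1609); ICMP alerts carry no port."""
    ip, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return ip, int(port)
    return endpoint, None


def parse_alerts(text):
    """Return one dict per alert record found in the (possibly wrapped) text."""
    alerts = []
    for record in unwrap(text):
        m = _ALERT.match(record)
        if not m:
            continue  # startup messages and other non-alert records
        d = m.groupdict()
        d["src_ip"], d["src_port"] = _split_endpoint(d.pop("src"))
        d["dst_ip"], d["dst_port"] = _split_endpoint(d.pop("dst"))
        for key in ("gid", "sid", "rev", "priority"):
            d[key] = int(d[key])
        alerts.append(d)
    return alerts


def alert_output_overridden(text):
    """True if Snort's startup log contains its own message stating that a
    command-line alert option overrode the rules file's alert plugin."""
    marker = "command line overrides rules file alert plugin!"
    return any(marker in record for record in unwrap(text))


def summarize(alerts):
    """Alert counts per (gid, sid, message) and per source address."""
    by_signature = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    by_source = Counter(a["src_ip"] for a in alerts)
    return by_signature, by_source


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    by_signature, by_source = summarize(parsed)
    for (gid, sid, msg), n in by_signature.most_common():
        print(f"{n:4d}  [{gid}:{sid}] {msg}")
    for ip, n in by_source.most_common():
        print(f"{n:4d}  from {ip}")
    print("alert plugin overridden on command line:",
          alert_output_overridden(SAMPLE_LOG))
```

Run against a real /var/log/messages the same way; the unwrap step is a no-op on unwrapped syslog, and the override check gives a quick yes/no on whether the startup log contains that message before looking further at where alerts are actually being delivered.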