[Snort-users] No Activity Occurring on ACID

Kaplan, Andrew H. AHKAPLAN at ...10063...
Fri Jul 23 08:45:16 EDT 2004


I restarted Snort and checked the messages file for the appropriate entries. It
looks like everything associated with the
program started up successfully with the exception of stream for having a
problem with an argument that I gave it. Could
you please advise on that? I'm including an excerpt of the messages file for
your perusal. 

I did log successfully into Snort using the mysql -u "user" -p so there should
not be a problem with the snort user having
access to the database. I verified the username and password that appear in the
snort.conf file match those that I used from
the command line.

The command syntax that I used with the -T option was snort -T -A -i eth0 -c
/etc/snort/snort.conf -v. It showed all plugin's
loading successfully except for the min_ttl option for the stream4 plugin. I'll
check that out, but I would be surprised if
that alone could be the root cause of the problem.







-----Original Message-----
From: Paul Schmehl [mailto:pauls at ...6838...]
Sent: Friday, July 23, 2004 10:37 AM
To: Kaplan, Andrew H.; 'Harper, Patrick'
Cc: Snort User Group (E-mail)
Subject: RE: [Snort-users] No Activity Occurring on ACID


--On Friday, July 23, 2004 07:26:54 AM -0400 "Kaplan, Andrew H." 
<AHKAPLAN at ...10063...> wrote:

> I have MySQL installed on the system, and have configured the snort.conf
> file with the following line:
>
> output database: log, mysql, user=snort password=XXXXXX dbname=snort
> host=127.0.0.1 port=3306 sensor_name=rosnort
>
> Snort is started at boot time via the /etc/init.d/snort script.
> Additionally, I have started snort manually with
> the following command syntax:
>
> /usr/local/bin/snort -A full -i eth0 -c /etc/snort/snort.conf -v
>
What do you see in /var/log/messages when snort is started up?

> I did a check of the snort database to see if anything is being logged
> there. When I run the select count (*) from event;
> command I get 0 which would appear to indicate the data is not being
> posted into the database. If that is the case, does
> that mean there is a permissions issue at work here, or something else?
>
That's correct.  Nothing is being logged to the db.

> FYI: To access the mysql database I ran the following command:
> /usr/local/mysql/bin/mysql -p and provided the password.
>
Yes, but did you login to the db using the same *user* and pass that snort 
is trying to us?  mysql -u user -p

Note you can also run "snort -T" to run snort and test everything.  (It 
will use the conf file if it's in the default location.  Yours appears to 
be.)  This will print to stdout, so you can pipe it through less and read 
the output.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: snortmessages.txt
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040723/a117fb76/attachment.txt>


More information about the Snort-users mailing list