[Snort-users] No Activity Occurring on ACID

Kaplan, Andrew H. AHKAPLAN at ...10063...
Fri Jul 23 12:02:09 EDT 2004


Dropping the -A option did it. Information is appearing in ACID. Thanks for the
assist.

-----Original Message-----
From: Paul Schmehl [mailto:pauls at ...6838...]
Sent: Friday, July 23, 2004 2:13 PM
To: Kaplan, Andrew H.
Cc: Snort User Group (E-mail)
Subject: RE: [Snort-users] No Activity Occurring on ACID


--On Friday, July 23, 2004 11:42:05 AM -0400 "Kaplan, Andrew H." 
<AHKAPLAN at ...10063...> wrote:

> I restarted Snort and checked the messages file for the appropriate
> entries. It looks like everything associated with the
> program started up successfully with the exception of stream for having a
> problem with an argument that I gave it. Could
> you please advise on that? I'm including an excerpt of the messages file
> for your perusal.
>
According to the messages file, snort is starting successfully.  I also 
looked at the snort.conf stuff you sent, and that all looked OK.  I'm not 
sure what the problem might be.

> I did log successfully into Snort using the mysql -u "user" -p so there
> should not be a problem with the snort user having
> access to the database. I verified the username and password that appear
> in the snort.conf file match those that I used from
> the command line.
>
> The command syntax that I used with the -T option was snort -T -A -i eth0
> -c /etc/snort/snort.conf -v. It showed all plugins
> loading successfully except for the min_ttl option for the stream4
> plugin. I'll check that out, but I would be surprised if
> that alone could be the root cause of the problem.
>
No, it wouldn't be.  That's just a WARNING.  If it said FATAL, snort would 
not run.

Do not use the "-A" switch.  That overrides your conf file, so that would 
prevent snort from logging to the database and force snort to only log to 
/var/log/snort/alert (if that's the default path for you).

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
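
A pre-flight check for the misconfiguration described in the reply above, as an added example that is not part of the original thread: it flags a Snort command line whose `-A` switch would bypass an `output database` line in snort.conf. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a -A switch that would override database output.

# Write a constructed sample config (not the poster's actual snort.conf).
write_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
# output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
EOF
}

# Succeeds if the conf has an active (uncommented) "output database:" line.
conf_has_db_output() {
    grep -Eq '^[[:space:]]*output[[:space:]]+database[[:space:]]*:' "$1"
}

# Succeeds if the arguments contain -A, alone or with the alert mode
# attached (e.g. -Afast). Bundled short options are not handled.
args_have_alert_switch() {
    for arg in "$@"; do
        case "$arg" in
            -A*) return 0 ;;
        esac
    done
    return 1
}

# Usage: check_snort_output CONF [snort args...]
# Returns 1 when -A is present and the conf expects database output.
check_snort_output() {
    conf=$1
    shift
    if conf_has_db_output "$conf" && args_have_alert_switch "$@"; then
        echo "conflict: -A overrides 'output database' in $conf" >&2
        return 1
    fi
    return 0
}

# Demo using the command line quoted in the thread against the sample conf.
sample=$(mktemp)
write_sample_conf "$sample"
check_snort_output "$sample" -T -A -i eth0 -c "$sample" -v \
    || echo "fix: drop -A so alerts reach the database"
rm -f "$sample"
```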
