[Snort-users] Trouble to log trace into database

Jeff Dell jdell at ...1095...
Sat Nov 20 09:35:10 EST 2004


This is a common problem. It is most likely having a problem with
checksums. Try adding the option '-k none' to the line that you start snort
with, i.e.:
C:\Snort\bin>snort -r c:\trace.eth -c c:\Snort\etc\snort-mod.conf \
-l c:\Snort\log -k none

Cheers,
Jeff

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Juan
> Sent: Friday, November 05, 2004 7:25 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Trouble to log trace into database
> 
> Hi,
> I have a trace file with some packets I am trying to analyze. I am trying to
> load the trace into a mysql database but nothing gets logged.
> My rules file looks like this:
> # RULES
> log tcp any any -> any any
> log udp any any -> any any
> 
> And if I just run snort without loading from file, these rules log every tcp
> and udp header just fine into the database. Now when I run:
> C:\Snort\bin>snort -r c:\trace.eth -c c:\Snort\etc\snort-mod.conf \
>     -l c:\Snort\log
> 
> I do not get any error but nothing gets logged to the database. See below.
> Can anyone give me a hint of what I am doing wrong?
> 
> Thanks,
> J
> 
> 
> ======================================================================
> database: compiled support for ( mysql odbc )
> database: configured to use mysql
> database:          user = snort
> database: password is set
> database: database name = snort
> database:          host = localhost
> database:   sensor name = TRUSS:[reading from a file]
> database:     sensor id = 2
> database: schema version = 106
> database: using the "log" facility
> 2 Snort rules read...
> 2 Option Chains linked into 2 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> +-----------------------[thresholding-config]--------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[thresholding-global]--------------------------------
> | none
> +-----------------------[thresholding-local]---------------------------------
> | none
> +-----------------------[suppression]----------------------------------------
> | none
> -----------------------------------------------------------------------------
> Rule application order: ->activation->dynamic->alert->pass->log
>         --== Initialization Complete ==--
> -*> Snort! <*-
> Version 2.2.0-ODBC-MySQL-FlexRESP-WIN32 (Build 30)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> 1.7-WIN32 Port By Michael Davis (mike at ...92...,
> www.datanerds.net/~mike)
> 1.8 - 2.x WIN32 Port By Chris Reid 
> (chris.reid at ...3029...)
> Run time for packet processing was 0.501000 seconds
> ============================================================================
> Snort processed 84158 packets.
> ===========================================================================
> Breakdown by protocol:
>     TCP: 53451     (17.356%)
>     UDP: 28239     (37.124%)
>    ICMP: 13803      (1.561%)
>     ARP: 3240       (0.231%)
>   EAPOL: 0          (0.000%)
>    IPv6: 0          (0.000%)
>     IPX: 0          (0.000%)
>   OTHER: 8916       (1.008%)
> DISCARD: 377709     (42.720%)
> ===============================================================================
> Action Stats:
> ALERTS: 0
> LOGGED: 0
> PASSED: 0
> ===============================================================================
> Final Flow Statistics
> ,----[ FLOWCACHE STATS ]----------
> Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1) Overhead
> blocks: 1 Could Hold: (0)
> IPV4 count: 0 frees: 0 low_time: 0, high_time: 0, diff: 0h:00:00s
>     finds: 0 reversed: 0(%0.000000)
>     find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 0
> database: Closing connection to database ""
> Snort exiting
> 
> 
> 
> 
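The reply above says to turn off Snort's checksum verification. Before doing that on a trace you intend to analyze, it is worth confirming that bad checksums really are what is discarding the packets; the usual cause is a capture taken on a host with TCP/UDP checksum offload enabled, so the captured copies carry checksums the NIC never filled in. The script below is an added example, not code from either message in the thread: it walks a classic libpcap file with only the Python standard library, verifies the IPv4 header, TCP and UDP checksums itself, and counts the failures. The trace it audits is constructed inline (three frames, two deliberately corrupted); to audit a real trace such as the poster's c:\trace.eth, pass the file path on the command line.

```python
"""Audit IPv4, TCP and UDP checksums in a libpcap trace so you can tell whether
Snort's checksum verification (what '-k none' disables) is what discards the
packets. Added example, not code from the mailing-list thread; stdlib only."""
import struct

# Constructed sample segments (not captured traffic): a TCP SYN to port 80 and
# a 4-byte UDP datagram to port 53, each with its checksum field still zero.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
UDP_QUERY = struct.pack("!HHHH", 53000, 53, 12, 0) + b"\x12\x34\x01\x00"


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) of data, zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def l4_checksum(src: bytes, dst: bytes, proto: int, segment: bytes) -> int:
    """TCP/UDP checksum over the IPv4 pseudo-header followed by the segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    return ones_complement_sum(pseudo + segment)


def check_frame(frame: bytes) -> dict:
    """Verify the checksums in one Ethernet/IPv4 frame.
    ip_ok / l4_ok are True, False, or None when not applicable or truncated."""
    result = {"proto": None, "ip_ok": None, "l4_ok": None}
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # only IPv4 over Ethernet
        return result
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    result["proto"] = proto
    # The header checksum is computed with its own field zeroed.
    header = ip[:10] + b"\x00\x00" + ip[12:ihl]
    result["ip_ok"] = ones_complement_sum(header) == struct.unpack("!H", ip[10:12])[0]
    if proto not in (6, 17):
        return result
    segment = ip[ihl:total_len]         # slicing by total_len drops Ethernet padding
    off = 16 if proto == 6 else 6       # checksum field offset in TCP / UDP header
    if len(segment) < off + 2 or len(segment) < total_len - ihl:
        return result                   # truncated capture: cannot judge
    stored = struct.unpack("!H", segment[off:off + 2])[0]
    if proto == 17 and stored == 0:     # UDP over IPv4 may omit the checksum
        result["l4_ok"] = True
        return result
    computed = l4_checksum(ip[12:16], ip[16:20], proto,
                           segment[:off] + b"\x00\x00" + segment[off + 2:])
    # A UDP checksum that computes to 0 is sent as 0xFFFF (RFC 768).
    result["l4_ok"] = computed == stored or (proto == 17 and computed == 0 and stored == 0xFFFF)
    return result


def audit_pcap(pcap: bytes) -> dict:
    """Walk a classic pcap file and count packets whose IP or TCP/UDP checksum
    does not verify. Snort discards these before rule matching unless started
    with '-k none' (or the narrower '-k noip' / '-k notcp' / '-k noudp')."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    counts = {"packets": 0, "bad_ip": 0, "bad_l4": 0}
    pos = 24                            # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        counts["packets"] += 1
        r = check_frame(frame)
        if r["ip_ok"] is False:
            counts["bad_ip"] += 1
        if r["l4_ok"] is False:
            counts["bad_l4"] += 1
    return counts


def build_frame(proto: int, segment: bytes, bad_ip=False, bad_l4=False) -> bytes:
    """Constructed Ethernet/IPv4 frame around a segment whose checksum field is
    zero. bad_ip / bad_l4 deliberately store an off-by-one checksum, which is
    how offload-mangled packets look to a verifier."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    off = 16 if proto == 6 else 6
    csum = l4_checksum(src, dst, proto, segment)
    if proto == 17 and csum == 0:
        csum = 0xFFFF
    if bad_l4:
        csum = (csum + 1) & 0xFFFF
    segment = segment[:off] + struct.pack("!H", csum) + segment[off + 2:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64, proto, 0, src, dst)
    ip_csum = ones_complement_sum(ip)
    if bad_ip:
        ip_csum = (ip_csum + 1) & 0xFFFF
    ip = ip[:10] + struct.pack("!H", ip_csum) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + segment


def build_sample_pcap() -> bytes:
    """Constructed three-packet trace: a clean TCP SYN, a TCP SYN with a wrong
    TCP checksum, and a UDP datagram with a wrong IP header checksum."""
    frames = [build_frame(6, TCP_SYN),
              build_frame(6, TCP_SYN, bad_l4=True),
              build_frame(17, UDP_QUERY, bad_ip=True)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1100000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print(audit_pcap(data))   # sample trace gives packets=3, bad_ip=1, bad_l4=1
```

If the counts show that only one layer is affected, Snort 2.x lets you skip just that layer with '-k noip', '-k notcp' or '-k noudp' instead of '-k none', so the remaining checksums still protect you from logging corrupted packets. Note that a trace with many bad checksums is also a hint that the capture host, not the network, produced them; the same '-k' setting has to be used on a sensor sniffing live on such a host.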