[Snort-users] Interesting snort + mysql issue (kind of ODD)

James Lay jlay at ...12717...
Tue Apr 26 09:08:19 EDT 2005


Hey All!

So I originally had my BASE and snort mysql db on the same box...all went
well.  I decided to move the mysql install and db to a Mac OSX machine.  I
"thought" all went well.  Here's the issue I'm having:

My rc.snort script (running on slackware 10.1) has:

/usr/local/bin/snort -i eth1 -D -o -c /etc/snort/snort.conf "ip and not udp
port 4500"

as the startup line.  If this is run manually things go fine...snort starts
and logs to mysql.  Here is an update script that I use to grab bleeding
rules:

#!/bin/bash
cd /home/jlay/
wget http://www.bleedingsnort.com/bleeding.rules.tar.gz
tar zxvf bleeding.rules.tar.gz
cp -v rules/bleeding*.rules /etc/snort/rules/
cat /etc/snort/sid-msg.map.orig /home/jlay/rules/bleeding-sid-msg.map
/etc/snort/sid-msg.map.gateway | sort -u > /etc/snort/sid-msg.map
/etc/rc.d/rc.snort stop
/etc/rc.d/rc.snort start
rm /home/jlay/bleeding.rules.tar.gz

This daily job is run as root at 4:20 AM.  When this is run, snort starts
and connects to the mysql db, but it doesn't log anything.  CAN I GET A WHAT
THE HECK OVER.  Does anyone have a clue on why this would be like this?  The
user the db uses is snort with all permissions.  ODD.  Thanks all!

James Lay
Network Manager/Security Officer
AmeriBen Solutions/IEC Group
Deo Gloria!!!






More information about the Snort-users mailing list