[Snort-users] mysql not logging alerts

James Riden j.riden at ...11179...
Tue Feb 8 17:54:47 EST 2005


sEc nErD <umkcguy1978 at ...131...> writes:

> Hi all,
> I am running Snort on Fedora; everything is working
> fine, but somehow I can never make it log to the MySQL
> database.
> I checked the permissions for the snort user in
> the database and they are fine. I also checked that mysqld is
> running. Then I checked my snort.conf to see if I have
> the right info.
> I don't know how to troubleshoot this. What other problems
> could there be, or where should I look for some logs to find out
> where I am going wrong?
> Thanks

Your /var/log/messages should look a bit like this, except with mysql
instead of postgres. (Debian might put it in /var/log/daemon.log or
somewhere else.)

Feb  9 03:58:41 it023072 snort-pgsql: ,-----------[Flow Config]----------------------
Feb  9 03:58:41 it023072 snort-pgsql: | Stats Interval:  0
Feb  9 03:58:41 it023072 snort-pgsql: | Hash Method:     2
Feb  9 03:58:41 it023072 snort-pgsql: | Memcap:          10485760
Feb  9 03:58:41 it023072 snort-pgsql: | Rows  :          4099
Feb  9 03:58:41 it023072 snort-pgsql: | Overhead Bytes:  16400(%0.16)
Feb  9 03:58:41 it023072 snort-pgsql: `----------------------------------------------
Feb  9 03:58:41 it023072 snort-pgsql: rpc_decode arguments:
Feb  9 03:58:41 it023072 snort-pgsql:     Ports to decode RPC on: 111 32771
Feb  9 03:58:41 it023072 snort-pgsql:     alert_fragments: INACTIVE
Feb  9 03:58:41 it023072 snort-pgsql:     alert_large_fragments: ACTIVE
Feb  9 03:58:41 it023072 snort-pgsql:     alert_incomplete: ACTIVE
Feb  9 03:58:41 it023072 snort-pgsql:     alert_multiple_requests: ACTIVE
Feb  9 03:58:41 it023072 snort-pgsql: telnet_decode arguments:
Feb  9 03:58:41 it023072 snort-pgsql:     Ports to decode telnet on: 21 23 25 119
Feb  9 03:58:41 it023072 postgres[16830]: [1-1] LOG:  connection received: host=aa.bb.cc.dd port=37378
Feb  9 03:58:41 it023072 postgres[16830]: [2-1] LOG:  connection authorized: user=XXXXX database=YYYY
Feb  9 03:58:42 it023072 snort-pgsql: Warning: flowbits key 'ssh.brute.attempt' is set but not ever checked.
Feb  9 03:58:42 it023072 snort-pgsql: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Feb  9 03:58:42 it023072 snort-pgsql: Snort initialization completed successfully


Do you also have a line like this in your snort.conf?

output database: log, postgresql, user=XXXXX dbname=YYYYY host=ZZZZZ sensor_name=AAAAA

cheers,
 Jamie
-- 
James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
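An added check script, not part of Jamie's reply or of Snort itself, that tests the two things pointed at above: an active "output database:" directive that selects mysql and names user, dbname and host, and the "Snort initialization completed successfully" line in syslog. The sample config and log lines are constructed; real files are passed as the two arguments.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks what the reply points
# at: an active "output database:" line in snort.conf that selects mysql and
# names user/dbname/host, and a syslog line showing Snort finished initializing.

# Constructed sample inputs (not from the post) so the script runs offline:
# the live directive lacks host=, and the log never reports a finished start.
SAMPLE_CONF='# output database: log, mysql, user=snort dbname=snort host=localhost
output database: log, mysql, user=snort dbname=snort
output alert_fast: alert'
SAMPLE_SYSLOG='Feb  9 03:58:41 sensor snort: rpc_decode arguments:
Feb  9 03:58:41 sensor snort:     Ports to decode RPC on: 111 32771'

# Print the active "output database:" directives from stdin; commented-out
# lines are skipped, since a leading '#' silently disables the plugin.
active_db_outputs() { grep -E '^[[:space:]]*output[[:space:]]+database:'; }

# Return 0 when the directive selects the mysql plugin rather than another.
uses_mysql() { case "$1" in *database:*mysql*) return 0 ;; *) return 1 ;; esac; }

# Print, one per line, the connection fields the directive lacks.
missing_db_fields() {
    for field in user dbname host; do
        case " $1" in *" $field="*) ;; *) echo "$field" ;; esac
    done
}

# Return 0 when syslog on stdin shows Snort finished initializing; without
# that line the output plugins never get as far as opening a connection.
snort_started() { grep -q 'Snort initialization completed successfully'; }

# Report every problem found in a snort.conf read from stdin.
check_conf() {
    conf=$(cat)
    lines=$(printf '%s\n' "$conf" | active_db_outputs) ||
        { echo "no active 'output database:' line"; return 1; }
    printf '%s\n' "$lines" | while IFS= read -r line; do
        uses_mysql "$line" || echo "not the mysql plugin: $line"
        for f in $(missing_db_fields "$line"); do echo "missing $f= in: $line"; done
    done
}

# Run on the files given as arguments, otherwise on the constructed samples.
if [ $# -eq 2 ]; then
    check_conf < "$1"
    snort_started < "$2" || echo "no 'Snort initialization completed' line in $2"
else
    printf '%s\n' "$SAMPLE_CONF" | check_conf
    printf '%s\n' "$SAMPLE_SYSLOG" | snort_started || echo "no 'Snort initialization completed' line in sample log"
fi
```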