[Snort-users] Snort and MySQL

Joshua Berry jberry at ...11848...
Wed Feb 9 07:58:23 EST 2005


There is the problem.  Take out the -A fast part.  When you use a
logging method from the command line (the -A options), it overrides the
logging in the configuration file.
 
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of sEc nErD
Sent: Wednesday, February 09, 2005 9:52 AM
To: Harper, Patrick; Robert Spangler; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort and MySQL 
 
Thanks for your reply.
I have snort started as
/usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
 
Could you tell me how to restart it... because I am thinking /etc/init.d/snort restart
or /etc/init.d/snortd restart
 
What I did is this??
If I do this, will it still have the original parameters like snort -A -b -D and stuff?
Thanks

"Harper, Patrick" <Patrick.Harper at ...11593...> wrote:
	If you just made the change, yes, restart it.
	
	Have you set up the user snort with the password of snort (or whatever
	is in your snort.conf) in mysql yet? Have you set your permissions and
	tables too?
	
	-----Original Message-----
	From: sEc nErD [mailto:umkcguy1978 at ...131...] 
	Sent: Tuesday, February 08, 2005 8:06 PM
	To: Robert Spangler; snort-users at lists.sourceforge.net
	Subject: Re: [Snort-users] Snort and MySQL 
	
	ok below are the details of what's up with my snort... it
	is having all alerts in the /var/log/snort/alert file
	
	but just that nothing is in the mysql database. One thing that
	happened was mysql was not running, then I started
	mysqld from init.d
	
	since I started it after I was running snort... do I
	need to stop and restart snort?? so that it connects to
	the database
	
	if yes what would be the command for that!!
	
	[root at ...274... snort]# ps -ef| grep snort
	snort 1791 1 0 08:42 ? 00:00:46 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
	
	[root at ...274... snort]# ps -ef| grep mysql
	root 2029 1 0 08:42 ? 00:00:00 /bin/sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
	mysql 2053 2029 0 08:42 ? 00:00:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking
	
	Line in my snort.conf that I have uncommented:
	
	output database: log, mysql, user=snort password=snort dbname=snort host=localhost
	
	output from /var/log/messages
	Feb 8 14:49:48 localhost sshd(pam_unix)[3049]: session opened for user root by (uid=0)
	Feb 8 15:15:30 localhost mysqld: Starting MySQL:  succeeded
	Feb 8 16:32:24 localhost kernel: UDF-fs: No VRS found
	Feb 8 16:33:59 localhost sshd(pam_unix)[2894]: session closed for user root
	Feb 8 16:34:01 localhost sshd(pam_unix)[3049]: session closed for user root
	Feb 8 16:34:47 localhost sshd(pam_unix)[3290]: session opened for user root by (uid=0)
	Feb 8 16:58:15 localhost sshd(pam_unix)[3375]: session opened for user root by (uid=0)
	Feb 8 17:06:49 localhost sshd(pam_unix)[3290]: session closed for user root
	Feb 8 17:06:54 localhost sshd(pam_unix)[3375]: session closed for user root
	Feb 8 19:56:25 localhost sshd(pam_unix)[3552]: session opened for user root by (uid=0)
	
	--- Robert Spangler wrote:
	
	> On Sun August 29 2004 13:35, Robert Spangler wrote:
	> 
	> > I seem to be having a problem setting up snort to
	> > use MySQL database.
	> 
	> I had an error in my snort.conf file
	> 
	> > snort.conf has the following entry:
	> >
	> > ===================================================
	> > output database: log, MySQL, user=snort,
	> > password=******** dbname=snort host=localhost
	> > ===================================================
	> 
	> The above was placed in the wrong area of the
	> config. When this was corrected
	> snort seemed to run without any problems.
	> 
	> NOW
	> 
	> I don't think things are running correctly. I run a
	> scan against my machine
	> using CIS and it does its reporting but I never see
	> anything in ACID or
	> OpenAanval.
	> 
	> I used the following quick setup guide written by
	> Patrick Harper at
	> http://www.internetsecurityguru.com/
	> 
	> -- 
	> 
	> Regards
	> Robert
	> 
	> Smile..... It increases your face value.
	> 
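Added example, not code from anyone in this thread: a small POSIX shell check that applies Joshua's point by spotting an -A alert mode on the Snort command line while snort.conf still declares output plugins, and printing the command line with the -A option dropped. The command line and config fragment are constructed copies of what the poster pasted, and the rule that -A overrides the configured output plugins is taken from the reply above.

```shell
#!/bin/sh
# Added example, not code from the thread: check a Snort 2.x command line
# against snort.conf for the conflict described in the reply, where -A on
# the command line overrides the output plugins configured in the file.

# Constructed samples mirroring the poster's command line and config line.
SAMPLE_CMDLINE='/usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort'
SAMPLE_CONF='# constructed snort.conf fragment
var HOME_NET any
output database: log, mysql, user=snort password=snort dbname=snort host=localhost'

# cmdline_alert_mode CMDLINE -> prints the argument of -A, or nothing.
cmdline_alert_mode() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "-A") { print $(i + 1); exit } }'
}

# conf_output_plugins CONFTEXT -> prints the uncommented "output ..." lines.
conf_output_plugins() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*output[[:space:]]' || true
}

# check_output_conflict CMDLINE CONFTEXT -> returns 1 and explains when -A is
# set while the config also declares output plugins; returns 0 otherwise.
check_output_conflict() {
    mode=$(cmdline_alert_mode "$1")
    plugins=$(conf_output_plugins "$2")
    if [ -n "$mode" ] && [ -n "$plugins" ]; then
        echo "conflict: '-A $mode' on the command line overrides these snort.conf lines:"
        printf '%s\n' "$plugins" | sed 's/^/  /'
        echo "fix: drop '-A $mode' from the command line and restart snort"
        return 1
    fi
    return 0
}

# strip_alert_mode CMDLINE -> the same command line without "-A <mode>".
strip_alert_mode() {
    printf '%s\n' "$1" |
        awk '{ out = ""
               for (i = 1; i <= NF; i++) {
                   if ($i == "-A") { i++; continue }
                   out = (out == "") ? $i : out " " $i
               }
               print out }'
}

# Stand-alone run: report the conflict, then show the corrected command line.
check_output_conflict "$SAMPLE_CMDLINE" "$SAMPLE_CONF" || true
echo "corrected: $(strip_alert_mode "$SAMPLE_CMDLINE")"
```

On a real sensor, feed it the snort argument string from `ps` and the contents of your snort.conf instead of the constructed samples.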