[Snort-users] Re: [Snort-users] Can snort send alerts to the mysql database without writing an output file?

Thu Mar 9 05:43:12 EST 2006

Hi Nerijus,

> > '-K none' does only affect logging, not the alerts...
>  In my snort.conf I have only one output plugin configured. And that
> is database. On a command line I have: 'snort -K none -o -e -c
> <my_snort.conf_with_only_db_output_plugin> -X -d -y -D -i
> <interface_to_sniff>'. This combination works like a charm. I have an
> empty /var/log/snort dir and alerts go right into the database. Isn't
> this what the OP wanted? (Can't figure it out now, because the whole
> thread is messed up all around my gmail.) Snort version is 2.4.3 (if that
> matters) running on linux.

ah, I guess I see the problem... 

If you use the database output for "log" only, then no alert output
plugin is activated. In this case the alerts are written to /var/log/snort.
(Stupidly enough, most alerts are written to both "alert" and "log"...)

So probably your database output plugin is activated with the "alert"
facility? Then '-N' or '-K none' deactivates logging, and the activated
database alert plugin keeps the alert file from being written...

Change the database plugin to "log" and you will see the alert file again,
but then you cannot use the database output plugin because of '-K none' ...
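To make the two setups the reply contrasts concrete, here is a snort.conf output section as an added example. It is not from the original thread or from the Snort project; the user, password, dbname and host values are placeholders, and the comments restate the behaviour described above rather than anything verified here. Only one of the two "output database" lines should be active at a time.

```conf
# snort.conf output section (added example, not from the thread).
# Placeholder credentials: replace user/password/dbname/host for your site.

# Variant A: database plugin bound to the "alert" facility.
# Run with:  snort -K none -c snort.conf -D -i <interface>
# This is the setup Nerijus describes: the alert facility is served by
# this plugin, '-K none' (or '-N') switches logging off, so alerts go
# straight into MySQL and /var/log/snort stays empty.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# Variant B: database plugin bound to the "log" facility.
# No alert output plugin is configured, so Snort falls back to writing
# its alert file under /var/log/snort. With '-K none' the log facility
# is disabled as well, so this plugin receives nothing at all.
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
```

A quick check after starting Snort with either variant is to look at both sides: 'ls /var/log/snort' for the alert file and a count of rows in the events table of the configured database. Variant A should populate the table only, Variant B (with '-K none') should populate neither.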

