[Snort-users] Re: [Snort-users] Can snort send alerts to the mysql database without writing an output file?

Dirk Geschke Dirk_Geschke at ...1344...
Thu Mar 9 05:43:12 EST 2006


Hi Nerijus,

> > '-K none' does only affect logging, not the alerts...
> 
>  In my snort.conf I have only one output plugin configured. And that
> is database. On a command line I have: 'snort -K none -o -e -c
> <my_snort.conf_with_only_db_output_plugin> -X -d -y -D -i
> <interface_to_sniff>'. This combination works like a charm. I have an
> empty /var/log/snort dir and alerts go right into the database. Isn't
> this what the OP wanted? (Can't figure it out now, cause the whole
> thread is messed all around my gmail.) Snort version is 2.4.3 (if that
> matters) running on linux.

ah, I guess I see the problem... 

If you use the database output for "log" only, then no alert output
plugin is activated. In this case the alerts are written to /var/log/snort.
(Stupid enough, most alerts are written to "alert" and "log"...)

So probably your database output plugin is activated with the "alert"
facility? So '-N' or '-K none' deactivates logging and the activated 
database alert plugin avoids the writing of the alert file...

Change the database plugin to log and you will see the alert file again,
but then you cannot use the database output plugin due to '-K none' ...

> > >   Your turn: http://www.theadamsfamily.net/~erek/snort/drinking_game.txt
> >
> > You spent the drinks? Fine, when and where?
> 
>   Only for you, Dirk. And only if you come to my city. :) Deal? :)

That's a deal, but where is your city? Probably too far away for a drinking
game...

Best regards

Dirk
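As an added illustration (not part of the thread), the two snort.conf forms being contrasted above, written in Snort 2.x output-plugin syntax; the MySQL user, password, database name and host are placeholders:

```conf
# Form A: database plugin attached to the "alert" facility.
# With '-K none' (or '-N') the log facility is switched off, but this plugin
# still receives alerts, so nothing is written under /var/log/snort and the
# alerts go straight into MySQL (the setup Nerijus describes).
output database: alert, mysql, user=snort password=PLACEHOLDER dbname=snort host=localhost

# Form B: the same plugin attached to the "log" facility (commented out here;
# only one of the two forms should be active at a time).
# With no alert-facility plugin configured, Snort falls back to writing the
# "alert" file, and '-K none' disables the log facility, which takes the
# database plugin down with it (the behaviour Dirk describes).
# output database: log, mysql, user=snort password=PLACEHOLDER dbname=snort host=localhost
```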
