[Snort-users] Fwd: Snort not writing to DB

Joel Esler joel.esler at ...1935...
Wed Jun 20 10:15:24 EDT 2007





joel esler | security consultant | Sourcefire | pgp  key is public



Begin forwarded message:

> From: "Louis Bohm" <lbohm at ...14154...>
> Date: June 20, 2007 9:01:16 AM EDT
> To: "Joel Esler" <joel.esler at ...1935...>
> Subject: RE: [Snort-users] Snort not writing to DB
> X-Mimeole: Produced By Microsoft Exchange V6.0.6603.0
>
> Here is my startup command line.
>
> /usr/sbin/snort -A fast -b -d -D -I -i eth1 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth1
>
> If I did what you suggest (using a unified output module) what  
> would you recommend I use to do this?  What are the differences  
> between the output modules?  I ask because I have never used them  
> before.
>
>
>
> Louis
>
> ~~
> -------------------------------------
> Louis Bohm
> Network Administrator
> Adnexus Therapeutics
> 781.209.2324
> -------------------------------------
>
> From: Joel Esler [mailto:joel.esler at ...1935...]
> Sent: Wednesday, June 20, 2007 8:35 AM
> To: Louis Bohm
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort not writing to DB
>
> What are your Snort command line options when you run it?
>
> FWIW -- It is HIGHLY suggested that you not log directly from Snort  
> to the DB.  It IS suggested that you use the unified output module  
> and use something like Barnyard or similar to read the unified  
> files and put them in the DB.
>
> But for now, what does your command line look like?
>
> joel esler | security consultant | Sourcefire | pgp  key is public
>
> On Jun 20, 2007, at 8:08 AM, Louis Bohm wrote:
>
> I am running Snort 2.6.1.5-1 on a CentOS 5 machine with MySQL  
> 5.0.22-2.1.  When I built Snort I built it with the mysql option.   
> In the snort.conf file I have the following:
>
> output database: log, mysql, user=snortuser password=xxxxx dbname=snortDB host=localhost detail=full
>
> And I am also getting an alert log and a regular log file for each  
> interface.
>
> At present I am not seeing a lot of events because I have not  
> plugged the box in to a lot of places, but I am seeing some and it  
> is showing in the logs.  However, I am getting nothing in the  
> database.  I am not even seeing a connection between Snort and the  
> DB.  Snort is reporting NO errors whatsoever.  And if I run snort  
> -T -c /etc/snort/snort.conf I see that it logs in to the DB with no  
> problems.
>
> I know this should work; I have done it before…  Any thoughts?
>
> Thanks,
>
> Louis
>
> ~~
> -------------------------------------
> Louis Bohm
> Network Administrator
> Adnexus Therapeutics
> 781.209.2324
> -------------------------------------
>
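Added example (not from the thread, and not Sourcefire's or the Barnyard project's own files) of the setup Joel recommends: the direct `output database:` line in snort.conf is replaced by unified output, and Barnyard reads the unified spool files and inserts into the same MySQL database, so Snort never blocks on a database connection while capturing. The Barnyard 0.2 config keys, the sensor name and sensor_id, the spool base name and the map-file paths are assumptions to check against the barnyard.conf shipped with your Barnyard version.

```conf
# --- /etc/snort/snort.conf (Snort 2.6) ---
# Before: Snort holds its own MySQL connection and stalls on every insert.
# output database: log, mysql, user=snortuser password=xxxxx dbname=snortDB host=localhost detail=full

# After: write binary unified alert+log spool files into the -l directory
# (/var/log/snort/eth1 on the command line in the thread); roll over at 128 MB.
output unified: filename snort.unified, limit 128

# --- /etc/snort/barnyard.conf (assumed Barnyard 0.2 syntax) ---
config daemon
config hostname: sensor1                       # assumed sensor name
config interface: eth1
config sid-msg-map: /etc/snort/sid-msg.map     # assumed rule-map paths
config gen-msg-map: /etc/snort/gen-msg.map
config class-file:  /etc/snort/classification.config

processor dp_alert                             # parse the .alert spool
processor dp_log                               # parse the .log spool

# Same database and credentials as the old snort.conf line, but now Barnyard
# owns the connection; a slow or unreachable DB delays inserts, not capture.
output alert_acid_db: mysql, sensor_id 1, database snortDB, server localhost, user snortuser, password xxxxx
output log_acid_db:   mysql, sensor_id 1, database snortDB, server localhost, user snortuser, password xxxxx, detail full
```

Barnyard is then started in continual mode against the spool directory (`-c` config, `-d /var/log/snort/eth1`, `-f` spool base name, `-w` waldo bookmark file, `-D` daemon; flags assumed from Barnyard 0.2, confirm with `barnyard -h`), and the bookmark file lets it resume after a restart without re-inserting events.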
