[Snort-users] v2.8.4 incorrect logging to MySQL

Danny Paul JDPAUL at ...14549...
Fri Apr 10 12:52:13 EDT 2009


It appears that version 2.8.4 does not properly log to mysql. I have the following line in my config file (***** = redacted):

output database: log, mysql, user=***** password=***** dbname=snortdb host=localhost sensor_name=***** encoding=hex detail=full

The tables are empty when snort is started.

When I start snort, it does start making entries into the event, tcphdr, iphdr, and data tables. However, it never makes an entry for itself in the sensor table and never inserts anything into the signature table. That means that there is no way to correlate events to the sensor that generated them or the signature triggering the alert. I logged all MySQL queries to confirm this behavior. Snort will query the sensor and signature tables but never inserts. What could be the cause of this?


Particulars:
OpenSuSE 11.1
Snort 2.8.4
Mysql 5.0.67
Phil Wood's libpcap ver:0.9.8.20081128


Snort compiled from source using configuration directives:
--with-mysql 
--enable-dynamicplugin 
--with-libpcap-libraries=/usr/local/lib 
--with-libpcap-includes=/path/to/libpcap-0.9.8.20081128



Thanks,
Danny Paul
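The symptom described in the post (event rows present, but no matching sensor or signature rows) can be checked directly in the database rather than by reading the MySQL query log. The script below is an added example, not part of the original post or of Snort itself. It uses an in-memory SQLite copy of a simplified Snort schema (an assumption: only the sid/cid/signature columns needed for the correlation are reconstructed, the real MySQL schema has more) and constructed sample rows, and runs two LEFT JOIN queries that list every event that cannot be tied to a sensor or to a signature. The same two SELECT statements can be run against a real `snortdb` with a MySQL client to confirm whether the orphaned rows are there.

```python
"""Find Snort 'output database' events that have no matching sensor or
signature row.  Added example; the schema below is a simplified, assumed
reconstruction of the Snort MySQL schema, and the rows are constructed."""
import sqlite3

# Simplified Snort schema (assumption: only the columns used by the checks).
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
                     detail INTEGER, encoding INTEGER, last_cid INTEGER);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_sid INTEGER, sig_gid INTEGER, sig_rev INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
"""

# Events whose sensor id (sid) has no row in the sensor table.
ORPHAN_SENSOR_SQL = """
SELECT e.sid, e.cid, e.timestamp
FROM event e LEFT JOIN sensor s ON s.sid = e.sid
WHERE s.sid IS NULL
ORDER BY e.sid, e.cid
"""

# Events whose signature id has no row in the signature table.
ORPHAN_SIGNATURE_SQL = """
SELECT e.sid, e.cid, e.signature
FROM event e LEFT JOIN signature g ON g.sig_id = e.signature
WHERE g.sig_id IS NULL
ORDER BY e.sid, e.cid
"""


def load_sample_db():
    """Build an in-memory database with constructed rows: one healthy
    sensor/signature pair, plus events from a sensor (sid 2) that never
    registered itself and a signature (11) that was never inserted."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor VALUES (1, 'ids-1', 'eth0', 1, 1, 1)")
    conn.execute("INSERT INTO signature VALUES (10, 'sample sig', 1000001, 1, 1)")
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", [
        (1, 1, 10, "2009-04-10 12:00:00"),   # fully correlatable
        (2, 1, 11, "2009-04-10 12:00:01"),   # unknown sensor and signature
        (2, 2, 10, "2009-04-10 12:00:02"),   # unknown sensor only
    ])
    return conn


def check_orphans(conn):
    """Return the rows that cannot be correlated, keyed by what is missing."""
    cur = conn.cursor()
    return {
        "no_sensor": cur.execute(ORPHAN_SENSOR_SQL).fetchall(),
        "no_signature": cur.execute(ORPHAN_SIGNATURE_SQL).fetchall(),
    }


def summarize(conn):
    """Counts only, convenient for a periodic health check."""
    return {kind: len(rows) for kind, rows in check_orphans(conn).items()}


if __name__ == "__main__":
    db = load_sample_db()
    for kind, rows in check_orphans(db).items():
        print(f"{kind}: {len(rows)} event(s)")
        for row in rows:
            print("   ", row)
```

On a healthy install both result sets are empty after the first alert; a non-empty `no_sensor` set right after startup matches the behaviour reported above, where Snort queries the sensor table but never inserts its own row. Running the checks on a schedule, or before building any report that joins on these tables, is a cheap way to detect this failure instead of discovering it when an alert cannot be attributed.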





