[Snort-users] v2.8.4 incorrect logging to MySQL

JJ Cummings cummingsj at ...11827...
Fri Apr 10 16:14:02 EDT 2009


Use barnyard.... Or another utility like snort-unified-perl to read snort unifiedx output and send to mysql.... That would be the correct way to do it.

Sent from the iRoad

On Apr 10, 2009, at 9:52 AM, "Danny Paul" <JDPAUL at ...14549...> wrote:

> It appears that version 2.8.4 does not properly log to MySQL. I have the following line in my config file (***** = redacted):
>
> output database: log, mysql, user=***** password=***** dbname=snortdb host=localhost sensor_name=***** encoding=hex detail=full
>
> The tables are empty when snort is started.
>
> When I start snort, it does start making entries into the event, tcphdr, iphdr, and data tables. However, it never makes an entry for itself in the sensor table and never inserts anything into the signature table. That means that there is no way to correlate events to the sensor that generated them or the signature triggering the alert. I logged all MySQL queries to confirm this behavior. Snort will query the sensor and signature tables but never inserts. What could be the cause of this?
>
>
> Particulars:
> OpenSuSE 11.1
> Snort 2.8.4
> Mysql 5.0.67
> Phil Wood's libpcap ver:0.9.8.20081128
>
>
> Snort compiled from source using configuration directives:
> --with-mysql
> --enable-dynamicplugin
> --with-libpcap-libraries=/usr/local/lib
> --with-libpcap-includes=/path/to/libpcap-0.9.8.20081128
>
>
>
> Thanks,
> Danny Paul
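The symptom Danny describes (event, tcphdr, iphdr and data rows appear, but sensor and signature stay empty) is easy to miss until a console fails to show which sensor or rule an alert belongs to. The following check is added here and is not code from either poster, from Snort or from barnyard. It runs the two joins that expose orphaned events against an in-memory SQLite stand-in with constructed rows; the table and column names (sensor.sid, signature.sig_id, event.sid/cid/signature) are assumed from the classic Snort database output schema, not quoted from the thread.

```python
import sqlite3

# Column names follow the classic Snort database output schema
# (sensor, signature, event tables); they are an assumption here,
# not quoted from the mailing-list thread.
SCHEMA = """
CREATE TABLE sensor (
    sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
    detail INTEGER, encoding INTEGER, last_cid INTEGER);
CREATE TABLE signature (
    sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_sid INTEGER, sig_rev INTEGER);
CREATE TABLE event (
    sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
    PRIMARY KEY (sid, cid));
"""

# Events whose sensor id has no row in sensor: these cannot be tied
# back to the sensor that generated them.
ORPHAN_SENSOR_SQL = """
SELECT e.sid, COUNT(*)
FROM event e LEFT JOIN sensor s ON s.sid = e.sid
WHERE s.sid IS NULL
GROUP BY e.sid
"""

# Events whose signature id has no row in signature: these cannot be
# tied back to the rule that fired.
ORPHAN_SIGNATURE_SQL = """
SELECT e.signature, COUNT(*)
FROM event e LEFT JOIN signature g ON g.sig_id = e.signature
WHERE g.sig_id IS NULL
GROUP BY e.signature
"""


def audit_correlation(conn):
    """Count events that cannot be joined to sensor or signature rows.

    Returns a dict with the total event count, a {sid: count} map of
    events with no matching sensor row, a {signature_id: count} map of
    events with no matching signature row, and a 'consistent' flag that
    is True only when both maps are empty.
    """
    cur = conn.cursor()
    total = cur.execute("SELECT COUNT(*) FROM event").fetchone()[0]
    orphan_sensor = dict(cur.execute(ORPHAN_SENSOR_SQL).fetchall())
    orphan_signature = dict(cur.execute(ORPHAN_SIGNATURE_SQL).fetchall())
    return {
        "events": total,
        "orphan_sensor": orphan_sensor,
        "orphan_signature": orphan_signature,
        "consistent": not orphan_sensor and not orphan_signature,
    }


def build_sample_db(lookup_tables_populated):
    """Build an in-memory stand-in for snortdb with constructed rows.

    With lookup_tables_populated=False it reproduces the symptom from
    the thread: event rows exist but sensor and signature stay empty.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed events: one sensor (sid 1), three alerts, two signature ids.
    conn.executemany(
        "INSERT INTO event VALUES (?, ?, ?, ?)",
        [(1, 1, 1, "2009-04-10 09:50:00"),
         (1, 2, 1, "2009-04-10 09:50:05"),
         (1, 3, 2, "2009-04-10 09:51:00")])
    if lookup_tables_populated:
        # Constructed sensor and signature rows matching the events above.
        conn.execute("INSERT INTO sensor VALUES (1, 'sensor-a', 'eth0', 1, 1, 3)")
        conn.executemany(
            "INSERT INTO signature VALUES (?, ?, ?, ?)",
            [(1, "constructed signature A", 1000001, 1),
             (2, "constructed signature B", 1000002, 1)])
    conn.commit()
    return conn


if __name__ == "__main__":
    for populated in (False, True):
        print("lookup tables populated:", populated,
              audit_correlation(build_sample_db(populated)))
```

The two SELECT statements use only standard SQL, so they can be run unchanged against the real MySQL snortdb: any rows returned are events that no console can attribute to a sensor or a rule, which is exactly the state Danny observed after switching to the 2.8.4 database output. Re-running the same check after moving logging to barnyard, as JJ suggests, confirms whether the lookup tables are now being populated.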