[Snort-users] v2.8.4 incorrect logging to MySQL

Danny Paul JDPAUL at ...14549...
Sat Apr 11 11:37:41 EDT 2009


I don't really *need* to use barnyard - snort thus far has not had a problem keeping up with the traffic while writing logs directly to MySQL. We're talking about a pretty low speed link, really. As far as what's correct, writing its log to MySQL is supported, is it not?

Has anybody else had this problem? If not, I suppose I'll dive into the code and see what's up. If so, let me know; this is really strange!




>>> On 4/10/2009 at 3:14 PM, in message
<DEF65145-75D5-4358-83AC-ACB7529AFAFC at ...11827...>, <cummingsj at ...11827...>
wrote:
> Use barnyard.... Or another utility like snort-unified-perl to read  
> snort unifiedx output and send to mysql.... That would be the correct  
> way to do it.
> 
> Sent from the iRoad
> 
> On Apr 10, 2009, at 9:52 AM, "Danny Paul" <JDPAUL at ...14549...>  
> wrote:
> 
>> It appears that version 2.8.4 does not properly log to mysql. I have  
>> the following line in my config file (***** = redacted):
>>
>> output database: log, mysql, user=***** password=*****  
>> dbname=snortdb host=localhost sensor_name=***** encoding=hex  
>> detail=full
>>
>> The tables are empty when snort is started.
>>
>> When I start snort, it does start making entries into the event,  
>> tcphdr, iphdr, and data tables. However, it never makes an entry for  
>> itself in the sensor table and never inserts anything into the  
>> signature table. That means that there is no way to correlate events  
>> to the sensor that generated them or the signature triggering the  
>> alert.  I logged all MySQL queries to confirm this behavior. Snort  
>> will query the sensor and signature tables but never inserts. What  
>> could be the cause of this?
>>
>>
>> Particulars:
>> OpenSuSE 11.1
>> Snort 2.8.4
>> Mysql 5.0.67
>> Phil Wood's libpcap ver:0.9.8.20081128
>>
>>
>> Snort compiled from source using configuration directives:
>> --with-mysql
>> --enable-dynamicplugin
>> --with-libpcap-libraries=/usr/local/lib
>> --with-libpcap-includes=/path/to/libpcap-0.9.8.20081128
>>
>>
>>
>> Thanks,
>> Danny Paul
>>
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net 
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users 
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users 
> 


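The symptom described in the thread (event rows written, but no matching sensor or signature rows) leaves events that cannot be attributed to a sensor or a rule. The following is an added example, not code from the thread or from the Snort project, showing the correlation check a defender would run against the database to measure that gap. It assumes the column names of the Snort 2.8 schema (`event.sid`/`event.cid`/`event.signature`, `sensor.sid`, `signature.sig_id`), uses an in-memory SQLite database with constructed sample rows in place of the MySQL instance, and the same `LEFT JOIN` query can be pasted into a MySQL client unchanged.

```python
import sqlite3

# Minimal subset of the Snort 2.8 database schema. Column names are assumed
# from the create_mysql schema that ships with Snort; only the columns the
# correlation check needs are included.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
                     detail INTEGER, encoding INTEGER, last_cid INTEGER);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_sid INTEGER, sig_gid INTEGER, sig_rev INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
"""

# Every event row that cannot be joined to a sensor row or a signature row.
# The two IS NULL flags tell the reviewer which side of the correlation is
# missing for each orphaned event.
ORPHAN_EVENTS_SQL = """
SELECT e.sid, e.cid, e.signature,
       s.sid IS NULL    AS missing_sensor,
       g.sig_id IS NULL AS missing_signature
FROM event e
LEFT JOIN sensor    s ON s.sid    = e.sid
LEFT JOIN signature g ON g.sig_id = e.signature
WHERE s.sid IS NULL OR g.sig_id IS NULL
ORDER BY e.sid, e.cid
"""


def build_sample_db():
    """Constructed sample data: sensor 1 and signature 7 were registered, but
    sensor 2 and signature 9 were never inserted, mirroring the thread's
    symptom of events written without their sensor/signature rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor VALUES (1, 'ids-a', 'eth1', 1, 1, 0)")
    conn.execute("INSERT INTO signature VALUES (7, 'ICMP PING', 384, 1, 5)")
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", [
        (1, 1, 7, "2009-04-10 09:52:00"),   # fully correlated
        (1, 2, 9, "2009-04-10 09:52:01"),   # unknown signature
        (2, 1, 7, "2009-04-10 09:52:02"),   # unknown sensor
        (2, 2, 9, "2009-04-10 09:52:03"),   # both missing
    ])
    conn.commit()
    return conn


def find_orphan_events(conn):
    """Return (sid, cid, signature, missing_sensor, missing_signature) tuples,
    one per event that lacks a sensor row, a signature row, or both."""
    return [tuple(row) for row in conn.execute(ORPHAN_EVENTS_SQL)]


def summarize(conn):
    """Counts to glance at first: total events versus how many cannot be
    attributed to a sensor or to a rule."""
    total = conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]
    orphans = find_orphan_events(conn)
    return {
        "events": total,
        "without_sensor": sum(1 for r in orphans if r[3]),
        "without_signature": sum(1 for r in orphans if r[4]),
    }


if __name__ == "__main__":
    db = build_sample_db()
    for row in find_orphan_events(db):
        print(row)
    print(summarize(db))
```

A healthy database returns no rows from the orphan query; a non-zero `without_sensor` or `without_signature` count after Snort has been running confirms the missing inserts rather than, say, a display problem in the front end.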



