[Snort-users] Problems with snort and B.A.S.E

Kaustubh Gadkari kaustubh.gadkari at ...11827...
Tue Feb 10 20:09:30 EST 2009


Hi,

I have a process that continuously dumps pcap files into a directory.
Periodically, I run snort on these files:

snort -c /etc/snort/snort.conf --pcap-dir=/path/to/pcaps

I have configured snort to write to a MySQL database. I have also
confirmed that snort is writing to the database. Just to raise alerts,
I have a rule 'alert tcp any any <> any any (sid:5;)'. I am using
B.A.S.E (http://base.secureideas.net/) v1.4.1 to see the snort alerts.

Here's the problem:
When I run snort as described above, snort writes events to the snort
database. I checked using 'select count(*) from event;', but the
alerts do not show up in B.A.S.E. However, if I run snort on the
interface:

snort -c /etc/snort/snort.conf -i eth1

things work i.e. I see snort writing to the database, and I see alerts
on B.A.S.E.

Am I missing a trick here?

Kaustubh

-- 
Kaustubh Gadkari
kaustubh [dot] gadkari [at] gmail [dot] com




More information about the Snort-users mailing list