OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Blake Frantz (blakemc.net)
Date: Sun Jun 17 2001 - 13:52:37 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hello,

    I'm having a problem getting snort to log to mySQL. Everything is being
    logged to /var/log/snort. Below are the details, any help is appreciated.

    This is what snort says when I fire it up with :
    'snort -c snort.conf -i eth1'

    Initializing rule chains...
    database: compiled support for ( mysql postgresql )
    database: configured to use mysql
    database: user = snort
    database: database name = snort
    database: host = localhost
    database: sensor name = 192.168.69.99
    database: sensor id = 2
    database: using the "log" facility
    633 Snort rules read...
    633 Option Chains linked into 631 Chain Headers
    0 Dynamic rules

    This is the access mySQL says user snort has on dB 'snort' :

    Access-rights
    for USER 'snort', from HOST 'localhost', to DB 'snort'
            +-----------------+---+ +-----------------+---+
            | Select_priv | Y | | Shutdown_priv | N |
            | Insert_priv | Y | | Process_priv | N |
            | Update_priv | N | | File_priv | N |
            | Delete_priv | N | | Grant_priv | N |
            | Create_priv | Y | | References_priv | N |
            | Drop_priv | N | | Index_priv | N |
            | Reload_priv | N | | Alter_priv | N |
            +-----------------+---+ +-----------------+---+
    BEWARE: Everybody can access your DB as user `snort' from host
    `localhost'
          : WITHOUT supplying a password.
          : Be very careful about it!!
     
    The following rules are used:
    db :'localhost','snort','snort','Y','Y','N','N','Y','N','N','N','N','N'
    host:'Not processed: host-field is not empty in db-table.'
    user:'localhost','snort','','N','N','N','N','N','N','N','N','N','N','N','N','N','N'
     

    This is how I have loggin setup in my snort.conf:
    ruletype log2mySQL
    {
      type log
      output database: log, mysql, user=snort dbname=snort host=localhost
    }

    This is what snort says fter I kill the process :
    Snort received 152661 packets and dropped 0(0.000%) packets
     
    Breakdown by protocol: Action Stats:
        TCP: 124175 (81.340%) ALERTS: 3
        UDP: 26187 (17.154%) LOGGED: 3
       ICMP: 1984 (1.300%) PASSED: 0
        ARP: 0 (0.000%)
       IPv6: 0 (0.000%)
        IPX: 0 (0.000%)
      OTHER: 315 (0.206%)
    DISCARD: 0 (0.000%)

    So it *did* log data.

    This is the result when I query my 'snort' dB from mysql :

    mysql> use snort; select * from data;
    Database changed
    Empty set (0.00 sec)
     
    mysql>

    this is logged to /var/log/snort:

    drwx------ 2 root root 4096 Jun 17 13:17 x.y.x.0
    drwx------ 2 root root 4096 Jun 17 13:15 x.y.z.1
    -rw-r--r-- 1 root root 1060 Jun 17 13:17 alert
    -rw-r--r-- 1 root root 0 Jun 17 13:12 log
    -rw-r--r-- 1 root root 0 Jun 17 13:12 portscan.log

    Thanks in advance.

    Blake

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    http://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users