wallace1819 Apprentice
Joined: 17 Aug 2002 Posts: 195 Location: VT
Posted: Sun Sep 08, 2002 7:24 pm Post subject: snort logging problem
hi,
I'm having a problem getting snort to log to mysql and I can't find where I'm going wrong. Here is what I have done...
snort.conf:
var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET $HOME_NET
output database: log, mysql, dbname=snort user=snort host=localhost password=xxxx
running snort with:
-U -o -i eth0 -d -D -c /etc/snort/snort.conf
I'm not a mysql guru by any stretch of the imagination, but these are the steps I used to set up the database:
1) mysql -u root -p
within mysql>
2) create database snort;
3) connect snort
4) source /usr/lib/snort/bin/create_mysql
5) grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
6) grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
7) set password for 'snort'@'localhost'=password('xxxx');
8) set password for 'snort'@'%'=password('xxxx');
9) flush privileges;
10) exit
but when I do a 'echo "SELECT count(*) FROM event" | mysql snort -u root -p' it shows...
count(*)
0
rather than...
count(*)
1
like the doc at http://acidlab.sourceforge.net/acid_config.html says it should.
and after a portscan nothing shows up in acid. My guess is that I have set up the snort database in mysql incorrectly. Can anyone see where I have gone wrong?
thx,
wallace
-- Thor -- n00b
Joined: 31 Aug 2002 Posts: 49
Posted: Sun Oct 06, 2002 5:38 pm Post subject:
Is snort working in general (that is, without database logging)? Could be a misconfiguration issue in snort.conf, maybe. Good luck getting that pig to squeal...
Regards,
Jeff
r101 n00b
Joined: 14 Sep 2002 Posts: 27
Posted: Sun Oct 06, 2002 6:55 pm Post subject:
Hi,
Try changing your output to alert instead of log to get portscans recorded, i.e.:
output database: alert, mysql, dbname=snort user=snort host=localhost password=xxxx
exklusve Apprentice
Joined: 23 Aug 2002 Posts: 270 Location: currently ~/
Blahbbs n00b
Joined: 15 Jul 2002 Posts: 42
Posted: Thu Oct 16, 2003 8:04 pm Post subject:
Check your /var/log/snort/alert file. If there's anything in there, there should be a corresponding entry in your event table of your snort database.
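One way to do the comparison Blahbbs describes, as an added example that is not part of the thread and not Snort's own code: parse the full-format alert file, count entries per signature, and put the number next to `SELECT count(*) FROM event`. The alert text below is constructed for the example (three fake alerts, two of them from sid 498); the layout follows Snort's default full alert output as I remember it (`[**] [gid:sid:rev] msg [**]` header, classification/priority line, then a timestamp and address line with no year unless snort runs with -y). The parser reads only the header and the address line, which is enough for counting.

```python
"""Added example (not from the thread): count events in a Snort full-format
alert file so the number can be compared with SELECT count(*) FROM event."""

import re
from collections import Counter

# Constructed sample in Snort's "full" alert format: three alerts, not real traffic.
SAMPLE_ALERT_FILE = """\
[**] [1:498:6] ATTACK-RESPONSES id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
11/30-02:04:11.123456 192.168.1.10 -> 255.255.255.255
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84
Type:8  Code:0  ID:4242   Seq:1  ECHO

[**] [1:498:6] ATTACK-RESPONSES id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
11/30-02:04:12.123456 192.168.1.10 -> 255.255.255.255
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84
Type:8  Code:0  ID:4242   Seq:2  ECHO

[**] [1:1000001:1] LOCAL test rule [**]
[Priority: 3]
11/30-02:05:00.000000 10.0.0.5:51234 -> 10.0.0.7:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1  Ack: 0x0  Win: 0x4000  TcpLen: 40
"""

# "[**] [gid:sid:rev] message [**]" opens every alert record.
HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$')
# "MM/DD-HH:MM:SS.usec src -> dst" (ports are appended as :port for TCP/UDP).
ADDR_RE = re.compile(r'^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$')


def parse_alert_file(text):
    """Return one dict per alert: gid, sid, rev, msg, timestamp, src, dst."""
    alerts = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"gid": int(m.group(1)), "sid": int(m.group(2)),
                       "rev": int(m.group(3)), "msg": m.group(4)}
            alerts.append(current)
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            current["timestamp"], current["src"], current["dst"] = m.groups()
    return alerts


def event_count(text):
    """Number of alert records; compare with SELECT count(*) FROM event."""
    return len(parse_alert_file(text))


def count_by_signature(text):
    """Per-(gid, sid) counts, the same breakdown ACID shows per signature."""
    return Counter((a["gid"], a["sid"]) for a in parse_alert_file(text))


if __name__ == "__main__":
    print("alerts in file:", event_count(SAMPLE_ALERT_FILE))
    for (gid, sid), n in sorted(count_by_signature(SAMPLE_ALERT_FILE).items()):
        print(f"  {gid}:{sid}  {n}")
```

Run it against the real file with `parse_alert_file(open("/var/log/snort/alert").read())`. A non-zero count here with zero rows in `event` narrows the problem to the database output plugin and its connection rather than to the rules or the interface, which is the split Blahbbs is pointing at.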
jtp755 l33t
Joined: 01 Sep 2003 Posts: 691 Location: USA
Posted: Sun Nov 09, 2003 1:06 pm Post subject:
This thread is kinda old but..... I don't think that snort is working correctly. I have had it running for almost a day now and I would think that it would pick up stuff already, but I have nothing. Not even an alert file in /var/log/snort. ACID hasn't shown anything either. Is there a way I can "test" to see if SNORT is working?
_________________
www.EternalFireProof.com
Registered Linux User #334610
jesterspet Apprentice
Joined: 05 Feb 2003 Posts: 215 Location: Atlanta
Posted: Sun Nov 30, 2003 2:04 am Post subject:
jtp755 wrote:
    Is there a way I can "test" to see if SNORT is working?
I originally posted this under the previously suggested forum topic, but missed your posting, so here ya go:
If you need to ensure that snort is running and logging as you expect it to, you can ping your 'sensor' with this command:
Code:
ping -n -r -b 255.255.255.255 -p "7569643d3028726f6f74290a" -c3
Note that pattern "7569643d3028726f6f74290a" is equal to "uid=0(root)" which is the pattern required to generate alerts.
The -c3 command line parameter causes three packets to be sent.
_________________
(X) Yes! I am a brain damaged lemur on crack, and would like to buy your software package for $499.95
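As an added example (not from jesterspet's post and not Snort's code), the hex pattern above can be checked, and the match Snort makes on the echo data reproduced, in a few lines of Python. Two things here are assumptions: the content string `uid=0|28|root|29|` is the classic ATTACK-RESPONSES rule content as I recall it, with Snort's `|xx|` hex notation, and `icmp_echo_payload` is a simplification of how iputils ping fills the data area (it repeats the -p pad bytes; the 8-byte timestamp ping normally writes first is ignored).

```python
"""Added example (not from the thread): build a ping -p pattern from text and
show why a Snort content match on "uid=0(root)" fires on the resulting echo."""

import binascii


def ping_pattern(text):
    """Hex string for ping's -p option. iputils accepts at most 16 pad bytes."""
    data = text.encode("ascii")
    if len(data) > 16:
        raise ValueError("ping -p accepts at most 16 pad bytes")
    return binascii.hexlify(data).decode("ascii")


def content_to_bytes(content):
    """Decode a Snort content string: literal text with |xx xx| hex runs.
    Splitting on '|' leaves literal text at even indices and hex at odd ones."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("ascii")
        else:
            out += bytes.fromhex(part)
    return bytes(out)


def payload_matches(payload, content):
    """The simplest form of Snort's content check: substring of the payload."""
    return content_to_bytes(content) in payload


def icmp_echo_payload(pattern_hex, size=56):
    """Approximate the data part of a Linux ping echo request (assumption:
    the -p pad bytes are repeated through the default 56 data bytes)."""
    pad = bytes.fromhex(pattern_hex)
    reps = size // len(pad) + 1
    return (pad * reps)[:size]


# The rule content the ATTACK-RESPONSES "id check returned root" rule looks
# for (assumed here; check your own rules file for the exact sid/content).
ROOT_CONTENT = "uid=0|28|root|29|"

if __name__ == "__main__":
    pat = ping_pattern("uid=0(root)\n")
    print("ping -p pattern:", pat)
    print("matches:", payload_matches(icmp_echo_payload(pat), ROOT_CONTENT))
```

`ping_pattern("uid=0(root)\n")` returns exactly the hex in the post, so the string includes the trailing newline as well as "uid=0(root)". Note that pinging the broadcast address with -b reaches every host on the segment, not only the sensor, so keep -c small as the post does.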