Snort mailing list archives

loggin to mySQL

From: Blake Frantz <blake () mc net>
Date: Sun, 17 Jun 2001 13:52:37 -0500 (CDT)


Hello,

I'm having a problem getting snort to log to mySQL.  Everything is being
logged to /var/log/snort.  Below are the details, any help is appreciated.

This is what snort says when I fire it up with : 
'snort -c snort.conf -i eth1'

Initializing rule chains...
database: compiled support for ( mysql postgresql )
database: configured to use mysql
database:          user = snort
database: database name = snort
database:          host = localhost
database:   sensor name = 192.168.69.99
database:     sensor id = 2
database: using the "log" facility
633 Snort rules read...
633 Option Chains linked into 631 Chain Headers
0 Dynamic rules

This is the access mySQL says user snort has on dB 'snort' :

Access-rights
for USER 'snort', from HOST 'localhost', to DB 'snort'
        +-----------------+---+ +-----------------+---+
        | Select_priv     | Y | | Shutdown_priv   | N |
        | Insert_priv     | Y | | Process_priv    | N |
        | Update_priv     | N | | File_priv       | N |
        | Delete_priv     | N | | Grant_priv      | N |
        | Create_priv     | Y | | References_priv | N |
        | Drop_priv       | N | | Index_priv      | N |
        | Reload_priv     | N | | Alter_priv      | N |
        +-----------------+---+ +-----------------+---+
BEWARE:  Everybody can access your DB as user `snort' from host
`localhost'
      :  WITHOUT supplying a password.
      :  Be very careful about it!!
 
The following rules are used:
db  :'localhost','snort','snort','Y','Y','N','N','Y','N','N','N','N','N'
host:'Not processed: host-field is not empty in db-table.'
user:'localhost','snort','','N','N','N','N','N','N','N','N','N','N','N','N','N','N'
 

This is how I have loggin setup in my snort.conf:
ruletype log2mySQL
{
  type log
  output database: log, mysql, user=snort dbname=snort host=localhost
}


This is what snort says fter I kill the process :
Snort received 152661 packets and dropped 0(0.000%) packets
 
Breakdown by protocol:                Action Stats:
    TCP: 124175     (81.340%)         ALERTS: 3         
    UDP: 26187      (17.154%)         LOGGED: 3         
   ICMP: 1984       (1.300%)          PASSED: 0         
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 315        (0.206%)
DISCARD: 0          (0.000%)

So it *did* log data.


This is the result when I query my 'snort' dB from mysql :

mysql> use snort; select * from data; 
Database changed
Empty set (0.00 sec)
 
mysql> 

this is logged to /var/log/snort: 

drwx------    2 root     root         4096 Jun 17 13:17 x.y.x.0
drwx------    2 root     root         4096 Jun 17 13:15 x.y.z.1
-rw-r--r--    1 root     root         1060 Jun 17 13:17 alert
-rw-r--r--    1 root     root            0 Jun 17 13:12 log
-rw-r--r--    1 root     root            0 Jun 17 13:12 portscan.log


Thanks in advance.

Blake




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

spade reports Josh Gentry (Jun 16)
- Re: spade reports James Hoagland (Jun 17)
  - loggin to mySQL Blake Frantz (Jun 17)
    - RE: loggin to mySQL Jason Lewis (Jun 17)
    - Re: loggin to mySQL Grant Parkinson (Jun 17)
    - Re: loggin to mySQL Guillaume (Jun 17)