
| Subject: | Re: [Snort-users] output module bug in 2.4.3-RC3 |
|---|---|
| Date: | Mon, 23 Jan 2006 17:56:10 -0500 |

<sigh> What I forgot to write was that I'm currently running snort_inline _AND_ snort, exactly like this -

    snort_inline -c /etc/snort/snort.conf -Q
    snort -c /etc/snort/snort.conf

If I drop the -Q from the snort command line (or the snort_inline command line), database writes work fine. What I have no confidence in and no way to test is if anything is actually being done with the packets in the queue.

Database connectivity is working fine - as long as I don't try to use the QUEUE facility in either snort or snort_inline.

Mike-

On Mon, 23 Jan 2006 17:14:14 -0500, you wrote:

> First, verify connectivity to the db host using the mysql client on the sensor? should be something along the lines of:
>
>     # mysql -p
>     Enter password: xxx
>     Welcome to the MySQL monitor. Commands end with ; or \g.
>     Your MySQL connection id is 28 to server version: x.x.x
>
> Did you configure the db for logging use in snort.conf? The line should look something like:
>
>     output database: log, mysql, user=<user> password=<password> dbname=<db name> host=<host>
>
> If so, did you create the tables in the db for snort to use to log the alerts using ./snort-2.4.3/schemas/create_mysql?
>
> If so, did you give the proper grants to the tables for insert/update/delete, where appropriate, to the user defined in the snort.conf file?
>
> Axton Grams
>
> On 1/23/06, Michael W Cocke <cocke@catherders.com> wrote:
>
> > I was absolutely certain that it was something that I did wrong, so I went back to the beginning, reinstalled all the requires, compiled snort from scratch, turned on every log file I could find, and built a rule to log every occurrence of GET on port 80.
> >
> > I've tried both snort and snort-inline compiled with --enable-inline and --with-mysql. Running with this command line
> >
> >     snort -Q -c /etc/snort/snort.conf -v
> >
> > (replace snort with snort_inline as you wish). I get lots of screen activity from the -v, but snort doesn't write anything to a mysql database. Neither does snort_inline 2.4.3-RC3, compiled with the same options.
> >
> > If anyone has a suggestion or would like me to try something, email me.
> >
> > Mike-
> >
> > --
> > If you're not confused, you're not trying hard enough.
> > --
> > Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,

--
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
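
The snort.conf step of the checklist quoted in the message above, as an added example that is not part of the original thread: a shell function that finds the active `output database:` directives in a config file and reports missing fields. The function name, the constructed sample files, and the choice to treat user, password, dbname and host as required (taken from the sample line in the quoted reply) are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check the "output database:" directive in a snort.conf.
# Assumption: user, password, dbname and host are all required, as in the
# sample line quoted in the thread.

check_db_output() {   # $1 = path to snort.conf; returns 0 only if every directive is complete
    awk '
    /^[ \t]*#/ { next }                          # commented-out lines are inactive
    /^[ \t]*output[ \t]+database:/ {
        found++
        line = $0
        sub(/^[ \t]*output[ \t]+database:[ \t]*/, "", line)
        n = split(line, part, /[ \t]*,[ \t]*/)   # facility, db type, parameters
        missing = ""
        if (part[1] != "log" && part[1] != "alert") missing = missing " facility"
        if (n < 2 || part[2] == "") missing = missing " dbtype"
        m = split(part[3], kv, /[ \t]+/)         # key=value pairs, space separated
        split("", seen)                          # portable way to clear the array
        for (i = 1; i <= m; i++)
            if (kv[i] ~ /^[a-z]+=./) { k = kv[i]; sub(/=.*/, "", k); seen[k] = 1 }
        nk = split("user password dbname host", need, " ")
        for (j = 1; j <= nk; j++)
            if (!(need[j] in seen)) missing = missing " " need[j]
        if (missing != "") bad++
        printf "%s:%d: %s\n", FILENAME, NR, (missing == "" ? "ok" : "incomplete, missing:" missing)
    }
    END {
        if (!found) print "no active output database directive"
        exit ((found && !bad) ? 0 : 1)
    }' "$1"
}

# Constructed sample configs (not taken from the thread).
d=$(mktemp -d)
cat > "$d/good.conf" <<'EOF'
var HOME_NET any
output database: log, mysql, user=snort password=example dbname=snort host=localhost
EOF
cat > "$d/bad.conf" <<'EOF'
# output database: log, mysql, user=snort password=example dbname=snort host=localhost
output database: log, mysql, user=snort password=example host=localhost
EOF
check_db_output "$d/good.conf" && echo "good.conf: directive complete"
check_db_output "$d/bad.conf"  || echo "bad.conf: directive needs fixing"
rm -rf "$d"
```
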