LinuxQuestions.org

Linux - Security forum: Snort doesn't log to MySQL (https://www.linuxquestions.org/questions/linux-security-4/snort-doesnt-log-to-mysql-720981/)

Ephracis 04-22-2009 02:33 PM

Snort doesn't log to MySQL
 
I am running a Debian Lenny server and I just installed snort-mysql using apt.

I have configured snort to alert on ALL packages and it works, my /var/log/snort/alert file is full of messages. I have also followed the docs to set up the database for snort inside mysql, created the snort user and granted privileges. I ran the sql file that came with the snort package to set up all the tables inside the database and it seems to have worked.

Then I went into snort.conf and added the line "output database ..." with all the options (database name, user name, password) and I then restarted snort.

Problem is, I still get a lot of messages into the local log file so snort is working, but the 'event' table is empty (I figured it shouldn't?).

Is there a way to check if snort is even able to set up a connection to mysql? I tried to start snort manually in the console but there is no mention of mysql in the output.

Am I missing something?

unixfool 04-22-2009 03:06 PM

Quote:

Originally Posted by Ephracis (Post 3517560)
I am running a Debian Lenny server and I just installed snort-mysql using apt.

I have configured snort to alert on ALL packages and it works, my /var/log/snort/alert file is full of messages. I have also followed the docs to set up the database for snort inside mysql, created the snort user and granted privileges. I ran the sql file that came with the snort package to set up all the tables inside the database and it seems to have worked.

Then I went into snort.conf and added the line "output database ..." with all the options (database name, user name, password) and I then restarted snort.

Problem is, I still get a lot of messages into the local log file so snort is working, but the 'event' table is empty (I figured it shouldn't?).

Is there a way to check if snort is even able to set up a connection to mysql? I tried to start snort manually in the console but there is no mention of mysql in the output.

Am I missing something?

You should see mysql comments when you run snort manually. If you aren't, this may mean that something is amiss within your config file. Here's what I have:

output database: alert, mysql, user=snort password=xxxxx dbname=snort host=xxxxx.ath.cx sensor_name=spanky

You have to restart the snort daemon for the change to be applied.

You can also run snort in test mode (option -T).

I hope this helps.

Ephracis 04-22-2009 03:17 PM

Oh, I got it working. Seems like I should not use the -A option.

Is it possible to have two lines? Like

output database: alert, mysql, user=snort password=xxxxx dbname=snort host=localhost
output database: log, mysql, user=snort password=xxxx dbname=snort host=localhost

And what does sensor_name do?

unixfool 04-22-2009 07:15 PM

Quote:

Originally Posted by Ephracis (Post 3517599)
Oh, I got it working. Seems like I should not use the -A option.

Is it possible to have two lines? Like

output database: alert, mysql, user=snort password=xxxxx dbname=snort host=localhost
output database: log, mysql, user=snort password=xxxx dbname=snort host=localhost

And what does sensor_name do?

You can have as many lines as you like.

The sensor_name variable is just a logical name for your sensor. It is sensible to name them based on placement, such as 'inside' (internal network sensor), 'outside' (external network sensor), and 'dmz' (dmz sensor).
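As an added example (not code from the thread or from the Snort project), here is a small Python checker for the "output database:" lines discussed above. It assumes the Snort 2 line shape "output database: <alert|log>, <driver>, key=value ...", treats user, dbname and host as required, and flags a missing sensor_name; the snort.conf fragment it reads is a constructed sample, including one line with the colon left out.

```python
import re

REQUIRED_KEYS = ("user", "dbname", "host")   # keys Snort needs to open the database connection
FACILITIES = ("alert", "log")                 # the two facilities used in this thread

# Constructed snort.conf fragment: a good alert line, a good log line that has
# no sensor_name, and a broken line that is missing the colon after "database".
SAMPLE_CONF = """\
# Debian Lenny snort.conf fragment (constructed sample)
output database: alert, mysql, user=snort password=xxxxx dbname=snort host=localhost sensor_name=inside
output database: log, mysql, user=snort password=xxxx dbname=snort host=localhost
output database alert, mysql, user=snort dbname=snort host=localhost
"""
LINE_RE = re.compile(r"^output\s+database\s*:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")


def parse_output_database(conf_text):
    """Return one dict per 'output database' line: line, facility, driver, params, problems."""
    entries = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments ('#' inside a password is not handled)
        if not line.startswith("output database"):
            continue
        entry = {"line": lineno, "facility": None, "driver": None, "params": {}, "problems": []}
        m = LINE_RE.match(line)
        if m is None:                            # e.g. the colon after "database" is missing
            entry["problems"].append("malformed; expected 'output database: <alert|log>, <driver>, key=value ...'")
            entries.append(entry)
            continue
        entry["facility"], entry["driver"] = m.group(1), m.group(2)
        for token in m.group(3).split():         # key=value pairs are whitespace separated
            key, sep, value = token.partition("=")
            if sep:
                entry["params"][key] = value
            else:
                entry["problems"].append("parameter without a value: %r" % token)
        if entry["facility"] not in FACILITIES:
            entry["problems"].append("unknown facility %r" % entry["facility"])
        for key in REQUIRED_KEYS:
            if key not in entry["params"]:
                entry["problems"].append("missing %s=" % key)
        if "sensor_name" not in entry["params"]:  # a logical name per sensor, e.g. inside/outside/dmz
            entry["problems"].append("no sensor_name=; set one per sensor so they can be told apart")
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in parse_output_database(SAMPLE_CONF):
        print(e["line"], e["facility"], e["driver"], e["params"].get("sensor_name"), e["problems"] or "ok")
```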
