FC8 snort-2.8.1 mysql not logging

flashl · 08-12-2008, 11:49 AM

Brief overview of environment:
=================================
Linux: 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 i686 i386 GNU/Linux

ls -l /usr/sbin/snort*:
lrwxrwxrwx 1 root root 23 2008-08-09 13:10 /usr/sbin/snort -> /etc/alternatives/snort
-rwxr-xr-x 1 root root 6539144 2008-06-04 13:34 /usr/sbin/snort-bloat
-rwxr-xr-x 1 root root 6523816 2008-06-04 13:34 /usr/sbin/snort-mysql
-rwxr-xr-x 1 root root 6522644 2008-06-04 13:34 /usr/sbin/snort-plain

mysql: Ver 14.12 Distrib 5.0.45, for redhat-linux-gnu (i386) using readline 5.0

/etc/snort/snort.conf:
output database: log, mysql, user=snort password=abcdefg dbname=snort host=localhost
output database: alert, mysql, user=snort password=abcdefg dbname=snort

/etc/snort/init.d/snortd:
daemon /usr/sbin/snort -A fast -b -l /var/log/snort -d -D \
-i $INTERFACE -c /etc/snort/snort.conf

/var/log/messages:
....
Aug 12 05:03:22 minime snort[26876]: Portscan Detection Config:
Aug 12 05:03:22 minime snort[26876]: Detect Protocols: TCP UDP ICMP IP
Aug 12 05:03:22 minime snort[26876]: Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Aug 12 05:03:22 minime snort[26876]: Sensitivity Level: Low
Aug 12 05:03:22 minime snort[26876]: Memcap (in bytes): 10000000
Aug 12 05:03:22 minime snort[26876]: Number of Nodes: 36900
Aug 12 05:03:22 minime snort[26876]:
Aug 12 05:03:22 minime snort[26876]: command line overrides rules file alert plugin!
Aug 12 05:03:22 minime snort[26876]: command line overrides rules file alert plugin!
Aug 12 05:03:22 minime snort[26876]: Tagged Packet Limit: 256
=================================

From commandline the snort user is able to successfully access snort mysql db and all tables described in docs/tuts are in the db.

Somewhere. not sure where now, instructions were given to add '-K ascii' to snort commandline startup to allow mysql logging. Employing the '-K' option, do not silence the 'override' complaint nor log to mysql.

Removing '-A' from commandline stops 'overrides' complaint but snort segfaults:
snort[26959]: segfault at 00000000 eip 0079d6c3 esp bfb42770 error 4

Note: the commandline without '-A' flag revealed mysql pw in snort.conf on 'output database' line was incorrect because of attempt to connect to database. When the 'A' flag was on the commandline the mysql pw error did appear in logs.

This suggests to me, the '-A' flag is the source of the 'overrides' messages and stops mysql logging.

On FC8, which commandline change snort needs to allow mysql logging

flashl · 08-13-2008, 11:53 PM

The instructions read:

Code:

Furthermore, there is a logging method and database type that must be defined. There are two logging types available, log and alert. Setting the type to log attaches the database logging functionality to the 
log facility within the program. If you set the type to log, the plugin will be called on the log output chain.

Setting the type to alert attaches the plugin to the alert output chain within the program.

There are five database types available in the current version of the plugin. These are mssql, mysql, postgresql, oracle, and odbc. Set the type to match the database you are using.

For reasons, I do not understand yet, removing the entry in snort.conf with logging type 'alert' from output database entry solved the seg fault.