FC8 snort-2.8.1 mysql not logging
Brief overview of environment:
=================================
Linux: 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 i686 i386 GNU/Linux
ls -l /usr/sbin/snort*:
lrwxrwxrwx 1 root root 23 2008-08-09 13:10 /usr/sbin/snort -> /etc/alternatives/snort
-rwxr-xr-x 1 root root 6539144 2008-06-04 13:34 /usr/sbin/snort-bloat
-rwxr-xr-x 1 root root 6523816 2008-06-04 13:34 /usr/sbin/snort-mysql
-rwxr-xr-x 1 root root 6522644 2008-06-04 13:34 /usr/sbin/snort-plain
mysql: Ver 14.12 Distrib 5.0.45, for redhat-linux-gnu (i386) using readline 5.0
/etc/snort/snort.conf:
output database: log, mysql, user=snort password=abcdefg dbname=snort host=localhost
output database: alert, mysql, user=snort password=abcdefg dbname=snort
/etc/snort/init.d/snortd:
daemon /usr/sbin/snort -A fast -b -l /var/log/snort -d -D \
-i $INTERFACE -c /etc/snort/snort.conf
/var/log/messages:
....
Aug 12 05:03:22 minime snort[26876]: Portscan Detection Config:
Aug 12 05:03:22 minime snort[26876]: Detect Protocols: TCP UDP ICMP IP
Aug 12 05:03:22 minime snort[26876]: Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Aug 12 05:03:22 minime snort[26876]: Sensitivity Level: Low
Aug 12 05:03:22 minime snort[26876]: Memcap (in bytes): 10000000
Aug 12 05:03:22 minime snort[26876]: Number of Nodes: 36900
Aug 12 05:03:22 minime snort[26876]:
Aug 12 05:03:22 minime snort[26876]: command line overrides rules file alert plugin!
Aug 12 05:03:22 minime snort[26876]: command line overrides rules file alert plugin!
Aug 12 05:03:22 minime snort[26876]: Tagged Packet Limit: 256
=================================
From the command line the snort user is able to successfully access the snort mysql db, and all tables described in the docs/tutorials are in the db.
Somewhere (not sure where now), instructions were given to add '-K ascii' to the snort command-line startup to allow mysql logging. Employing the '-K' option does not silence the 'override' complaint, nor does it log to mysql.
Removing '-A' from the command line stops the 'overrides' complaint, but snort segfaults:
snort[26959]: segfault at 00000000 eip 0079d6c3 esp bfb42770 error 4
Note: the command line without the '-A' flag revealed that the mysql password in snort.conf on the 'output database' line was incorrect, because of the attempt to connect to the database. When the '-A' flag was on the command line, the mysql password error did appear in the logs.
This suggests to me that the '-A' flag is the source of the 'overrides' messages and stops mysql logging.
On FC8, which command-line change does snort need to allow mysql logging?
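An added check, not part of the original post: a POSIX sh function that scans a snort.conf for alert output plugins and warns when the snortd command line carries -A, the flag that the "command line overrides rules file alert plugin!" message refers to. The config and daemon line below are constructed to mirror the post, with the password replaced by a placeholder.

```shell
# Constructed sample mirroring the post's snort.conf (password is a placeholder).
SNORT_CONF=$(mktemp)
trap 'rm -f "$SNORT_CONF"' EXIT
cat > "$SNORT_CONF" <<'EOF'
output database: log, mysql, user=snort password=PLACEHOLDER dbname=snort host=localhost
output database: alert, mysql, user=snort password=PLACEHOLDER dbname=snort
EOF

# check_alert_override CONF "CMDLINE"
# Returns 1 (listing the affected lines on stderr) when CMDLINE carries -A,
# which makes snort ignore every alert output plugin in CONF; returns 0 otherwise.
check_alert_override() {
    conf=$1
    cmdline=$2
    # -A may be written as "-A fast" or "-Afast"; match it only as its own option.
    case " $cmdline " in
        *" -A "*|*" -A"[a-z]*) ;;
        *) return 0 ;;
    esac
    # Alert plugins: "output alert_<plugin>: ..." or "output <plugin>: alert, ...".
    hits=$(grep -nE '^[[:space:]]*output[[:space:]]+(alert_[a-z_]+|[a-z_]+:[[:space:]]*alert([[:space:]]|,|$))' "$conf" \
           | sed -E 's/password=[^[:space:]]+/password=***/')   # never echo credentials
    [ -z "$hits" ] && return 0
    printf 'WARNING: -A on the command line overrides these alert output plugins in %s:\n%s\n' "$conf" "$hits" >&2
    return 1
}

# Daemon line constructed from the post's snortd; $INTERFACE replaced by eth0.
DAEMON_LINE='daemon /usr/sbin/snort -A fast -b -l /var/log/snort -d -D -i eth0 -c /etc/snort/snort.conf'
check_alert_override "$SNORT_CONF" "$DAEMON_LINE" || echo "conflict found (exit $?)"
```

On a real host, run it against /etc/snort/snort.conf and the `daemon` line from /etc/init.d/snortd; a non-zero exit means the alert plugins in the config will not run as configured.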