LinuxQuestions.org
Old 09-26-2007, 06:38 AM   #1
ALInux
Member
 
Registered: Nov 2003
Location: Lebanon
Distribution: RHEL 5/CentOS 5/Debian Lenny/(K)Ubuntu Is Dead/Mandriva 10.1
Posts: 676
Blog Entries: 7

Rep: Reputation: 32
Problem Logging SNORT Data to Mysql Database


Hi All
I have set up SNORT IDS with BASE on Red Hat 4 EL. Snort is running and BASE is running; however, Snort is not logging any data to the MySQL database.
Upon further investigation I checked a FAQ and the following was stated:

No events are getting logged to the database

There are potentially numerous causes for this problem:
Confirm that the command line arguments are not overriding the logging configuration. (an error of "WARNING: command line overrides rules file alert plugin!" should be displayed). Using "-A" or "-s" will override any database logging configuration. If multiple output targets are desired (e.g. logging to a file and the database), use the configuration file to setup these plugins.

When I start snort using /etc/init.d/snort start I get the following two alerts in /var/log/messages

Sep 26 11:13:46 xmpp snort: command line overrides rules file logging plugin!
Sep 26 11:13:46 xmpp snort: command line overrides rules file alert plugin!

These are the direct result of uncommenting the following two lines in snort.conf

output log_tcpdump: tcpdump.log
output database: log, mysql, user=snort password=tasdwfgr dbname=snort host=localhost

Now the thing is that I do start snort using /etc/init.d/snortd start, and that file reads its config parameters from /etc/sysconfig/snort.conf

I have no clue what needs to be done now.

Any clues?
 
Old 09-30-2007, 05:54 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Is Snort *really* running?
Did you set all the required variables in snort.conf?
Tested the config with "-T"?
Is it a version that was compiled with database support?
Do you have all dependencies installed?


Quote:
Originally Posted by ALInux
Confirm that the command line arguments are not overriding the logging configuration. (an error of "WARNING: command line overrides rules file alert plugin!" should be displayed). Using "-A" or "-s" will override any database logging configuration.
So what are the command-line args of snort?


Quote:
Originally Posted by ALInux
output log_tcpdump: tcpdump.log
Does it log to that packet capture file?


Quote:
Originally Posted by ALInux
output database: log, mysql, user=snort password=tasdwfgr dbname=snort host=localhost
Can you confirm the "create_mysql" post-install script was run to create the database?
Did you "Create BASE AG" from the BASE GUI?
Can you confirm the dbname, database user exist and the user was granted access?
What happens if you connect to the database with the user/pass manually?


Any other log output?
And if you set verbose mode for the duration of testing?
 
Old 10-01-2007, 07:35 AM   #3
ALInux
Member
 
Registered: Nov 2003
Location: Lebanon
Distribution: RHEL 5/CentOS 5/Debian Lenny/(K)Ubuntu Is Dead/Mandriva 10.1
Posts: 676

Original Poster
Blog Entries: 7

Rep: Reputation: 32
Yes, snort is running and logging successfully to its log files. And yes, the database is created and ready to receive input. I did not provide any arguments to SNORT; I only started the daemon.

Did you set all the required variables in snort.conf? I uncommented the db section for MySQL and entered the username, db, pwd, hostname and triple checked that data.
Does it have all dependencies installed? I used an rpm package, so it should have all dependencies installed.

Does it log to that packet capture file? Yes
Can you confirm the "create_mysql" post-install script was run to create the database? YES
Did you "Create BASE AG" from the BASE GUI? YES
Can you confirm the dbname, database user exist and the user was granted access? YES
What happens if you connect to the database with the user/pass manually? Successful Logon
 
Old 10-02-2007, 04:14 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by ALInux
I did not provide any arguments to SNORT; I only started the daemon.
Should check args anyway.


Quote:
Originally Posted by ALInux
I used an rpm package..so it should have all dependencies installed.
I'm asking because there are (or at least were able to be built) different versions of the Snort package: plain, bloated, with database support... Since you say it does log PCAP and everything is OK on the db side, running the "wrong" version would be my only guess. You see, if I uncomment the db settings in snort.conf it will still run happily and not log any warning about db's or that. If that isn't it then I'd take this issue to the Snort users mailing list.
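An added diagnostic for the situation in posts #1, #2 and #4 (example code, not from the thread or the Snort project): it rebuilds the command line a Red Hat style snortd init script assembles from its sysconfig file and checks it against the output plugins enabled in snort.conf. The mapping of ALERTMODE and BINARY_LOG to "-A <mode>" and "-b" is assumed from that script; distro-default values such as ALERTMODE=fast and BINARY_LOG=1 put both flags on the command line, which is consistent with the two warnings quoted in the first post. All sample values below are constructed.

```shell
# Added example: flags the init script puts on the command line (-A/-s per the
# FAQ quoted above, -b for binary logging) make Snort ignore snort.conf "output"
# plugins, so nothing reaches MySQL. snortd's ALERTMODE/BINARY_LOG mapping is assumed.
# Rebuild the argument string snortd would pass, from sysconfig-style text on stdin.
sysconfig_to_args() {
    alert=""; binlog=""
    while IFS='=' read -r key val; do
        case "$key" in
            ALERTMODE)  if [ -n "$val" ]; then alert="-A $val"; fi ;;
            BINARY_LOG) if [ "$val" = "1" ]; then binlog="-b"; fi ;;
        esac
    done
    set -- $alert $binlog -D -c /etc/snort/snort.conf   # daemon flag and conf path as snortd passes them (assumed)
    echo "$*"
}
# Print each flag that overrides snort.conf output plugins; 0 = clean, 1 = override present.
cli_is_clean() {
    clean=0
    for arg in $1; do
        case "$arg" in
            -A|-A?*|-s|-b) echo "override flag: $arg"; clean=1 ;;
        esac
    done
    return $clean
}
# List the output plugins actually enabled (uncommented) in snort.conf text on stdin.
active_output_plugins() {
    grep '^[[:space:]]*output[[:space:]]' |
        sed 's/^[[:space:]]*output[[:space:]]*\([a-z_0-9]*\):.*/\1/'
}
# Verdict: 0 when a database plugin is enabled and nothing on the command line
# overrides it; 1 otherwise, with the reason printed.
check_db_logging() {
    args=$(printf '%s\n' "$1" | sysconfig_to_args)
    plugins=$(printf '%s\n' "$2" | active_output_plugins)
    if ! printf '%s\n' "$plugins" | grep -qx database; then echo "no database output plugin enabled in snort.conf"; return 1; fi
    if cli_is_clean "$args"; then return 0; fi
    echo "database plugin overridden by command line: $args"; return 1
}
# Constructed samples: sysconfig defaults that yield both warnings from the thread,
# the same file with the overrides cleared, and the two output lines from post #1.
BROKEN_SYSCONFIG='ALERTMODE=fast
BINARY_LOG=1'
FIXED_SYSCONFIG='ALERTMODE=
BINARY_LOG=0'
SNORT_CONF='output log_tcpdump: tcpdump.log
output database: log, mysql, user=snort password=PLACEHOLDER dbname=snort host=localhost'
check_db_logging "$BROKEN_SYSCONFIG" "$SNORT_CONF" || echo "=> fix the sysconfig file, not snort.conf"
check_db_logging "$FIXED_SYSCONFIG" "$SNORT_CONF" && echo "=> snort.conf output plugins apply"
```

Running the checker against the real files (the sysconfig file the init script sources and the snort.conf it points to) shows whether the warning comes from the init script rather than from snort.conf itself.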
 
Old 03-18-2008, 01:16 PM   #5
Scal
LQ Newbie
 
Registered: Mar 2008
Posts: 2

Rep: Reputation: 0
Same or Not ????

Dear all,
well, when I start this
/usr/local/snort/snort-2.8.0/etc # snort -c snort.conf -v -i eth0
in the shell to start snort with a log in a database
it doesn't work !!!!!
and when I try this
/usr/local/snort/snort-2.8.0/etc # snort -c snort.conf -v -i lo
it works great.
CAN you help me please !! I don't know what I'll do with this error.
Thanks.

Last edited by Scal; 03-19-2008 at 05:12 AM. Reason: NO answer
 