Need to make Snort log to MySQL rather than the default logs

Ok, I've managed to set up Snort on my Linux box (Fedora Core 3). I got it to run nicely and have everything but one thing set up: the logging. Right now it logs to /var/log/snort/alert and those other Snort files. What I want it to do is log to the MySQL database. I've followed the instructions over the internet and the Snort manual, but I still have no luck. If you need to see the configuration file then ask away and I'll have it posted (with some minor editing with regards to passwords ;) ). No need to rush for this, by the way.

--trigger-happy
ahoffmann commented:
> but i still have no luck.
Does this mean that you get no logging at all now?
Please post error messages from /var/log/messages.
trigger-happy (author) commented:
Actually the logs work perfectly, but I want it to log into the MySQL database rather than the normal log files.
Here's a section from the messages log when I start Snort:

May  7 05:39:54 trigger kernel: device eth0 entered promiscuous mode
May  7 05:39:54 trigger snort: Initializing daemon mode
May  7 05:39:54 trigger snortd: snort startup succeeded
May  7 05:39:54 trigger snort: PID path stat checked out ok, PID path set to /var/run/
May  7 05:39:54 trigger snort: Writing PID "6554" to file "/var/run//snort_eth0.pid"
May  7 05:39:54 trigger snort: Parsing Rules file /etc/snort/snort.conf
May  7 05:39:54 trigger snort: ,-----------[Flow Config]----------------------
May  7 05:39:54 trigger snort: | Stats Interval:  0
May  7 05:39:54 trigger snort: | Hash Method:     2
May  7 05:39:54 trigger snort: | Memcap:          10485760
May  7 05:39:54 trigger snort: | Rows  :          4099
May  7 05:39:54 trigger snort: | Overhead Bytes:  16400(%0.16)
May  7 05:39:54 trigger snort: `----------------------------------------------
May  7 05:39:54 trigger snort: HttpInspect Config:
May  7 05:39:54 trigger snort:     GLOBAL CONFIG
May  7 05:39:54 trigger snort:       Max Pipeline Requests:    0
May  7 05:39:54 trigger snort:       Inspection Type:          STATELESS
May  7 05:39:54 trigger snort:       Detect Proxy Usage:       NO
May  7 05:39:54 trigger snort:       IIS Unicode Map Filename: /etc/snort/unicode.map
May  7 05:39:54 trigger snort:       IIS Unicode Map Codepage: 1252
May  7 05:39:54 trigger snort:     DEFAULT SERVER CONFIG:
May  7 05:39:54 trigger snort:       Ports: 80 8080 8180
May  7 05:39:54 trigger snort:       Flow Depth: 300
May  7 05:39:54 trigger snort:       Max Chunk Length: 500000
May  7 05:39:54 trigger snort:       Inspect Pipeline Requests: YES
May  7 05:39:54 trigger snort:       URI Discovery Strict Mode: NO
May  7 05:39:55 trigger snort:       Allow Proxy Usage: NO
May  7 05:39:55 trigger snort:       Disable Alerting: NO
May  7 05:39:55 trigger snort:       Oversize Dir Length: 500
May  7 05:39:55 trigger snort:       Only inspect URI: NO
May  7 05:39:55 trigger snort:       Ascii: YES alert: NO
May  7 05:39:55 trigger snort:       Double Decoding: YES alert: YES
May  7 05:39:55 trigger snort:       %U Encoding: YES alert: YES
May  7 05:39:55 trigger snort:       Bare Byte: YES alert: YES
May  7 05:39:55 trigger snort:       Base36: OFF
May  7 05:39:55 trigger snort:       UTF 8: OFF
May  7 05:39:55 trigger snort:       IIS Unicode: YES alert: YES
May  7 05:39:55 trigger snort:       Multiple Slash: YES alert: NO
May  7 05:39:55 trigger snort:       IIS Backslash: YES alert: NO
May  7 05:39:55 trigger snort:       Directory Traversal: YES alert: NO
May  7 05:39:55 trigger snort:       Web Root Traversal: YES alert: YES
May  7 05:39:55 trigger snort:       Apache WhiteSpace: YES alert: NO
May  7 05:39:55 trigger snort:       IIS Delimiter: YES alert: NO
May  7 05:39:55 trigger snort:       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
May  7 05:39:55 trigger snort:       Non-RFC Compliant Characters: NONE
May  7 05:39:55 trigger snort: rpc_decode arguments:
May  7 05:39:56 trigger snort:     Ports to decode RPC on: 111 32771
May  7 05:39:56 trigger snort:     alert_fragments: INACTIVE
May  7 05:39:56 trigger snort:     alert_large_fragments: ACTIVE
May  7 05:39:56 trigger snort:     alert_incomplete: ACTIVE
May  7 05:39:56 trigger snort:     alert_multiple_requests: ACTIVE
May  7 05:39:56 trigger snort: telnet_decode arguments:
May  7 05:39:56 trigger snort:     Ports to decode telnet on: 21 23 25 119
May  7 05:39:56 trigger snort: Portscan Detection Config:
May  7 05:39:56 trigger snort:     Detect Protocols:  TCP UDP ICMP IP
May  7 05:39:56 trigger snort:     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
May  7 05:39:56 trigger snort:     Sensitivity Level: Low
May  7 05:39:56 trigger snort:     Memcap (in bytes): 10000000
May  7 05:39:56 trigger snort:     Number of Nodes:   36900
May  7 05:39:56 trigger snort:
May  7 05:39:56 trigger snort: command line overrides rules file alert plugin!
May  7 05:39:57 trigger snort: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
May  7 05:39:57 trigger snort:
May  7 05:39:57 trigger snort: +-----------------------[thresholding-config]----------------------------------
May  7 05:39:57 trigger snort: | memory-cap : 1048576 bytes
May  7 05:39:57 trigger snort: +-----------------------[thresholding-global]----------------------------------
May  7 05:39:57 trigger snort: | none
May  7 05:39:57 trigger snort: +-----------------------[thresholding-local]-----------------------------------
May  7 05:39:57 trigger snort: | gen-id=1      sig-id=2496       type=Both      tracking=dst count=20  seconds=60
May  7 05:39:57 trigger snort: | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60
May  7 05:39:57 trigger snort: | gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60
May  7 05:39:57 trigger snort: | gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10
May  7 05:39:57 trigger snort: | gen-id=1      sig-id=2495       type=Both      tracking=dst count=20  seconds=60
May  7 05:39:57 trigger snort: | gen-id=1      sig-id=2494       type=Both      tracking=dst count=20  seconds=60
May  7 05:39:58 trigger snort: | gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60
May  7 05:39:58 trigger snort: +-----------------------[suppression]------------------------------------------
May  7 05:39:58 trigger snort: | none
May  7 05:39:58 trigger snort: +------------------------------------------------------------------------------
May  7 05:39:58 trigger snort: Rule application order: ->activation->dynamic->alert->pass->log
May  7 05:39:58 trigger snort: Log directory = /var/log/snort
May  7 05:39:58 trigger snort: Snort initialization completed successfully (pid=6554)


--trigger-happy
trigger-happy (author) commented:
Ok, never mind... I managed to solve it thanks to my talent in trial and error. I just needed to edit the startup script, do a recompile, and it worked nicely. Thanks for the reply though.

--trigger-happy
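For anyone landing here with the same symptom, the following is an added example (not the poster's configuration or the Snort project's own scripts) that puts together the three pieces the thread is circling: the snort.conf output line for the MySQL plugin, a least-privilege grant for the sensor account, and a check for the message that appears in the startup log above, "command line overrides rules file alert plugin!". Snort prints that line when -A or -s is passed on the command line and then ignores every output plugin in snort.conf, so a correct database line never gets used; on a packaged snortd that builds "-A $ALERTMODE" from /etc/sysconfig/snort (an assumption about the init script), clearing ALERTMODE is the fix. The database name, account, password, sensor name and paths are placeholders. The schema itself comes from schemas/create_mysql in the Snort tarball and is loaded once with an admin account.

```shell
#!/bin/sh
# Added example, not code from the thread. Three pieces needed to make Snort 2.x
# write events to MySQL, plus a check for the command-line override that
# silently defeats them. Names, password and paths are placeholders (assumptions).

# 1. The snort.conf line. "log" stores every event from alert and log rules;
#    use "alert" to store only alert events. A fixed sensor_name stops the
#    sensor table from gaining a new row whenever hostname or interface changes.
snort_output_line() {
    # $1 dbname, $2 user, $3 password, $4 host, $5 sensor name
    printf 'output database: log, mysql, dbname=%s user=%s password=%s host=%s sensor_name=%s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# 2. Least-privilege grant for the sensor account, run as a MySQL admin after
#    loading schemas/create_mysql. At run time the plugin INSERTs event rows,
#    SELECTs to look up sensor and signature ids, and UPDATEs sensor.last_cid.
#    CREATE/DROP/DELETE belong to the admin and the console, not the sensor.
snort_grant_sql() {
    # $1 dbname, $2 user, $3 password
    printf "GRANT INSERT, SELECT, UPDATE ON %s.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" \
        "$1" "$2" "$3"
}

# 3a. Is there a live (not commented-out) "output database:" line in snort.conf?
#     Shipped configs often carry only a commented template line.
snort_conf_has_db() {
    grep -q '^[[:space:]]*output[[:space:]]*database:' "$1"
}

# 3b. The trap in the thread's own startup log:
#     "command line overrides rules file alert plugin!"
#     Snort prints that when -A or -s is on the command line and then ignores
#     every output plugin in snort.conf, the database one included. A packaged
#     snortd that builds "-A $ALERTMODE" from /etc/sysconfig/snort (assumption)
#     triggers it; set ALERTMODE= there to leave snort.conf in charge.
#     Returns 0 when the command line does not override the config.
snort_cmdline_ok() {
    for arg in "$@"; do
        case "$arg" in
            -A|-A?*|-s) return 1 ;;
        esac
    done
    return 0
}

# Demo on a constructed snort.conf and two candidate command lines.
demo() {
    conf=$(mktemp) || return 1
    {
        echo '# output database: log, mysql, user=snort dbname=snort   (template, disabled)'
        snort_output_line snort snort 'CHANGE_ME' localhost sensor1
    } > "$conf"
    snort_conf_has_db "$conf" && echo "snort.conf: database output enabled"
    snort_grant_sql snort snort 'CHANGE_ME'
    for cmd in "-A fast -D -i eth0 -c $conf" "-D -i eth0 -c $conf"; do
        # word splitting of $cmd is intended: it is the argument vector
        if snort_cmdline_ok $cmd; then
            echo "OK:       snort $cmd"
        else
            echo "OVERRIDE: snort $cmd  (drop -A/-s; set ALERTMODE= in /etc/sysconfig/snort)"
        fi
    done
    rm -f "$conf"
}
demo
```

The grant is deliberately narrower than the "all privileges" many how-tos hand out: a compromised sensor box then cannot wipe or alter the evidence already stored, and the console (BASE/ACID) should get its own account with whatever it needs rather than sharing the sensor's. Remember that the password sits in clear text in snort.conf, so keep that file readable only by root and the user Snort drops to.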