Solved

Need to make snort log to mysql rather than default logs

Posted on 2005-05-06
Last Modified: 2011-09-20
Ok, I've managed to set up snort on my linux box (fedora core 3). I got it to run nicely and have everything but one thing set up, the logging. Right now it logs to /var/log/snort/alert and those other snort files. What I want it to do is to log to the mysql database. I've followed the instructions over the internet and the snort manual but I still have no luck. If you need to see the configuration file then ask away and I'll have it posted (with some minor editing with regards to passwords ;) ). No need to rush for this by the way.

--trigger-happy
Question by: trigger-happy
3 Comments
Accepted Solution by: ahoffmann (LVL 51), earned 1000 total points
ID: 13946874
> but i still have no luck.
Does this mean that you get no logging at all now?
Please post error messages from /var/log/messages
Author Comment by: trigger-happy (LVL 14)
ID: 13948195
Actually the logs work perfectly, but I want it to log into the mysql database rather than the normal log files.
Here's a section from the messages log when I start snort:

May  7 05:39:54 trigger kernel: device eth0 entered promiscuous mode
May  7 05:39:54 trigger snort: Initializing daemon mode
May  7 05:39:54 trigger snortd: snort startup succeeded
May  7 05:39:54 trigger snort: PID path stat checked out ok, PID path set to /var/run/
May  7 05:39:54 trigger snort: Writing PID "6554" to file "/var/run//snort_eth0.pid"
May  7 05:39:54 trigger snort: Parsing Rules file /etc/snort/snort.conf
May  7 05:39:54 trigger snort: ,-----------[Flow Config]----------------------
May  7 05:39:54 trigger snort: | Stats Interval:  0
May  7 05:39:54 trigger snort: | Hash Method:     2
May  7 05:39:54 trigger snort: | Memcap:          10485760
May  7 05:39:54 trigger snort: | Rows  :          4099
May  7 05:39:54 trigger snort: | Overhead Bytes:  16400(%0.16)
May  7 05:39:54 trigger snort: `----------------------------------------------
May  7 05:39:54 trigger snort: HttpInspect Config:
May  7 05:39:54 trigger snort:     GLOBAL CONFIG
May  7 05:39:54 trigger snort:       Max Pipeline Requests:    0
May  7 05:39:54 trigger snort:       Inspection Type:          STATELESS
May  7 05:39:54 trigger snort:       Detect Proxy Usage:       NO
May  7 05:39:54 trigger snort:       IIS Unicode Map Filename: /etc/snort/unicode.map
May  7 05:39:54 trigger snort:       IIS Unicode Map Codepage: 1252
May  7 05:39:54 trigger snort:     DEFAULT SERVER CONFIG:
May  7 05:39:54 trigger snort:       Ports: 80 8080 8180
May  7 05:39:54 trigger snort:       Flow Depth: 300
May  7 05:39:54 trigger snort:       Max Chunk Length: 500000
May  7 05:39:54 trigger snort:       Inspect Pipeline Requests: YES
May  7 05:39:54 trigger snort:       URI Discovery Strict Mode: NO
May  7 05:39:55 trigger snort:       Allow Proxy Usage: NO
May  7 05:39:55 trigger snort:       Disable Alerting: NO
May  7 05:39:55 trigger snort:       Oversize Dir Length: 500
May  7 05:39:55 trigger snort:       Only inspect URI: NO
May  7 05:39:55 trigger snort:       Ascii: YES alert: NO
May  7 05:39:55 trigger snort:       Double Decoding: YES alert: YES
May  7 05:39:55 trigger snort:       %U Encoding: YES alert: YES
May  7 05:39:55 trigger snort:       Bare Byte: YES alert: YES
May  7 05:39:55 trigger snort:       Base36: OFF
May  7 05:39:55 trigger snort:       UTF 8: OFF
May  7 05:39:55 trigger snort:       IIS Unicode: YES alert: YES
May  7 05:39:55 trigger snort:       Multiple Slash: YES alert: NO
May  7 05:39:55 trigger snort:       IIS Backslash: YES alert: NO
May  7 05:39:55 trigger snort:       Directory Traversal: YES alert: NO
May  7 05:39:55 trigger snort:       Web Root Traversal: YES alert: YES
May  7 05:39:55 trigger snort:       Apache WhiteSpace: YES alert: NO
May  7 05:39:55 trigger snort:       IIS Delimiter: YES alert: NO
May  7 05:39:55 trigger snort:       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
May  7 05:39:55 trigger snort:       Non-RFC Compliant Characters: NONE
May  7 05:39:55 trigger snort: rpc_decode arguments:
May  7 05:39:56 trigger snort:     Ports to decode RPC on: 111 32771
May  7 05:39:56 trigger snort:     alert_fragments: INACTIVE
May  7 05:39:56 trigger snort:     alert_large_fragments: ACTIVE
May  7 05:39:56 trigger snort:     alert_incomplete: ACTIVE
May  7 05:39:56 trigger snort:     alert_multiple_requests: ACTIVE
May  7 05:39:56 trigger snort: telnet_decode arguments:
May  7 05:39:56 trigger snort:     Ports to decode telnet on: 21 23 25 119
May  7 05:39:56 trigger snort: Portscan Detection Config:
May  7 05:39:56 trigger snort:     Detect Protocols:  TCP UDP ICMP IP
May  7 05:39:56 trigger snort:     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
May  7 05:39:56 trigger snort:     Sensitivity Level: Low
May  7 05:39:56 trigger snort:     Memcap (in bytes): 10000000
May  7 05:39:56 trigger snort:     Number of Nodes:   36900
May  7 05:39:56 trigger snort:
May  7 05:39:56 trigger snort: command line overrides rules file alert plugin!
May  7 05:39:57 trigger snort: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
May  7 05:39:57 trigger snort:
May  7 05:39:57 trigger snort: +-----------------------[thresholding-config]----------------------------------
May  7 05:39:57 trigger snort: | memory-cap : 1048576 bytes
May  7 05:39:57 trigger snort: +-----------------------[thresholding-global]----------------------------------
May  7 05:39:57 trigger snort: | none
May  7 05:39:57 trigger snort: +-----------------------[thresholding-local]-----------------------------------
May  7 05:39:57 trigger snort: | gen-id=1      sig-id=2496       type=Both      tracking=dst count=20  seconds=60
May  7 05:39:57 trigger snort: | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60
May  7 05:39:57 trigger snort: | gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60
May  7 05:39:57 trigger snort: | gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10
May  7 05:39:57 trigger snort: | gen-id=1      sig-id=2495       type=Both      tracking=dst count=20  seconds=60
May  7 05:39:57 trigger snort: | gen-id=1      sig-id=2494       type=Both      tracking=dst count=20  seconds=60
May  7 05:39:58 trigger snort: | gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60
May  7 05:39:58 trigger snort: +-----------------------[suppression]------------------------------------------
May  7 05:39:58 trigger snort: | none
May  7 05:39:58 trigger snort: +------------------------------------------------------------------------------
May  7 05:39:58 trigger snort: Rule application order: ->activation->dynamic->alert->pass->log
May  7 05:39:58 trigger snort: Log directory = /var/log/snort
May  7 05:39:58 trigger snort: Snort initialization completed successfully (pid=6554)


--trigger-happy
Author Comment by: trigger-happy (LVL 14)
ID: 13948541
Ok, never mind... I managed to solve it thanks to my talent in trial-and-error... I just needed to edit the startup script, do a recompile, and it worked nicely. Thanks for the reply though.

--trigger-happy
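The thread points at two reasons a Snort 2.x sensor keeps writing /var/log/snort/alert instead of using the "output database:" plugin: the startup script passes an alert mode on the command line (the "command line overrides rules file alert plugin!" line in the log above is Snort saying that -A/-s wins over snort.conf output plugins), or the binary was built without MySQL support and needs a rebuild. The following check script is an added example, not code from the thread; the file paths and the ALERTMODE variable that the Fedora snortd init script turns into "-A fast" are assumptions about that distribution's packaging.

```shell
#!/bin/sh
# Added example: diagnose why Snort ignores "output database:" in snort.conf.
# Prints one finding per line; returns 0 when none of the known causes is present.
# Paths and the ALERTMODE convention are assumptions (Fedora snortd init script).
snort_db_check() {
    conf="$1"       # e.g. /etc/snort/snort.conf
    sysconfig="$2"  # e.g. /etc/sysconfig/snort, sourced by /etc/init.d/snortd
    binary="$3"     # e.g. /usr/sbin/snort
    rc=0
    # 1. The database output plugin must actually be configured.
    if ! grep -Eq '^[[:space:]]*output[[:space:]]+database:' "$conf"; then
        echo "no 'output database:' line in $conf"; rc=1
    fi
    # 2. ALERTMODE=fast becomes "-A fast" on the command line, which Snort
    #    reports as "command line overrides rules file alert plugin!".
    if grep -Eq '^[[:space:]]*ALERTMODE=' "$sysconfig"; then
        echo "$sysconfig sets ALERTMODE; init script passes -A, overriding snort.conf output plugins"; rc=1
    fi
    # 3. An explicit -A or -s in the startup options has the same effect.
    if grep -Eq -- '(^|[[:space:]])-(A|s)([[:space:]]|$)' "$sysconfig"; then
        echo "$sysconfig passes -A/-s explicitly; remove it so snort.conf output plugins apply"; rc=1
    fi
    # 4. A binary built without --with-mysql is not linked against libmysqlclient.
    if [ -x "$binary" ] && ! ldd "$binary" 2>/dev/null | grep -q libmysqlclient; then
        echo "$binary is not linked against libmysqlclient; rebuild snort with --with-mysql"; rc=1
    fi
    return $rc
}
```

Run it as `snort_db_check /etc/snort/snort.conf /etc/sysconfig/snort /usr/sbin/snort` on the sensor; an empty output and exit status 0 mean none of the three causes applies.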