Javier Fernández-Sanguino Peña wrote:
> On Fri, May 01, 2009 at 12:12:09PM -0400, Jeff Green wrote:
>
>> The output database plugin is configured. If snort is started on the command
>> line, not as a daemon and with /etc/snort/snort.conf as the config file, then
>> the console messages indicate that the database plugin is invoked. However if
>> starting from /etc/init.d/snort startup file, then there is no indication of
>> the database plugin being seen, regardless of its daemon status. There is no
>> indication that the connect has failed because of credentials or privileges.
>
> When starting from /etc/init.d all snort messages are logged in syslog. Could
> you please review your /var/log/messages* files to see if you can find the
> Snort messages?
>
> Please send me any messages you see there that might be relevant to this
> issue.

The time that snort was "seemingly" connecting to the db had the below in its console output:

[...snip...]
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
3407 Snort rules read
    3407 detection rules
    0 decoder rules
    0 preprocessor rules
3407 Option Chains linked into 285 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Verifying Preprocessor Configurations!
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'community_uri.size.1050' is set but not ever checked.
Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
37 out of 512 flowbits in use.
Initializing Network Interface eth0
Decoding Ethernet on interface eth0
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = 192.168.2.7
database: sensor name = 68.114.59.137
database: sensor id = 3
database: schema version = 107
database: using the "log" facility
[...snip...]

While the times that showed no db connect had the following:

[...snip...]
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
3407 Snort rules read
    3407 detection rules
    0 decoder rules
    0 preprocessor rules
3407 Option Chains linked into 285 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Verifying Preprocessor Configurations!
Warning: flowbits key 'community_uri.size.1050' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
37 out of 512 flowbits in use.
Initializing Network Interface eth0
Decoding Ethernet on interface eth0
Preprocessor/Decoder Rule Count: 0
+--[Pattern Matcher:Aho-Corasick Summary]----------------------
[...snip...]

Same output in log files (which I had looked in).

regards,
-jeff