This is a discussion on snort+mysql+acid within the Linux Security forums, part of the System Security and Security Related category.
hello NG

I have snort (1.9.1-10) + mysql (3.23.55-14) + acid installed on a SuSE 8.2. My snort dumps only in the logs and nothing in the db. It was configured with mysql support, it connects to the db, but doesn't write anything. I think there is something with the permissions. On mysql I only use the user root, which has grant all on the snort db, and this is also set in the conf file. What permissions must I have to make snort dump the logs in the db?

Josephine
Make sure to adjust the snort.conf line on your sensor (if running multiple snorts) to ensure that [alert] is pointed to the sql db. There is a method for effectively teeing the alert text to both the syslog function and your protected mysql db, but it takes quite a bit to edit the default rulesets.

Portscan data is held locally on the sensor, and the only way I have found to have it "available" to the ACID platform/console is to do a cron job that does a temp NFS mount, then append (cat portscan.log >> portscan.log), then unmount. That way your portscan traffic is available for drill down/analysis. Hope this helps.

Bottom line, you have to tell snort to send [alert] to the mysql db vice the syslog subsystem.

Steve

In article <a349bfbd.0306271047.3c2642e8@posting.google.com>, "Josephine" <Josephine_k@arcor.de> wrote:

> hello NG
>
> have snort (1.9.1-10)+ mysql (3.23.55-14)+ acid installed on a suse
> 8.2. my snort dumps only in the logs and nothing in the db. it was
> configured with mysql support, it connects to the db, but doesn't write
> anything. i think there is something with the permissions. on mysql i
> only use the user root which has grant all on the snort db, and this
> also set in the conf file. what permissions must i have to make snort
> dump the logs in the db?
>
> Josephine