Snort mailing list archives

Re: Snort + Acid w/ MySQL question(s)


From: "alexus" <ml () db nexgen com>
Date: Sat, 12 May 2001 00:59:30 -0400

After I enable that debug, where should this debug go to? Some file? Or
where should I look for debug messages?

Here is the output from the mysql client:

mysql> show tables;
+------------------+
| Tables_in_alexus |
+------------------+
| acid_ag          |
| acid_ag_alert    |
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| sensor           |
| tcphdr           |
| udphdr           |
+------------------+
12 rows in set (0.00 sec)

mysql> desc iphdr;
+----------+----------------------+------+-----+---------+-------+
| Field    | Type                 | Null | Key | Default | Extra |
+----------+----------------------+------+-----+---------+-------+
| sid      | int(10) unsigned     |      | PRI | 0       |       |
| cid      | int(10) unsigned     |      | PRI | 0       |       |
| ip_src   | int(10) unsigned     |      | MUL | 0       |       |
| ip_src0  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_src1  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_src2  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_src3  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_dst   | int(10) unsigned     |      | MUL | 0       |       |
| ip_dst0  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_dst1  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_dst2  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_dst3  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_ver   | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_hlen  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_tos   | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_len   | smallint(5) unsigned | YES  |     | NULL    |       |
| ip_id    | smallint(5) unsigned | YES  |     | NULL    |       |
| ip_flags | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_off   | smallint(5) unsigned | YES  |     | NULL    |       |
| ip_ttl   | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_proto | tinyint(3) unsigned  |      |     | 0       |       |
| ip_csum  | smallint(5) unsigned | YES  |     | NULL    |       |
+----------+----------------------+------+-----+---------+-------+
22 rows in set (0.01 sec)

mysql>

----- Original Message -----
From: <roman () danyliw com>
To: "alexus" <ml () db nexgen com>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, May 11, 2001 8:16 PM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)


Sorry.  I forgot that you sent a URL a couple of messages ago.
I loaded 0.9.6b9 with a schema v0 database, and did not get
the error.

1.  Enable ACID debugging by changing $debug_mode=1
(in acid_conf.php)
2.  From the mysql client:

mysql> show tables;
mysql> desc iphdr;

Roman

What version of ACID are you running?  If you are not running
0.9.6b9, try upgrading.

Roman

Although a couple of things are still remaining/bothering me.

From acid_main.php:

Whenever I click on Source IP address or Dest IP address I get the
following error:

Database ERROR:Unknown column 'ip_src0' in 'field list'

What am I missing now?

----- Original Message -----
From: "alexus" <ml () db nexgen com>
To: <roman () danyliw com>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, May 11, 2001 10:15 PM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)


that's it! now it's working just fine! thanks a lot !

----- Original Message -----
From: <roman () danyliw com>
To: "alexus" <ml () db nexgen com>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, May 11, 2001 6:04 PM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)


This is because you are trying to redefine the built in facility
alert.  Scroll further down in the sample config file  until
you find the text:

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=root password=test dbname=snort17 host=localhost
# output database: log, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort

Uncomment and configure one of these database config lines.

Roman

If I change ruletype from redalert to alert or to log I get this:

......
Initializing rule chains...
ERROR line /usr/local/bin/snort.conf (215): Duplicate keyword: alert
su-2.04#


----- Original Message -----
From: <roman () danyliw com>
To: "alexus" <ml () db nexgen com>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, May 11, 2001 11:50 AM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)


Do you have rules which trigger on the facility "redalert"?  The
default rules typically are "alert" or "log".

Roman

I used this file to create the rest of the tables; now all tables seem to
be in place, although there are still some strange things happening:

When I go to http://box.nexgen.com/acid/

I don't see anything, I mean no data that snort should've put into the
database... any ideas?

That's the part of my snort.conf about the mysql db.

ruletype redalert
{
  type alert
  output alert_syslog: LOG_AUTH LOG_ALERT
  output database: log, mysql, user=xxx dbname=xxx host=localhost password=xxx
}


----- Original Message -----
From: <roman () danyliw com>
To: "alexus" <ml () db nexgen com>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, May 10, 2001 5:23 PM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)


OK, let's avoid the automated table creation for now.  Try running
the SQL manually (create_acid_tbls_mysql.sql)

Roman

mysql> select * from user where user='alexus';
+-----------------+------------------+
| Field           | Value            |
+-----------------+------------------+
| Host            | localhost        |
| User            | alexus           |
| Password        | 34484ed463a66850 |
| Select_priv     | Y                |
| Insert_priv     | Y                |
| Update_priv     | N                |
| Delete_priv     | Y                |
| Create_priv     | N                |
| Drop_priv       | N                |
| Reload_priv     | N                |
| Shutdown_priv   | N                |
| Process_priv    | N                |
| File_priv       | N                |
| Grant_priv      | N                |
| References_priv | N                |
| Index_priv      | N                |
| Alter_priv      | N                |
+-----------------+------------------+
1 row in set (0.00 sec)

mysql>


I copied and pasted the mysql output to show you that I do have all the
right privileges.

I also upgraded ACID to 0.9.6b9 (which is the latest beta as of today).

It still doesn't work.

----- Original Message -----
From: <roman () danyliw com>
To: "alexus" <ml () db nexgen com>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, May 10, 2001 11:18 AM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL
question(s)


One observation:

- ACID 0.9.5 does not use ADODB.  This DB abstraction was introduced
  in 0.9.6b2 (Jan 2001).  Hence, this addition into acid_conf.php
  will be ignored.

Two recommendations:

- are you sure that you have CREATE permissions on the DB user set in
  acid_conf.php?  If all else fails, try using the
  "create_acid_tbls_mysql.sql" to manually create the ACID tables.

- upgrade to a more recent version of ACID => 0.9.6b9.  There are
  significant feature improvements as well as bug fixes.  If you
  prefer an older version, upgrade to at least 0.9.6b1 for it has a
  number of important bug fixes

cheers,
Roman

I'm using the following:

FreeBSD 4.3 - RELEASE (STABLE)
ACID-0.9.5 - RELEASE (STABLE)
ADODB v1.0.1 - RELEASE (STABLE)
PHP - 4.0.5 - RELEASE (STABLE)
APACHE - 1.3.19 - RELEASE (STABLE)
SNORT - 1.7 - RELEASE (STABLE)

To compile snort I used the following line:
../configure --with-mysql=/usr/local/mysql;make;make install

I did change acid_conf.php, I put the path to adodb.  In adodb I put
the local path in adodb.inc.php.

When I go to http://localhost/acid it redirects me to acid_main.php and
when it gets there I get this:

The underlying database alexus@localhost appears to be invalid.

The database version is valid, but the ACID DB structure (table:
acid_ag) is not present. Use the Setup page to configure and optimize
the DB

When I click on "Setup page"

In the status window I get "DONE" for "Search Indexes" and I have
"Create ACID AG" for "ACID tables". I'm assuming I need to click on
"Create ACID AG"; when I do that nothing happens, it won't disappear or
it won't change status to "DONE".. what am I missing?




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:

http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users




---------------------------------------------
This message was sent using Voicenet WebMail.
      http://www.voicenet.com/webmail/
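
The checks Roman walks alexus through above (CREATE permission for the account named in acid_conf.php, creating the ACID tables by hand, and confirming that Snort's database output plugin is attached to rules that actually fire) can all be done from the mysql client in a few statements. What follows is an added example, not code from the original posts or from the Snort or ACID projects. It assumes a database named snort and two placeholder accounts, snort and acid, with placeholder passwords; the privilege split (the Snort logger needs only SELECT and INSERT, ACID's Setup page additionally needs CREATE and INDEX, plus UPDATE and DELETE for alert-group management) is my reading of what the thread describes and should be checked against README.database and the ACID documentation for your versions. The GRANT ... IDENTIFIED BY form is the MySQL 3.23/4.x syntax of the era; on MySQL 8 create the account with CREATE USER first.

```sql
-- Added example, not from the thread. The database name (snort), the
-- accounts (snort, acid) and the passwords are placeholders.

-- 1. Two accounts instead of one all-purpose login.
--    Snort only writes alerts: SELECT (sensor lookup) and INSERT.
--    ACID's Setup page creates acid_ag / acid_ag_alert and the search
--    indexes, so it also needs CREATE and INDEX; alert-group management
--    needs UPDATE and DELETE. Assumed privilege set; verify per version.
GRANT SELECT, INSERT
  ON snort.* TO 'snort'@'localhost' IDENTIFIED BY 'change-me-snort';

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX
  ON snort.* TO 'acid'@'localhost' IDENTIFIED BY 'change-me-acid';

FLUSH PRIVILEGES;

-- 2. Check what each account really has. Selecting only the *_priv
--    columns keeps the dump readable and keeps the Password hash
--    column out of anything pasted to a mailing list.
SELECT Host, User, Select_priv, Insert_priv, Update_priv, Delete_priv,
       Create_priv, Index_priv
  FROM mysql.user
 WHERE User IN ('snort', 'acid');

-- mysql.user holds only global privileges. The row posted in the thread
-- shows Create_priv = N there, but a grant scoped to snort.* as above
-- lives in mysql.db instead, so SHOW GRANTS is the reliable check.
SHOW GRANTS FOR 'acid'@'localhost';

-- 3. Is Snort actually logging? An empty event table means the problem
--    is in snort.conf (for example an output plugin attached only to a
--    custom ruletype that no rule uses), not in ACID.
SELECT s.sid, s.hostname, s.interface, COUNT(*) AS alerts
  FROM event e JOIN sensor s ON s.sid = e.sid
 GROUP BY s.sid, s.hostname, s.interface;

-- Most recent alerts, decoding the packed 32-bit addresses that the
-- iphdr schema shown above stores in ip_src / ip_dst.
SELECT e.sid, e.cid, e.timestamp, e.signature,
       INET_NTOA(i.ip_src) AS src, INET_NTOA(i.ip_dst) AS dst, i.ip_proto
  FROM event e JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
 ORDER BY e.timestamp DESC
 LIMIT 10;
```

Two points a practitioner would want from this. The sample snort.conf line quoted above logs as the MySQL root user with password test; the line you uncomment should name a dedicated account such as the snort user here, with nothing beyond SELECT and INSERT on the one database, so a compromised sensor cannot alter or delete the evidence it has logged. And the `select * from user` dump posted in the thread includes the Password column; selecting the privilege columns explicitly avoids publishing a password hash to a public archive.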








Current thread: