Snort mailing list archives
Re: Snort + Acid w/ MySQL question(s)
From: "alexus" <ml () db nexgen com>
Date: Sat, 12 May 2001 00:59:30 -0400
after i enable that debug.. where should this debug go to? some file? or where should i look for debug messages? here is from mysql client mysql> show tables; +------------------+ | Tables_in_alexus | +------------------+ | acid_ag | | acid_ag_alert | | data | | detail | | encoding | | event | | icmphdr | | iphdr | | opt | | sensor | | tcphdr | | udphdr | +------------------+ 12 rows in set (0.00 sec) mysql> desc iphdr; +----------+----------------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +----------+----------------------+------+-----+---------+-------+ | sid | int(10) unsigned | | PRI | 0 | | | cid | int(10) unsigned | | PRI | 0 | | | ip_src | int(10) unsigned | | MUL | 0 | | | ip_src0 | tinyint(3) unsigned | YES | | NULL | | | ip_src1 | tinyint(3) unsigned | YES | | NULL | | | ip_src2 | tinyint(3) unsigned | YES | | NULL | | | ip_src3 | tinyint(3) unsigned | YES | | NULL | | | ip_dst | int(10) unsigned | | MUL | 0 | | | ip_dst0 | tinyint(3) unsigned | YES | | NULL | | | ip_dst1 | tinyint(3) unsigned | YES | | NULL | | | ip_dst2 | tinyint(3) unsigned | YES | | NULL | | | ip_dst3 | tinyint(3) unsigned | YES | | NULL | | | ip_ver | tinyint(3) unsigned | YES | | NULL | | | ip_hlen | tinyint(3) unsigned | YES | | NULL | | | ip_tos | tinyint(3) unsigned | YES | | NULL | | | ip_len | smallint(5) unsigned | YES | | NULL | | | ip_id | smallint(5) unsigned | YES | | NULL | | | ip_flags | tinyint(3) unsigned | YES | | NULL | | | ip_off | smallint(5) unsigned | YES | | NULL | | | ip_ttl | tinyint(3) unsigned | YES | | NULL | | | ip_proto | tinyint(3) unsigned | | | 0 | | | ip_csum | smallint(5) unsigned | YES | | NULL | | +----------+----------------------+------+-----+---------+-------+ 22 rows in set (0.01 sec) mysql> ----- Original Message ----- From: <roman () danyliw com> To: "alexus" <ml () db nexgen com> Cc: <snort-users () lists sourceforge net> Sent: Friday, May 11, 2001 8:16 PM Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
Sorry. I forgot that you sent a URL a couple of messages ago. I loaded 0.9.6b9 with a schema v0 database, and did not get the error. 1. Enable ACID debugging by changing $debug_mode=1 (in acid_conf.php) 2. From the mysql client: mysql> show tables; mysql> desc iphdr; RomanWhat version of ACID are you running. If you are not running 0.9.6b9, try to upgrading. Romanalthough couple thing still remaining/bothering me from acid_main.php whenever I click on Source IP address or Dest IP address I get
following
error: Database ERROR:Unknown column 'ip_src0' in 'field list' what am I missing now? ----- Original Message ----- From: "alexus" <ml () db nexgen com> To: <roman () danyliw com> Cc: <snort-users () lists sourceforge net> Sent: Friday, May 11, 2001 10:15 PM Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)that's it! now it's working just fine! thanks a lot ! ----- Original Message ----- From: <roman () danyliw com> To: "alexus" <ml () db nexgen com> Cc: <snort-users () lists sourceforge net> Sent: Friday, May 11, 2001 6:04 PM Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)This is because you are trying to redefine the built in facility alert. Scroll further down in the sample config file until you find the text: # database: log to a variety of databases # --------------------------------------- # See the README.database file for more information about
configuring
# and using this plugin. # # output database: log, mysql, user=root password=test
dbname=snort17
host=localhost# output database: log, postgresql, user=snort dbname=snort # output database: log, unixodbc, user=snort dbname=snort Uncomment and configure one of these database config lines. Romanif i change ruletype from redalert to alert or to log i get this ...... Initializing rule chains... ERROR line /usr/local/bin/snort.conf (215): Duplicate keyword:
alert
su-2.04# ----- Original Message ----- From: <roman () danyliw com> To: "alexus" <ml () db nexgen com> Cc: <snort-users () lists sourceforge net> Sent: Friday, May 11, 2001 11:50 AM Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)Do you have rules which trigger on the facility "redalert".
The
default rules typically are "alert" or "log". Romani used this file to create rest of tables, now all tables
seems to
beinplace although still there are some strange things are happening: when i go to http://box.nexgen.com/acid/ i dont see anything anything, i mean no data, that snort
should've
putintodatabase... any ideas? that's part of my snort.conf about mysql db. ruletype redalert { type alert output alert_syslog: LOG_AUTH LOG_ALERT output database: log, mysql, user=xxx dbname=xxx
host=localhost
password=xxx } ----- Original Message ----- From: <roman () danyliw com> To: "alexus" <ml () db nexgen com> Cc: <snort-users () lists sourceforge net> Sent: Thursday, May 10, 2001 5:23 PM Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)OK, lets avoid the automated table creation for now. Tryrunningthe SQL manually (create_acid_tbls_mysql.sql) Romanmysql> select * from user where user='alexus';
+-----------+--------+------------------+-------------+-------------+-------
------+-------------+-------------+-----------+-------------+---------------
+--------------+-----------+------------+-----------------+------------+----
--------+ | Host | User | Password | Select_priv |Insert_priv|Update_priv | Delete_priv | Create_priv | Drop_priv |Reload_priv |Shutdown_priv | Process_priv | File_priv | Grant_priv |References_priv|Index_priv | Alter_priv |
+-----------+--------+------------------+-------------+-------------+-------
------+-------------+-------------+-----------+-------------+---------------
+--------------+-----------+------------+-----------------+------------+----
--------+ | localhost | alexus | 34484ed463a66850 | Y |
Y
| N| Y | N | N | N |
N
|N| N | N | N | N
| N
|
+-----------+--------+------------------+-------------+-------------+-------
------+-------------+-------------+-----------+-------------+---------------
+--------------+-----------+------------+-----------------+------------+----
--------+ 1 row in set (0.00 sec) mysql> i copy and paste mysql output to show you that i do have
all
rightprivileges i also upgrade acid to 0.9.6b9 (which is latest beta fortoday)it still doesn't work ----- Original Message ----- From: <roman () danyliw com> To: "alexus" <ml () db nexgen com> Cc: <snort-users () lists sourceforge net> Sent: Thursday, May 10, 2001 11:18 AM Subject: Re: [Snort-users] Snort + Acid w/ MySQL
question(s)
One observation: - ACID 0.9.5 does not use ADODB. This DB abstraction
was
introduced in 0.9.6b2 (Jan 2001). Hence, this
addition into
acid_conf.php will be ignored. Two recommendations: - are you sure that you have CREATE permissions on the
DB
user set in acid_conf.php? If all else fails, try
using the
"create_acid_tbls_mysql.sql" to manually create the
ACID
tables. - upgrade to a more recent version of ACID => 0.9.6b9.Thereare significant feature improvements as well as bug
fixes.
Ifyouprefer an older version, upgrade to at least 0.9.6b1
for it
hasa number of important bug fixes cheers, RomanI'm using the following: FreeBSD 4.3 - RELEASE (STABLE) ACID-0.9.5 - RELEASE (STABLE) ADODB v1.0.1 - RELEASE (STABLE) PHP - 4.0.5 - RELEASE (STABLE) APACHE - 1.3.19 - RELEASE (STABLE) SNORT - 1.7 - RELEASE (STABLE) to compile snort i used following line: ../configure --with-mysql=/usr/local/mysql;make;makeinstalli did change acid_conf.php i put path to adodb in adodb i put local path in adodb.inc.php when i go to http://localhost/acid it redirects me
to
acid_main.phpandwhenit gets there i get this: The underlying database alexus@localhost apears to
be
invalid.The database version is valid, but the ACID DB
structure
(table:acid_ag) isnot present. Use the Setup page to configure and
optimize
the DBwhen i click on "Setup page" in status window i get "DONE" for "Search Indexes"
and i
have"CreateACIDAG" for "ACID tables" i'm assuming i need to click
on
"CreateACIDAG",whenI do that nothing happenes, it won't disappear or it
won't
changestatusto"DONE".. what am i missing? _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or
unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--------------------------------------------- This message was sent using Voicenet WebMail. http://www.voicenet.com/webmail/--------------------------------------------- This message was sent using Voicenet WebMail. http://www.voicenet.com/webmail/_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users--------------------------------------------- This message was sent using Voicenet WebMail. http://www.voicenet.com/webmail/_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users--------------------------------------------- This message was sent using Voicenet WebMail. http://www.voicenet.com/webmail/--------------------------------------------- This message was sent using Voicenet WebMail. http://www.voicenet.com/webmail/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users--------------------------------------------- This message was sent using Voicenet WebMail. http://www.voicenet.com/webmail/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Snort + Acid w/ MySQL question(s), (continued)
- Re: Snort + Acid w/ MySQL question(s) roman (May 10)
- Re: Snort + Acid w/ MySQL question(s) alexus (May 11)
- Re: Snort + Acid w/ MySQL question(s) roman (May 11)
- Re: Snort + Acid w/ MySQL question(s) alexus (May 11)
- Re: Snort + Acid w/ MySQL question(s) alexus (May 11)
- Re: Snort + Acid w/ MySQL question(s) alexus (May 11)
- Re: Snort + Acid w/ MySQL question(s) roman (May 11)
- Re: Snort + Acid w/ MySQL question(s) roman (May 11)
- Re: Snort + Acid w/ MySQL question(s) roman (May 11)
- Re: Snort + Acid w/ MySQL question(s) alexus (May 11)
- Re: Snort + Acid w/ MySQL question(s) alexus (May 11)
- Re: Snort + Acid w/ MySQL question(s) roman (May 11)
- Re: Snort + Acid w/ MySQL question(s) alexus (May 11)
- Re: Snort + Acid w/ MySQL question(s) alexus (May 11)
- Re: Snort + Acid w/ MySQL question(s) roman (May 13)
- Re: Snort + Acid w/ MySQL question(s) alexus (May 13)