Snort mailing list archives
Re: Snort + Acid w/ MySQL question(s)
From: roman () danyliw com
Date: Sun, 13 May 2001 22:44:43 US/Eastern
I checked. It would appear that debug mode has not been turned on. Did you set the "$debug_mode" variable to "1" in acid_conf.php?
$debug_mode=1;
Roman
oh and i turn on debug=1 http://box.nexgen.com/acid/

----- Original Message -----
From: <roman () danyliw com>
To: "alexus" <ml () db nexgen com>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, May 11, 2001 9:22 PM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)

The debug information will be generated inline to the response page. Everything is browser based.

Roman

after i enable that debug.. where should this debug go to? some file? or where should i look for debug messages?

here is from mysql client

mysql> show tables;
+------------------+
| Tables_in_alexus |
+------------------+
| acid_ag          |
| acid_ag_alert    |
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| sensor           |
| tcphdr           |
| udphdr           |
+------------------+
12 rows in set (0.00 sec)

mysql> desc iphdr;
+----------+----------------------+------+-----+---------+-------+
| Field    | Type                 | Null | Key | Default | Extra |
+----------+----------------------+------+-----+---------+-------+
| sid      | int(10) unsigned     |      | PRI | 0       |       |
| cid      | int(10) unsigned     |      | PRI | 0       |       |
| ip_src   | int(10) unsigned     |      | MUL | 0       |       |
| ip_src0  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_src1  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_src2  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_src3  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_dst   | int(10) unsigned     |      | MUL | 0       |       |
| ip_dst0  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_dst1  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_dst2  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_dst3  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_ver   | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_hlen  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_tos   | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_len   | smallint(5) unsigned | YES  |     | NULL    |       |
| ip_id    | smallint(5) unsigned | YES  |     | NULL    |       |
| ip_flags | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_off   | smallint(5) unsigned | YES  |     | NULL    |       |
| ip_ttl   | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_proto | tinyint(3) unsigned  |      |     | 0       |       |
| ip_csum  | smallint(5) unsigned | YES  |     | NULL    |       |
+----------+----------------------+------+-----+---------+-------+
22 rows in set (0.01 sec)

mysql>

----- Original Message -----
From: <roman () danyliw com>
To: "alexus" <ml () db nexgen com>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, May 11, 2001 8:16 PM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)

Sorry. I forgot that you sent a URL a couple of messages ago. I loaded 0.9.6b9 with a schema v0 database, and did not get the error.

1. Enable ACID debugging by changing $debug_mode=1 (in acid_conf.php)
2. From the mysql client:
   mysql> show tables;
   mysql> desc iphdr;

Roman

What version of ACID are you running? If you are not running 0.9.6b9, try upgrading.

Roman

although a couple of things are still remaining/bothering me from acid_main.php: whenever I click on Source IP address or Dest IP address I get the following error:

Database ERROR:Unknown column 'ip_src0' in 'field list'

what am I missing now?

----- Original Message -----
From: "alexus" <ml () db nexgen com>
To: <roman () danyliw com>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, May 11, 2001 10:15 PM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)

that's it! now it's working just fine! thanks a lot !

----- Original Message -----
From: <roman () danyliw com>
To: "alexus" <ml () db nexgen com>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, May 11, 2001 6:04 PM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)

This is because you are trying to redefine the built-in facility alert. Scroll further down in the sample config file until you find the text:

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=root password=test dbname=snort17 host=localhost
# output database: log, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort

Uncomment and configure one of these database config lines.

Roman

if i change ruletype from redalert to alert or to log i get this......

Initializing rule chains...
ERROR line /usr/local/bin/snort.conf (215): Duplicate keyword: alert
su-2.04#

----- Original Message -----
From: <roman () danyliw com>
To: "alexus" <ml () db nexgen com>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, May 11, 2001 11:50 AM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)

Do you have rules which trigger on the facility "redalert"? The default rules typically are "alert" or "log".

Roman

i used this file to create rest of tables, now all tables seem to be in place, although still there are some strange things happening: when i go to http://box.nexgen.com/acid/ i don't see anything, i mean no data that snort should've put into database... any ideas? that's the part of my snort.conf about mysql db.

ruletype redalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=xxx dbname=xxx host=localhost password=xxx
}

----- Original Message -----
From: <roman () danyliw com>
To: "alexus" <ml () db nexgen com>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, May 10, 2001 5:23 PM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)

OK, let's avoid the automated table creation for now. Try running the SQL manually (create_acid_tbls_mysql.sql)

Roman

mysql> select * from user where user='alexus';
+-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| Host      | User   | Password         | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
+-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| localhost | alexus | 34484ed463a66850 | Y           | Y           | N           | Y           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
+-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
1 row in set (0.00 sec)

mysql>

i copy and paste mysql output to show you that i do have all the right privileges

i also upgraded acid to 0.9.6b9 (which is the latest beta for today)

it still doesn't work

----- Original Message -----
From: <roman () danyliw com>
To: "alexus" <ml () db nexgen com>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, May 10, 2001 11:18 AM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)

One observation:

- ACID 0.9.5 does not use ADODB. This DB abstraction was introduced in 0.9.6b2 (Jan 2001). Hence, this addition into acid_conf.php will be ignored.

Two recommendations:

- are you sure that you have CREATE permissions on the DB user set in acid_conf.php? If all else fails, try using the "create_acid_tbls_mysql.sql" to manually create the ACID tables.

- upgrade to a more recent version of ACID => 0.9.6b9. There are significant feature improvements as well as bug fixes. If you prefer an older version, upgrade to at least 0.9.6b1, for it has a number of important bug fixes

cheers,
Roman

I'm using the following:

FreeBSD 4.3 - RELEASE (STABLE)
ACID-0.9.5 - RELEASE (STABLE)
ADODB v1.0.1 - RELEASE (STABLE)
PHP - 4.0.5 - RELEASE (STABLE)
APACHE - 1.3.19 - RELEASE (STABLE)
SNORT - 1.7 - RELEASE (STABLE)

to compile snort i used the following line:

./configure --with-mysql=/usr/local/mysql; make; make install

i did change acid_conf.php: i put the path to adodb
in adodb i put the local path in adodb.inc.php

when i go to http://localhost/acid it redirects me to acid_main.php and when it gets there i get this:

The underlying database alexus@localhost appears to be invalid. The database version is valid, but the ACID DB structure (table: acid_ag) is not present. Use the Setup page to configure and optimize the DB

when i click on "Setup page" in the status window i get "DONE" for "Search Indexes" and i have "Create ACID AG" for "ACID tables"

i'm assuming i need to click on "Create ACID AG"; when I do that nothing happens, it won't disappear or it won't change status to "DONE".. what am i missing?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

---------------------------------------------
This message was sent using Voicenet WebMail.
http://www.voicenet.com/webmail/
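The two snort.conf problems worked through in this thread (a ruletype that redefines the built-in alert action, which Snort rejects with "Duplicate keyword", and an output database plugin reachable only through a ruletype that no rule uses, so ACID sees no events) as a small configuration checker. This is an added example, not code from the thread, Snort or ACID; the sample config fragments are constructed and the parse_conf/check_conf names are my own.

```python
import re
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
RULE_RE = re.compile(r"^(\w+)\s+(tcp|udp|icmp|ip)\s", re.I)  # "<action> <proto> ..."

def parse_conf(text):
    # Returns (ruletype bodies, actions used by rules, top-level "output database:" lines).
    ruletypes, actions, top_outputs, current = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out "output database:" line is inactive
        if line.startswith("ruletype "):
            current = line.split()[1].rstrip("{")
            ruletypes[current] = []
        elif current is not None:  # inside a ruletype { ... } block
            closes = line.endswith("}")
            line = line.rstrip("}").strip()
            if line and line != "{":
                ruletypes[current].append(line)
            if closes:
                current = None
        elif line.startswith("output database:"):
            top_outputs.append(line)
        elif RULE_RE.match(line):
            actions.append(RULE_RE.match(line).group(1))
    return ruletypes, actions, top_outputs

def check_conf(text):
    # Lists the misconfigurations that keep Snort events out of the ACID database.
    ruletypes, actions, top_outputs = parse_conf(text)
    findings, db_active = [], bool(top_outputs)
    for name, body in ruletypes.items():
        if name in BUILTIN_ACTIONS:  # Snort rejects this with "Duplicate keyword: <name>"
            findings.append(f"ruletype '{name}' redefines a built-in action")
        has_db = any(b.startswith("output database:") for b in body)
        if has_db and name in actions:
            db_active = True
        elif has_db:
            findings.append(f"ruletype '{name}' logs to a database but no rule uses action '{name}'")
    if not db_active:
        findings.append("no active output database plugin: ACID will show no events")
    return findings
# Constructed fragments modelled on the thread's snort.conf, not the poster's real file.
BROKEN_CONF = """ruletype redalert {
  type alert
  output database: log, mysql, user=xxx dbname=xxx host=localhost password=xxx
}
# output database: log, mysql, user=root password=test dbname=snort17 host=localhost
alert tcp any any -> any 80 (msg:"constructed web probe"; content:"/cgi-bin/";)"""
REDEFINED_CONF = BROKEN_CONF.replace("redalert", "alert")  # the "Duplicate keyword" case
FIXED_CONF = BROKEN_CONF.replace("\n# output", "\noutput").replace("alert tcp", "redalert tcp")
```

Running check_conf over a real snort.conf before starting Snort gives the same two answers Roman arrived at by hand: either uncomment a top-level output database line, or make sure some rule actually uses the custom ruletype.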