Snort mailing list archives
RE: Access denied for user: '@192.168.0.1' -SNORT-
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Tue, 11 Feb 2003 16:36:22 -0500
I too thought that the '-v' parameter might override the output plugins in snort.conf. But when I quickly checked the ParseCmdLine() function in the 1.9.0 source, I didn't see pv.alert_cmd_override being set to '1' for the '-v' parameter -- the only thing set is 'pv.verbose_flag = 1'. So I figured that 'v'erbose mode didn't necessarily disable the output plugins. Also, usually when the output plugins are overridden, Snort displays a message to the console.

Is this a BUG?!

- Christopher

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Tuesday, February 11, 2003 4:13 PM
To: mike Hughes
Cc: snort-users () lists sourceforge net; CLuther () Xybernaut com; bkarnold () cbu edu
Subject: Re: [Snort-users] RE: Access denied for user: '@192.168.0.1' -SNORT-

On Tue, 11 Feb 2003, mike Hughes wrote:

> What's up.. Alright, this is where I am right now.... I ran this command on my Linux machine:
>
>     snort-mysql+flexresp -v -c /etc/snort/snort.conf
>
> I get NO error messages; here is the output:

[...snip...]

Wrong. You do get an error message.

    ERROR spp_arpspoof /etc/snort/snort.conf(40) => Cannot initialize arpspoof_detect_host without arpspoof

But that's not your problem. See below.

[...snip...]

> Snort analyzed 3 out of 3 packets, dropping 0(0.000%) packets
>
> Breakdown by protocol:                Action Stats:
>     TCP: 0          (0.000%)          ALERTS: 0
>     UDP: 0          (0.000%)          LOGGED: 0
>    ICMP: 0          (0.000%)          PASSED: 0
>     ARP: 3          (100.000%)
>   EAPOL: 0          (0.000%)
>    IPv6: 0          (0.000%)
>     IPX: 0          (0.000%)
>   OTHER: 0          (0.000%)
> DISCARD: 0          (0.000%)

[...snip...]

> 02/11-12:17:55.633645 ARP who-has 152.178.7.78 tell 152.178.0.254
> 02/11-12:17:58.850208 ARP who-has 152.178.7.78 tell 152.178.0.254
> 02/11-12:18:01.941099 ARP who-has 152.178.36.185 tell 152.178.0.254
>
> ------> And then it keeps logging traffic to my screen

Right. Snort did exactly what it was supposed to. It saw three ARP packets and displayed them to the screen. No problem.

> Now how can I test that it is going into my database on my Windows machine? What are some commands I can run on MySQL on my Windows machine (192.168.0.69)?

[...snip...]

If you'll check the docs you'll find a statement that says "Command line options override snort.conf settings." Since you told Snort to display/alert to the stdout device with "-v", it's skipping your output db line in snort.conf.

Enable the ping rules and then login to a route-server (route-server.exodus.net) and ping your box. "Bing" -- alert generated and sent to the DB, if you've set up the DB correctly.

Hope that helps!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
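The command-line-override question raised in this thread, as an added illustration (this is not Snort's source, nor anything posted by the list members): a hypothetical C model of the two pv flags that ParseCmdLine() is described as setting. It assumes, following the thread's reading of the 1.9.0 code, that -v sets only pv.verbose_flag, while an explicit alert-mode switch (modelled here as -A <mode>, an assumption) is what sets pv.alert_cmd_override and prints the console notice.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of Snort 1.9's "pv" program-variable flags as the
 * thread describes them; an added illustration, not Snort's own code. */
struct pv {
    int verbose_flag;        /* -v: print decoded packets to stdout */
    int alert_cmd_override;  /* assumed: set by -A <mode>, replaces config outputs */
    const char *config_file; /* -c <file> */
};

/* Walk argv the way ParseCmdLine() is described: -v only sets verbose_flag. */
static int parse_cmdline(int argc, char **argv, struct pv *out)
{
    memset(out, 0, sizeof *out);
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-v") == 0) {
            out->verbose_flag = 1;               /* no alert_cmd_override here */
        } else if (strcmp(argv[i], "-A") == 0 && i + 1 < argc) {
            out->alert_cmd_override = 1;         /* assumption: explicit alert mode */
            i++;                                 /* skip the mode argument */
        } else if (strcmp(argv[i], "-c") == 0 && i + 1 < argc) {
            out->config_file = argv[++i];
        } else {
            return -1;                           /* unknown option for this model */
        }
    }
    return 0;
}

/* snort.conf output plugins (e.g. "output database: ...") stay active unless the
 * command line overrode them; the override is announced on the console. */
static int config_outputs_active(const struct pv *p)
{
    if (p->alert_cmd_override) {
        fprintf(stderr, "note: command-line alert mode overrides snort.conf output plugins\n");
        return 0;
    }
    return 1;
}

int main(void)
{
    char *argv_v[] = {"snort", "-v", "-c", "/etc/snort/snort.conf"};  /* constructed */
    struct pv p;
    parse_cmdline(4, argv_v, &p);
    printf("-v -c: verbose=%d override=%d config outputs active=%d\n",
           p.verbose_flag, p.alert_cmd_override, config_outputs_active(&p));
    return 0;
}
```

Under this model the "-v -c snort.conf" invocation from the thread leaves the database output plugin active, which is the point Christopher's source reading makes; only the explicit override path prints the console notice he says was absent.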