RE: mysql.sock

[PPowenski () oag com]

I am having serious problems with this 2.0.2 release. 
been working with snort since 1.8x.

The problem I encountered was 
built snort with --with-mysql no directory ref and this made no difference.
installed mysql 4.0.15 and it setup the mysql.sock in
/var/lib/mysql/mysql.sock

had problems with snort putting events and logs in /var/log but only a
fraction into the database.
made some progress but then decided to rebuild on the suggestion of one of
the papers to build with
./configure --with-mysql=/usr/local/mysql

after the rebuild acid was having problems with mysql and stated it could
not find the socket ref in /tmp/mysql.sock changed /etc/my.cnf to align this
up then acid started complaining that adodb was hopelessly confused.

Looked at this for quite some time then discovered /etc/php.ini had a ref
for it but 'supposedly' was to use the my.cnf if no variable was set in this
file.
Put in /tmp/mysql.sock into /etc/php.ini then acid began to function.

put in a few alerts then stopped completely.
ran tcpdump and plenty of traffic coming down the wire.
have another ids in place with snort and the detects occurring with snort is
not right.

looking at it now.

will figure it all out but found all of this very annoying and it must be
very very hard for those who are not familiar with linux or systems..

just m2c.....
Paul


-----Original Message-----
From: Erek Adams [mailto:erek () snort org] 
Sent: 03 October 2003 07:22
To: Chris Feldmann
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] mysql.sock


On Fri, 3 Oct 2003, Chris Feldmann wrote:

> I'm going to get flamed and pointed sneeringly to some FAQ, I fear 
> (probably to 8.1, but I can hold my own), because I'm sure I've seen 
> this here or somewhere, but here goes:

Nope.  We never sneer.  We just simply giggle and point at the drinking
game. ;-)

[...snip...]

> ERROR: database: mysql_error: Can't connect to local MySQL server 
> through socket '/var/lib/mysql/mysql.sock' (2)
>
> The consensus on the web is that this is a permissions problem, but 
> I'm sure I have my owners and groups for the mysql subdirs correctly 
> assigned to root and mysql respectively. I'll post ls -l output for 
> whatever, though; just ask. The most obvious source of the problem is 
> that mysql.sock does not exist in /var/lib/mysql or anywhere else. 
> Someone suggested ./configure --with-unix-socket-path=/path in the 
> mysql build, but that was a non-starter (to quote Ari Fleischer). 
> Snort was running fine until I decided I wanted to get all fancy with 
> a database and ACID, but those binary logs are so hard to parse.

I'd say you're well on your way to solving the problem.  Keep up the good
work.

Cheers!


Oh, wait...  You actually wanted an answer?  Ohhhh...  Sorry. ;-)  (Hey,
it's late, I gotta have fun where I can!)

Most likely is that MySQL happens to be using /tmp/mysql.sock instead of
/var/lib/mysql/mysql.sock.

You say that using the "--with-unix-socket-path=" option is a 'non starter'.
I'm not to clear on that.  Care to elaborate a bit more on that?

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf _______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users