Snort mailing list archives
ICMP PING speedera
From: "Bruno Gimenes Pereti" <pereti () ump edu br>
Date: Thu, 18 Oct 2001 13:35:40 -0300
What does "ICMP PING speedera" do? I have a lot of them and never worried about them because they don't look harmful. But yesterday my bind started dying every hour, and snort got just this alert and "WEB-MISC http directory traversal" (I commented out the web-iis.alert from my snort.conf).

Here is the description of one packet (got from ACID):

IP:
- Ver: 4
- HdrLen: 5
- TOS: 0
- Length: 84
- ID: 304
- flags: 0
- offset: 0
- TTL: 49
- checksum: 63772

ICMP:
- type: Echo Request
- code: 0
- checksum: 422
- id: 21114
- seq: 52203

The payload: length = 56

000 : 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 ................
010 : 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 ........ !"#$%&'
020 : 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 ()*+,-./01234567
030 : 38 39 3A 3B 3C 3D 3E 3F 89:;<=>?

Thank you all.
Bruno Gimenes Pereti.

----- Original Message -----
From: "Erwin Fok" <Erwin () fox-it com>
To: <snort-users () lists sourceforge net>
Sent: Thursday, October 18, 2001 11:36 AM
Subject: RE: [Snort-users] Configure MySQL for multiple snort sensors
Ok! What I think u need to do is the following:

shell> mysql --user=root mysql
mysql> INSERT INTO user VALUES('localhost','monty',PASSWORD('some_pass'), 'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
mysql> FLUSH PRIVILEGES;

where in localhost u put the IP of the sensor. Also u need to install some MYSQL files on the sensor which are needed for Snort to run. After that it should work. Or it worked for me!

Please report back if this fixed u problem. So we can see all the solutions to problems. So other people can also make use of them.

Greetings,

- ---
Erwin Fok                     t 015 - 21 21 907
Fox-IT Forensic IT Experts    f 015 - 21 21 964
Oude Delft 47                 e erwin () fox-it com
2611 BC Delft                 i www.fox-it.com

-----Original message-----
From: Joe Pampel [mailto:joe () ardsley com]
Sent: Wednesday, 17 October 2001 19:17
To: snort-users () lists sourceforge net
Subject: [Snort-users] Configure MySQL for multiple snort sensors

Hi -

I've been trying to get multiple snort sensors to log to a mysql database, with no luck so far. I edited the mysql ini file to show the database binding to the machine's IP (not localhost) and using port 3306. In snort.conf I use the same settings (database at that IP..) and I created a user on the DB which takes the form of "sensorname@192.168.0.1".

What I get when I try to fire up the sensor is an error message which says "database: my_sql error: Access denied for user: 'sensorname@<ip address>' (Using password: YES) Fatal Error. Quitting.

Now I have set passwords, I did create the user in MySQL.. (maybe I did it wrong?) I went through the Snort FAQ and found nothing on multiple sensor setups. (ideally I'd like to run 4 or more of them).

For now the system (snort/mysql/acid) is running under Win32 until I can get my 'nix up to speed. (I'm having trouble with the libpcap install ok?) It runs great as one local sensor reporting to localhost, but now I want *more*.. Anyhow I would imagine the config issue is common to both platforms.

Any pointers, links to docs, cruel mocking laughter, etc all appreciated. If I find any I'll post them to the list. I'm currently looking at http://www.mysql.com/doc/A/c/Access_denied.html and am hoping it will do the trick but am really hoping to find something snort specific..

TIA,
Joe

btw Snort with the ACID frontend has been a real lifesaver around here for me. One thing I didn't expect from it was that it catches odd situations on my network and helps me proactively fix problems while they are small.. a nice extra..

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
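Added example, not part of the original message and not Snort or ACID code: a triage sketch for the packet quoted above that rebuilds the payload from the ACID dump rows, checks that the length fields agree (IP Length 84, HdrLen 5, payload 56), and tests whether the payload is a fixed incrementing byte ramp rather than variable data. The function names are hypothetical.

```python
import re

# Payload rows copied from the ACID output quoted in the message above.
ACID_DUMP = """
000 : 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 ................
010 : 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 ........ !"#$%&'
020 : 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 ()*+,-./01234567
030 : 38 39 3A 3B 3C 3D 3E 3F 89:;<=>?
"""
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

def parse_acid_dump(text, declared_len):
    """Rebuild payload bytes from 'offset : hex bytes ascii' rows."""
    payload = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        offset, rest = line.split(":", 1)
        if int(offset, 16) != len(payload):
            raise ValueError("row offset %s does not follow previous row" % offset.strip())
        # At most 16 bytes per row; this bound keeps the ASCII column out.
        want = min(16, declared_len - len(payload))
        for tok in rest.split()[:want]:
            if not HEX_BYTE.match(tok):
                break
            payload.append(int(tok, 16))
    if len(payload) != declared_len:
        raise ValueError("got %d bytes, header says %d" % (len(payload), declared_len))
    return bytes(payload)

def length_consistent(ip_total_len, ip_hdr_words, payload):
    """IP total length = IP header (32-bit words) + 8-byte ICMP echo header + data."""
    return ip_total_len == ip_hdr_words * 4 + 8 + len(payload)

def ramp_start(payload):
    """Return the first byte if every byte is previous+1 (mod 256), else None."""
    if not payload:
        return None
    for prev, cur in zip(payload, payload[1:]):
        if cur != (prev + 1) & 0xFF:
            return None
    return payload[0]

if __name__ == "__main__":
    data = parse_acid_dump(ACID_DUMP, 56)
    print("length fields agree:", length_consistent(84, 5, data))
    print("ramp starts at: 0x%02X" % ramp_start(data))
```

For this packet the fields agree and every payload byte equals its offset plus 8, so the payload is fully determined by its length and first byte.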
Current thread:
- Configure MySQL for multiple snort sensors Joe Pampel (Oct 17)
- <Possible follow-ups>
- RE: Configure MySQL for multiple snort sensors Erwin Fok (Oct 18)
- ICMP PING speedera Bruno Gimenes Pereti (Oct 18)
- Re: ICMP PING speedera Chris Green (Oct 18)
- Re: ICMP PING speedera Bruno Gimenes Pereti (Oct 18)
- Re: ICMP PING speedera Byron York (Oct 18)
- ICMP PING speedera Bruno Gimenes Pereti (Oct 18)
- Re: Configure MySQL for multiple snort sensors james (Oct 18)
- Re: Configure MySQL for multiple snort sensors A.J. Weinzettel (Oct 18)
- Re: Configure MySQL for multiple snort sensors roman (Oct 19)