Snort mailing list archives

RE: Problems starting Snort 1.9.0 on RH 8.0


From: "Scott, Joshua" <Joshua.Scott () Jacobs com>
Date: Mon, 4 Nov 2002 13:36:38 -0800

Did you make sure that the table structure exists properly and that the
created user has the necessary permissions?
 
 
Joshua Scott
Security Systems Analyst, CISSP
626-568-7024

-----Original Message-----
From: Sawall, Christopher L [mailto:CSawall () ameren com] 
Sent: Monday, November 04, 2002 1:02 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Problems starting Snort 1.9.0 on RH 8.0




I am having trouble getting Snort to start.  Any help would be greatly
appreciated. 

Config: 
RedHat 8.0 
Snort 1.9.0 
MySQL 3.23.53a 

I created a user with all the rights to try and make sure that it would
work: 
mysql -u root -p{password} snort 
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost; 

I checked the database and made sure that the "sensor" table exists. 

I try to start Snort: 
/etc/snort# snort -d -c ./snort.conf 

The following is the error I am receiving: 

Initializing Output Plugins! 
Log directory = /var/log/snort 

Initializing Network Interface eth0 

        --== Initializing Snort ==-- 
Decoding Ethernet on interface eth0 
Initializing Preprocessors! 
Initializing Plug-ins! 
Parsing Rules file ./snort.conf 

+++++++++++++++++++++++++++++++++++++++++++++++++++ 
Initializing rule chains... 
No arguments to frag2 directive, setting defaults to: 
    Fragment timeout: 60 seconds 
    Fragment memory cap: 4194304 bytes 
    Fragment min_ttl:   0 
    Fragment ttl_limit: 5 
    Fragment Problems: 0 
Stream4 config: 
    Stateful inspection: ACTIVE 
    Session statistics: INACTIVE 
    Session timeout: 30 seconds 
    Session memory cap: 8388608 bytes 
    State alerts: INACTIVE 
    Evasion alerts: INACTIVE 
    Scan alerts: ACTIVE 
    Log Flushed Streams: INACTIVE 
    MinTTL: 1 
    TTL Limit: 5 
    Async Link: 0 
No arguments to stream4_reassemble, setting defaults: 
     Reassemble client: ACTIVE 
     Reassemble server: INACTIVE 
     Reassemble ports: 21 23 25 53 80 143 110 111 513 
     Reassembly alerts: ACTIVE 
     Reassembly method: FAVOR_OLD 
http_decode arguments: 
    Unicode decoding 
    IIS alternate Unicode decoding 
    IIS double encoding vuln 
    Flip backslash to slash 
    Include additional whitespace separators 
    Ports to decode http on: 80 
rpc_decode arguments: 
    Ports to decode RPC on: 111 32771 
telnet_decode arguments: 
    Ports to decode telnet on: 21 23 25 119 
Conversation Config: 
   KeepStats: 0 
   Conv Count: 32000 
   Timeout   : 60 
   Alert Odd?: 0 
   Allowed IP Protocols:  All 

Portscan2 config: 
    log: /var/log/snort/scan.log 
    scanners_max: 3200 
    targets_max: 5000 
    target_limit: 5 
    port_limit: 20 
    timeout: 60 
database: compiled support for ( mysql ) 
database: configured to use mysql 
database:          user = snort 
database: password is set 
database: database name = snort 
database:          host = localhost 
database:   sensor name = 10.70.2.252 
database: mysql_error: Duplicate entry '0' for key 1 
SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid) VALUES ('10.70.2.252','eth0','1','0', '0') 
database: Problem obtaining SENSOR ID (sid) from snort->sensor 

 When this plugin starts, a SELECT query is run to find the sensor id for the
 currently running sensor. If the sensor id is not found, the plugin will run
 an INSERT query to insert the proper data and generate a new sensor id. Then a
 SELECT query is run to get the newly allocated sensor id. If that fails then
 this error message is generated.

 Some possible causes for this error are:
  * the user does not have proper INSERT or SELECT privileges
  * the sensor table does not exist

 If you are _absolutely_ certain that you have the proper privileges set and
 that your database structure is built properly please let me know if you
 continue to get this error. You can contact me at (roman () danyliw com).

Fatal Error, Quitting.. 

Thanks, 
Chris 
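
Added example, not part of the thread and not Snort's own code: a Python sketch of the SELECT / INSERT / SELECT lookup that the error text describes, with SQLite standing in for MySQL. It assumes (the thread does not confirm this) a sensor table whose sid key lacks auto-increment and already holds a row for another sensor, which is one way an INSERT that omits sid can collide on key value 0; the schemas, the lookup query and the first sensor row are constructed.

```python
import sqlite3

# Constructed schemas (assumptions, not from the thread). SQLite stands in for
# MySQL: "INT ... DEFAULT 0 PRIMARY KEY" mimics a key column created without
# AUTO_INCREMENT, so an INSERT that omits sid stores 0.
COLS = "hostname TEXT, interface TEXT, detail INT, encoding INT, last_cid INT"
NO_AUTOINC = f"CREATE TABLE sensor (sid INT NOT NULL DEFAULT 0 PRIMARY KEY, {COLS})"
AUTOINC = f"CREATE TABLE sensor (sid INTEGER PRIMARY KEY AUTOINCREMENT, {COLS})"

# Hypothetical lookup; the INSERT has the column list shown in the logged SQL.
SELECT = ("SELECT sid FROM sensor WHERE hostname=? AND interface=? "
          "AND detail=? AND encoding=?")
INSERT = ("INSERT INTO sensor (hostname, interface, detail, encoding, last_cid) "
          "VALUES (?, ?, ?, ?, 0)")

def obtain_sensor_id(db, hostname, interface, detail=1, encoding=0):
    """SELECT the sid; if absent, INSERT the sensor and SELECT again."""
    key = (hostname, interface, detail, encoding)
    row = db.execute(SELECT, key).fetchone()
    if row is None:
        db.execute(INSERT, key)  # raises IntegrityError on a duplicate key
        row = db.execute(SELECT, key).fetchone()
    if row is None:
        raise RuntimeError("could not obtain sensor id")
    return row[0]

def run(schema, sensors):
    """Register each sensor in turn; return the sid or the database error."""
    db = sqlite3.connect(":memory:")
    db.execute(schema)
    results = []
    for hostname, interface in sensors:
        try:
            results.append(obtain_sensor_id(db, hostname, interface))
        except sqlite3.IntegrityError as exc:
            results.append(f"error: {exc}")
    return results

# First entry is a constructed earlier sensor; second is the one in the log.
SENSORS = [("old-sensor", "eth0"), ("10.70.2.252", "eth0")]

if __name__ == "__main__":
    print("sid without auto-increment:", run(NO_AUTOINC, SENSORS))
    print("sid with auto-increment:   ", run(AUTOINC, SENSORS))
```

On the MySQL side, `DESCRIBE sensor;` shows in its Extra column whether the key carries auto_increment.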

