Snort mailing list archives

Access denied for user: '@192.168.0.1' -SNORT-

From: "mike Hughes" <mikehughes013 () hotmail com>
Date: Mon, 10 Feb 2003 12:46:51 -0800

Whats up guys...i am folowing this as my refernce:
http://www.sans.org/rr/intrusion/practical_guide.php

Im on the second to last step and am stuck and cant figure it out...Im anoob to mysql tooo im getting this error:database: mysql_error: Access denied for user: '@192.168.0.1' to database'snort'

Fatal Error, Quitting..

here is the whole error:

192.168.0.69 is windows machine (whereim managing snort)
192.168.0.1 is my LAN interface eth1
eth0 is my internet interface
snort-mysql+flexresp v c /etc/snort/snort.conf

Initializing Output Plugins!
Log directory = /var/log/snort

Initializing Network Interface eth0 #<-----this is my INTERNET interfaceeth0 and eth1 is my ####################### lan interface


--== Initializing Snort ==--
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

++++++++++++++++++++++++++++++++++++++++++++++++++
+
Initializing rule chains...
http_decode arguments:
Unicode decoding
IIS alternate Unicode decoding
IIS double encoding vuln
Flip backslash to slash
Include additional whitespace separators
Ports to decode http on: 80
rpc_decode arguments:
Ports to decode RPC on: 111 32771
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
Reassembly method: FAVOR_OLD
Conversation Config:
KeepStats: 0
Conv Count: 32000
Timeout : 60
Alert Odd?: 0
Allowed IP Protocols: All

Portscan2 config:
log: /var/log/snort/scan.log
scanners_max: 3200
targets_max: 5000
target_limit: 5
port_limit: 20
timeout: 60
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119

ERROR spp_arpspoof /etc/snort/snort.conf(39) => Cannot initializearpspoof_detect_host without arpspoof

database: compiled support for ( mysql )
database: configured to use mysql
database: database name = snort
database: user = sensor1
database: host = 192.168.0.69
database: port = 3306
database: sensor name = Sensor1
database: detail level = full

database: mysql_error: Access denied for user: '@192.168.0.1' to database'snort'

Fatal Error, Quitting..

How can i debug this and try to figure out what setting is worng???And howdo i make sure my SQL setting are right im not familiar with the commandsany help on how i can try to debug this??? Here is my /etc/snort.conffile:

#--------------------------------------------------
# http://www.activeworx.com Snort 1.9.0 Ruleset
# IDS Policy Manager Version: 1.3 Build(40)
# Current Database Updated -- Feb 10, 2003 2:08 AM
#--------------------------------------------------
#
## Variables
## ---------
var HOME_NET [192.168.0.0/24]
#var HOME_NET $eth0_ADDRESS
#var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS [192.168.0.1/24]
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
#var HTTP_PORTS 8081
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521

var AIM_SERVERS[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

var RULE_PATH /etc/snort
#
## Preprocessor Support
## --------------------

preprocessor http_decode: 80 unicode iis_alt_unicode double_encodeiis_flip_slash full_whitespace

preprocessor rpc_decode: 111 32771
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
#preprocessor portscan: $HOME_NET 4 3 portscan.log
#preprocessor portscan-ignorehosts: 0.0.0.0

preprocessor conversation: allowed_ip_protocols all, timeout 60,max_conversations 32000preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5,port_limit 20, timeout 60

preprocessor frag2
preprocessor telnet_decode
#preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
#
#
## Output Modules
## --------------

output database: log, mysql, dbname=snort user=sensor1 host=192.168.0.69port=3306 sensor_name=Sensor1 detail=full

#output log_tcpdump: tcpdump.log
#output xml: Log, file=/var/log/snortxml
#output log_unified: filename snort.log, limit 128
#
#output alert_syslog: LOG_AUTH LOG_ALERT
#output alert_unified: filename snort.alert, limit 128

#output trap_snmp: alert, 7, inform -v 3 -p 999 -l authPriv -u snortUser -xDES -X "" -a SHA -A "" myTrapListener

#
## Custom Rules
## ------------
#ruletype suspicious
#{
# type log
# output log_tcpdump: suspicious.log
#}
#ruletype redalert
#{
# type alert
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort dbname=snort host=localhost
#}
#
## Custom Lines
## ------------
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
#
## Include Files
## -------------
include classification.config
#
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/porn.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules


And my snort file on my windows machine is:
Here is my the conf file on my WINDOWS MACHINE:
#--------------------------------------------------
# http://www.snort.org Snort 1.9.0 Ruleset
# Contact: snort-sigs () lists sourceforge net
#--------------------------------------------------
# NOTE:This ruleset only works for 1.9.0 and later
#--------------------------------------------------
# $Id: snort.conf,v 1.110 2002/08/14 03:17:58 chrisgreen Exp $
#
##################################################
#
# This file contains a sample snort configuration.
# You can take the following steps to create your
# own custom configuration:
#
# 1) Set the network variables for your network
# 2) Configure preprocessors
# 3) Configure output plugins
# 4) Customize your rule set
#
##################################################
#
# Step #1: Set the network variables:
#
# You must change the following variables to reflect
# your local network. The variable is currently
# setup for an RFC 1918 address space.
#
# You can specify it explicitly as:
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS
# which will be always initialized to IP address and
# netmask of the network interface which you run
# snort at.
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:

var HOME_NET any

# Set up the external network addresses as well.
# A good start may be "any"

var EXTERNAL_NET any

# Configure your server lists. This allows snort to only look for attacks
# to systems that have a service up. Why look for HTTP attacks if you are

# not running a web server? This allows quick filtering based on IPaddresses

# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# Configure your service ports. This allows snort to look for attacks
# destined to a specific application only on the ports that application
# runs on. For example, if you run a web server on port 8081, set your
# HTTP_PORTS variable like this:
#
# var HTTP_PORTS 8081
#

# Port lists must either be continuous [eg 80:8080], or a single port [eg80].

# We will adding support for a real list of ports in the future.

# Ports you run web servers on
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

# other variables
#
# AIM servers. AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of
# servers.

var AIM_SERVERS[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]


# Path to your rules files (this can be a relative path)
var RULE_PATH ../rules

##################################################
#
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of
# the form
# preprocessor <name_of_processor>: <configuration_options>

# frag2: IP defragmentation support
# -------------------------------

# This preprocessor performs IP defragmentation. This plugin will alsodetect

# people launching fragmentation attacks (usually DoS) against hosts. No
# arguments loads the default configuration of the preprocessor, which is a
# 60 second timeout and a 4MB fragment buffer.

# The following (comma delimited) options are available for frag2
# timeout [seconds] - sets the number of [seconds] than an unfinished
# fragment will be kept around waiting for completion,
# if this time expires the fragment will be flushed
# memcap [bytes] - limit frag2 memory usage to [number] bytes
# (default: 4194304)
#
# min_ttl [number] - minimum ttl to accept
#
# ttl_limit [number] - difference of ttl to accept without alerting
# will cause false positves with router flap
#
# Frag2 uses Generator ID 113 and uses the following SIDS
# for that GID:
# SID Event description
# ----- -------------------
# 1 Oversized fragment (reassembled frag > 64k bytes)
# 2 Teardrop-type attack

preprocessor frag2

# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat
# stick/snot against TCP rules. Also performs full TCP stream
# reassembly, stateful inspection of TCP streams, etc. Can statefully
# detect various portscan types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)
# options (options are comma delimited):
# detect_scans - stream4 will detect stealth portscans and generate alerts
# when it sees them when this option is set
# detect_state_problems - detect TCP state problems, this tends to be very
# noisy because there are a lot of crappy ip stack
# implementations out there
#
# disable_evasion_alerts - turn off the possibly noisy mitigation of
# overlapping sequences.
#
#
# min_ttl [number] - set a minium ttl that snort will accept to
# stream reassembly
#
# ttl_limit [number] - differential of the initial ttl on a session versus
# the normal that someone may be playing games.
# Routing flap may cause lots of false positives.
#
# keepstats [machine|binary] - keep session statistics, add "machine" to
# get them in a flat format for machine reading, add
# "binary" to get them in a unified binary output
# format
# noinspect - turn off stateful inspection only
# timeout [number] - set the session timeout counter to [number] seconds,
# default is 30 seconds
# memcap [number] - limit stream4 memory usage to [number] bytes
# log_flushed_streams - if an event is detected on a stream this option will
# cause all packets that are stored in the stream4
# packet buffers to be flushed to disk. This only
# works when logging in pcap mode!
#
# Stream4 uses Generator ID 111 and uses the following SIDS
# for that GID:
# SID Event description
# ----- -------------------
# 1 Stealth activity
# 2 Evasive RST packet
# 3 Evasive TCP packet retransmission
# 4 TCP Window violation
# 5 Data on SYN packet
# 6 Stealth scan: full XMAS
# 7 Stealth scan: SYN-ACK-PSH-URG
# 8 Stealth scan: FIN scan
# 9 Stealth scan: NULL scan
# 10 Stealth scan: NMAP XMAS scan
# 11 Stealth scan: Vecna scan
# 12 Stealth scan: NMAP fingerprint scan stateful detect
# 13 Stealth scan: SYN-FIN scan
# 14 TCP forward overlap

preprocessor stream4: detect_scans, disable_evasion_alerts

# tcp stream reassembly directive
# no arguments loads the default configuration
# Only reassemble the client,
# Only reassemble the default list of ports (See below),
# Give alerts for "bad" streams
#
# Available options (comma delimited):
# clientonly - reassemble traffic for the client side of a connection only
# serveronly - reassemble traffic for the server side of a connection only
# both - reassemble both sides of a session
# noalerts - turn off alerts from the stream reassembly stage of stream4
# ports [list] - use the space separated list of ports in [list], "all"
# will turn on reassembly for all ports, "default" will turn
# on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
# and 513

preprocessor stream4_reassemble

# http_decode: normalize HTTP requests
# ------------------------------------
# http_decode normalizes HTTP requests from remote
# machines by converting any %XX character
# substitutions to their ASCII equivalent. This is
# very useful for doing things like defeating hostile
# attackers trying to stealth themselves from IDSs by
# mixing these substitutions in with the request.
# Specify the port numbers you want it to analyze as arguments.
#
# Major code cleanups thanks to rfp
#
# unicode - normalize unicode
# iis_alt_unicode - %u encoding from iis
# double_encode - alert on possible double encodings
# iis_flip_slash - normalize \ as /
# full_whitespace - treat \t as whitespace ( for apache )
#
# for that GID:
# SID Event description
# ----- -------------------
# 1 UNICODE attack
# 2 NULL byte attack

preprocessor http_decode: 80 unicode iis_alt_unicode double_encodeiis_flip_slash full_whitespace


# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual
# 4-byte encoding that is used by default. This preprocessor
# normalized RPC traffic in much the same way as the http_decode
# preprocessor. This plugin takes the ports numbers that RPC
# services are running on as arguments.
# The RPC decode preprocessor uses generator ID 106 and does not
# generate any SIDs at this time.

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network. This preprocessor
# uses the Back Orifice "encryption" algorithm to search for
# traffic conforming to the Back Orifice protocol (not BO2K).
# This preprocessor can take two arguments. The first is "-nobrute"
# which turns off the plugin's brute forcing routine (brute forces
# the key space of the protocol to find BO traffic). The second
# argument that can be passed to the routine is a number to use
# as the default key when trying to decrypt the traffic. The
# default value is 31337 (just like BO). Be aware that turning on
# the brute forcing option runs the risk of impacting the overall
# performance of Snort, you've been warned...
#
# The Back Orifice detector uses Generator ID 105 and uses the
# following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Back Orifice traffic detected

preprocessor bo: -nobrute

# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from
# telnet and ftp traffic. It works in much the same way as the
# http_decode preprocessor, searching for traffic that breaks up
# the normal data stream of a protocol and replacing it with
# a normalized representation of that traffic so that the "content"
# pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.
# Portscan uses Generator ID 109 and does not generate any SID currently.

preprocessor telnet_decode

# Portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen () linuxrc net>
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings.
# Portscan uses Generator ID 100 and uses the following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Portscan detect
# 2 Inter-scan info
# 3 Portscan End

# preprocessor portscan: $HOME_NET 4 3 portscan.log

# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can all multiple hosts/networks
# in a whitespace-delimited list.
#
#preprocessor portscan-ignorehosts: 0.0.0.0

# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# unicast ARP requests, and specific ARP mapping monitoring. To make use

# of this preprocessor you must specify the IP and hardware address of hostson # the same layer 2 segment as you. Specify one host IP MAC combo perline.

# Also takes a "-unicast" option to turn on unicast ARP request detection.
# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Unicast ARP request
# 2 Etherframe ARP mismatch (src)
# 3 Etherframe ARP mismatch (dst)
# 4 ARP cache overwrite attack

#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

# ASN1 Decode
#-----------------------------------------
# This is an experimental preprocessor. ASN.1 decoder and analysis plugin
# from Andrew R. Baker. This preprocessor will detect abuses of the ASN.1
# protocol that higher level protocols (like SSL, SNMP, x.509, etc) rely on.
# The ASN.1 decoder uses Generator ID 115 and uses the following SIDs for
# that GID:
# SID Event description
# ----- -------------------
# 1 Indefinite length
# 2 Invalid length
# 3 Oversized item
# 4 ASN.1 specification violation
# 5 Dataum bad length

preprocessor asn1_decode

# Fnord
#-----------------------------------------
# This is an experimental preprocessor. Polymorphic shellcode analyzer and
# detector by Dragos Ruiu. This preprocessor will watch traffic for

# polymorphic NOP-type sleds to defeat tools like ADMutate. The Fnorddetector

# uses Generator ID 114 and the following SIDs:
# SID Event description
# ----- -------------------
# 1 NOP-sled detected

# preprocessor fnord

# Conversation
#------------------------------------------
# This preprocessor tracks conversations for tcp, udp and icmp traffic. It
# is a prerequisite for running portscan2.
#
# allowed_ip_protcols 1 6 17
# list of allowed ip protcols ( defaults to any )
#
# timeout [num]
# conversation timeout ( defaults to 60 )
#
#
# max_conversations [num]
# number of conversations to support at once (defaults to 65335)
#
#
# alert_odd_protocols
# alert on protocols not listed in allowed_ip_protocols

preprocessor conversation: allowed_ip_protocols all, timeout 60,max_conversations 32000


# Portscan2
#-------------------------------------------
# Portscan 2, detect portscans in a new and exciting way.
#
# Available options:
# scanners_max [num]
# targets_max [num]
# target_limit [num]
# port_limit [num]
# timeout [num]
# log [logdir]

preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5,port_limit 20, timeout 60


# Experimental Perf stats
# -----------------------
# No docs. Highly subject to change.
#
# preprocessor perfmonitor: console flow events time 10

##################################################
##################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments
#
# output alert_syslog: LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#

# output database: log, mysql, user=root password=test dbname=dbhost=localhost

# output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test

# xml: xml logging
# ----------------
# See the README.xml file for more information about configuring
# and using this plugin.
#
# output xml: log, file=/var/log/snortxml

# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging
# and generating alerts from Snort, the "unified" format. The
# unified format is a straight binary format for logging data
# out of Snort that is designed to be fast and efficient. Used
# with barnyard (the new alert/log processor), most of the overhead
# for logging and alerting to various slow storage mechanisms
# such as databases or the network can now be avoided.
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
# filename - base filename to write to (current time_t is appended)
# limit - maximum size of spool file in MB (default: 128)
#
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128

# trap_snmp: SNMP alerting for Snort
# -------------------------------------------------------------
# Read the README.SNMP file for more information on enabling and using this
# plug-in.
#
#

#The trap_snmp plugin accepts the following notification options
# [c],[p[m|s]]
# where,
# c : Generate compact notifications. (Saves on bandwidth by
# not reporting MOs for which values are unknown, not
# available or, not applicable). By default this option is reset.
# p : Generate a print of the invariant part of the offending packet.
# This can be used to track the packet across the Internet.
# By default this option is reset.
# m : Use the MD5 algorithm to generate the packet print.
# By default this algorithm is used.
# s : Use the SHA1 algorithm to generate the packet print.
#
# The trap_snmp plugin requires several parameters
# The parameters depend on the Snmpversion that is used (specified)
# For the SNMPv2c case the parameters will be as follows
# alert, <sensorID>, [NotificationOptions] ,
# {trap|inform} -v <SnmpVersion> -p <portNumber> <hostName> <community>
#
# For SNMPv2c traps with MD5 digest based packetPrint generation
#
# output trap_snmp: alert, 7, cpm, trap -v 2c myTrapListener myCommunity
#
# For SNMPv2c informs with the 'compact' notification option
#
#output trap_snmp: alert, 7, c, inform -v 2c myTrapListener myCommunity
#
#
# For SNMPv3 traps with
# security name = snortUser
# security level = authentication and privacy
# authentication parameters :
# authentication protocol = SHA ,
# authentication pass phrase = SnortAuthPassword
# privacy (encryption) parameters
# privacy protocol = DES,
# privacy pass phrase = SnortPrivPassword
#

#output trap_snmp: alert, 7, trap -v 3 -u snortUser -l authPriv -a SHA -ASnortAuthPassword -x DES -X SnortPrivPassword myTrapListener

#For SNMPv3 informs with authentication and encryption

#output trap_snmp: alert, 7, inform -v 3 -u snortUser -l authPriv -a SHA -ASnortAuthPassword -x DES -X SnortPrivPassword myTrapListener


# You can optionally define new rule types and associate one or
# more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
# type log
# output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server"
#
# This example will create a rule type that will log to syslog
# and a mysql database.
# ruletype redalert
# {
# type alert
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE

# redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is beingLEET"; \

# flags:A+

#
# Include classification & priority settings
#

include classification.config

#
# Include reference systems
#

include reference.config

##################################################
##################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own
# custom snort rules.
#
# The rules included with this distribution generate alerts based on
# on suspicious activity. Depending on your network environment, your
# security policies, and what you consider to be suspicious, some of
# these rules may either generate false positives ore may be detecting
# activity you consider to be acceptable; therefore, you are
# encouraged to comment out rules that are not applicable in your
# environment.
#
# Note that using all of the rules at the same time may lead to
# serious packet loss on slower machines. YMMV, use with caution,
# standard disclaimers apply.
#
# The following individuals contributed many of rules in this
# distribution.
#
# Credits:
# Ron Gula <rgula () securitywizards com> of Network Security Wizards
# Max Vision <vision () whitehats com>
# Martin Markgraf <martin () mail du gtn com>
# Fyodor Yarochkin <fygrave () tigerteam net>
# Nick Rogness <nick () rapidnet com>
# Jim Forster <jforster () rapidnet com>
# Scott McIntyre <scott () whoi edu>
# Tom Vandepoel <Tom.Vandepoel () ubizen com>
# Brian Caswell <bmc () snort org>
# Zeno <admin () cgisecurity com>
# Ryan Russell <ryan () securityfocus com>
#
#=========================================
# Include all relevant rulesets here
#
# shellcode, policy, info, backdoor, and virus rulesets are
# disabled by default. These require tuning and maintance.
# Please read the included specific file for more information.
#=========================================

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

When i created the sensor on the windows mysql i named itsensor1@172.75.76.154 <----i name dit my eth0 interface my internet ipaddress was that suppose to be there or was it suppose to me the ip of myLAN interface????






_________________________________________________________________

STOP MORE SPAM with the new MSN 8 and get 2 months FREE*http://join.msn.com/?page=features/junkmail




-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Access denied for user: '@192.168.0.1' -SNORT- mike Hughes (Feb 10)
- Re: Access denied for user: '@192.168.0.1' -SNORT- Kenneth G. Arnold (Feb 10)
- <Possible follow-ups>
- Re: Access denied for user: '@192.168.0.1' -SNORT- mike Hughes (Feb 10)
  - Re: Access denied for user: '@192.168.0.1' -SNORT- twig les (Feb 10)
- RE: Access denied for user: '@192.168.0.1' -SNORT- Schmehl, Paul L (Feb 10)
- Re: Access denied for user: '@192.168.0.1' -SNORT- mike Hughes (Feb 10)
  - Re: Access denied for user: '@192.168.0.1' -SNORT- twig les (Feb 10)
  - Re: Access denied for user: '@192.168.0.1' -SNORT- Kenneth G. Arnold (Feb 10)
    - RE: Access denied for user: '@192.168.0.1' -SNORT- Michael Steele (Feb 10)
    - ACID - Which Database? Yaakov Yehudi (Feb 11)
    - Re: ACID - Which Database? Ken Gunderson (Feb 11)

(Thread continues...)