Snort mailing list archives

Re: Access denied for user: '@192.168.0.1' -SNORT-


From: "mike Hughes" <mikehughes013 () hotmail com>
Date: Tue, 11 Feb 2003 12:21:50 -0800

What's up..

Alright, this is where I am right now... I ran this command on my Linux machine:

snort-mysql+flexresp -v -c /etc/snort/snort.conf

I get NO error messages; here is the output:

Initializing Output Plugins!
Log directory = /var/log/snort

Initializing Network Interface eth0

      --== Initializing Snort ==--
Decoding Ethernet on interface eth0
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Initializing Preprocessors!
Initializing Plug-ins!
http_decode arguments:
  Unicode decoding
  IIS alternate Unicode decoding
  IIS double encoding vuln
  Flip backslash to slash
  Include additional whitespace separators
  Ports to decode http on: 80
rpc_decode arguments:
  Ports to decode RPC on: 111 32771
Stream4 config:
  Stateful inspection: ACTIVE
  Session statistics: INACTIVE
  Session timeout: 30 seconds
  Session memory cap: 8388608 bytes
  State alerts: INACTIVE
  Evasion alerts: INACTIVE
  Scan alerts: ACTIVE
  Log Flushed Streams: INACTIVE
  MinTTL: 1
  TTL Limit: 5
  Async Link: 0
No arguments to stream4_reassemble, setting defaults:
   Reassemble client: ACTIVE
   Reassemble server: INACTIVE
   Reassemble ports: 21 23 25 53 80 143 110 111 513
   Reassembly alerts: ACTIVE
   Reassembly method: FAVOR_OLD
Conversation Config:
 KeepStats: 0
 Conv Count: 32000
 Timeout   : 60
 Alert Odd?: 0
 Allowed IP Protocols:  All

Portscan2 config:
  log: /var/log/snort/scan.log
  scanners_max: 3200
  targets_max: 5000
  target_limit: 5
  port_limit: 20
  timeout: 60
No arguments to frag2 directive, setting defaults to:
  Fragment timeout: 60 seconds
  Fragment memory cap: 4194304 bytes
  Fragment min_ttl:   0
  Fragment ttl_limit: 5
  Fragment Problems: 0
telnet_decode arguments:
  Ports to decode telnet on: 21 23 25 119
ERROR spp_arpspoof /etc/snort/snort.conf(40) => Cannot initialize arpspoof_detect_host without arpspoof
database: compiled support for ( mysql )
database: configured to use mysql
database: database name = snort
database:          user = sensor1
database:          host = 192.168.0.69
database:          port = 3306
database:   sensor name = Sensor1
database: detail level  = full
database:     sensor id = 1
database: schema version = 106
database: using the "log" facility
1225 Snort rules read...
1225 Option Chains linked into 124 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order:
      --== Initialization Complete ==--

-*> Snort! <*-
Version 1.9.0 (Build 209)
By Martin Roesch (roesch () sourcefire com, www.snort.org)


===============================================================================
Snort analyzed 3 out of 3 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
  TCP: 0          (0.000%)          ALERTS: 0
  UDP: 0          (0.000%)          LOGGED: 0
 ICMP: 0          (0.000%)          PASSED: 0
  ARP: 3          (100.000%)
EAPOL: 0          (0.000%)
 IPv6: 0          (0.000%)
  IPX: 0          (0.000%)
OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Wireless Stats:
Breakdown by type:
  Management Packets: 0          (0.000%)
  Control Packets:    0          (0.000%)
  Data Packets:       0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
  Fragment Trackers: 0
 Rebuilt IP Packets: 0
 Frag elements used: 0
Discarded(incomplete): 0
 Discarded(timeout): 0
Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
      TCP Packets Used: 0          (0.000%)
       Stream Trackers: 0
        Stream flushes: 0
         Segments used: 0
 Stream4 Memory Faults: 0
===============================================================================
->activation->dynamic->alert->pass->log
02/11-12:17:55.633645 ARP who-has 152.178.7.78 tell 152.178.0.254

02/11-12:17:58.850208 ARP who-has 152.178.7.78 tell 152.178.0.254

02/11-12:18:01.941099 ARP who-has 152.178.36.185 tell 152.178.0.254

------>And then it keeps logging traffic to my screen

Now, how can I test that it is going into my database on my Windows machine? What are some commands I can run on MySQL on my Windows machine (192.168.0.69)?

Here is my /etc/snort/snort.conf file:

#--------------------------------------------------
# http://www.activeworx.com Snort 1.9.0 Ruleset
# IDS Policy Manager Version: 1.3 Build(40)
# Current Database Updated -- Feb 10, 2003 2:08 AM
#--------------------------------------------------
#
## Variables
## ---------
var HOME_NET [192.168.0.0/24]
#var HOME_NET $eth0_ADDRESS
#var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS [192.168.0.1/24]
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
#var HTTP_PORTS 8081
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort
#
## Preprocessor Support
## --------------------
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
#preprocessor portscan: $HOME_NET 4 3 portscan.log
#preprocessor portscan-ignorehosts: 0.0.0.0
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
preprocessor frag2
preprocessor telnet_decode
#preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
#
#
## Output Modules
## --------------
output database: log, mysql, dbname=snort user=sensor1 host=192.168.0.69 port=3306 sensor_name=Sensor1 detail=full
#output log_tcpdump: tcpdump.log
#output xml: Log, file=/var/log/snortxml
#output log_unified: filename snort.log, limit 128
#
#output alert_syslog: LOG_AUTH LOG_ALERT
#output alert_unified: filename snort.alert, limit 128
#output trap_snmp: alert, 7, inform -v 3 -p 999 -l authPriv -u snortUser -x DES -X "" -a SHA -A "" myTrapListener
#
## Custom Rules
## ------------
#ruletype suspicious
#{
# type log
# output log_tcpdump: suspicious.log
#}
#ruletype redalert
#{
# type alert
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort dbname=snort host=localhost
#}
#
## Custom Lines
## ------------
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
#
## Include Files
## -------------
include classification.config
#
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/porn.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

And just so you know, I have followed the directions from:

http://www.sans.org/rr/intrusion/practical_guide.php

And I have set everything up like it said, but it's not logging to my WINDOWS MySQL database. How can I test to see what's wrong, and how can I test and make sure it's really not logging to the database? Are there COMMANDS I can run on MySQL (Windows)? I can post any other info you may need.
Thanks Guys!
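The statements below are an added example from the editor, not part of the original post or of the SANS guide it follows. They are what to type into the mysql command-line client on the Windows MySQL host (192.168.0.69) to answer the question above, and they assume the stock Snort 1.9 database schema (the sensor, event, signature and schema tables; the startup output reports schema version 106) and a sensor that connects from 192.168.0.1, the address in the subject line's "Access denied" error. Two details in the output above matter for reading the results: "sensor id = 1" is not a snort.conf setting but a value the database plugin obtains from the sensor table, so that run did reach the database, and the closing stats show ALERTS: 0 and LOGGED: 0, so the "log" facility had nothing to write for those three ARP packets. Note also that the output database line carries no password= option, so the sensor1 account must accept the login exactly as the sensor presents it, or the line needs password= added.

```sql
-- Added example (editor's, not from the original post): checks for the
-- Snort 1.9 -> MySQL setup described above, run as root in the mysql client
-- on the Windows host 192.168.0.69.  Assumed: stock Snort 1.9 schema,
-- sensor connecting from 192.168.0.1, account name sensor1 as in snort.conf.

-- 1. Is the sensor allowed to log in at all?  MySQL matches the user AND the
--    client address as seen by the server, so there must be a row whose host
--    column matches 192.168.0.1 (or a wildcard such as 192.168.0.%).
USE mysql;
SELECT user, host, password FROM user WHERE user = 'sensor1';
SELECT user, host, db FROM db WHERE db = 'snort';

-- If no row matches, grant the sensor what the "log" facility needs.  It
-- INSERTs events and SELECTs/UPDATEs the sensor table on startup.  The
-- password below is a placeholder: choose a real one and add the matching
-- password=... option to the output database line in snort.conf.
GRANT INSERT, SELECT, UPDATE ON snort.* TO 'sensor1'@'192.168.0.1'
    IDENTIFIED BY 'changeme';
FLUSH PRIVILEGES;

-- 2. Did the sensor register?  Snort inserts (or looks up) its row here at
--    startup, before any packet is logged.  With the snort.conf above the
--    hostname column should read Sensor1 and detail should be 1 (full).
USE snort;
SELECT sid, hostname, interface, detail, last_cid FROM sensor;

-- 3. Is the schema the version Snort reported (schema version = 106)?
SELECT vseq, ctime FROM `schema`;

-- 4. Are events arriving?  Run this twice, a minute or so apart, while Snort
--    is running and real traffic (not just ARP) is crossing eth0.  If the
--    count stays at 0 while Snort's own stats show ALERTS/LOGGED > 0, the
--    problem is the database connection; if Snort's stats are also 0, no
--    rule fired and there was nothing to log.
SELECT COUNT(*) AS events, MAX(timestamp) AS newest FROM event;

-- 5. The most recent events with the rule that produced each one.
SELECT e.sid, e.cid, e.timestamp, s.sig_name
  FROM event e JOIN signature s ON s.sig_id = e.signature
 ORDER BY e.timestamp DESC
 LIMIT 10;
```

To force a row into event for step 4 without waiting for a real attack, add a throwaway rule to /etc/snort/local.rules (already included at the end of the snort.conf above), for example `alert icmp any any -> $HOME_NET any (msg:"TEST ping to HOME_NET"; sid:1000001; rev:1;)`, restart Snort, ping a 192.168.0.0/24 address from another machine, and re-run the COUNT query. Remove the rule afterwards; sid 1000001 is an assumed local number, not one from the ruleset on the page.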
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users