Snort mailing list archives

RE: Access denied for user: '@192.168.0.1' -SNORT-


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Tue, 11 Feb 2003 16:36:22 -0500

I too thought that the '-v' parameter might override the output plugins in
snort.conf.  But when I quickly checked the ParseCmdLine() function in the
1.9.0 source, I didn't see pv.alert_cmd_override being set to '1' for the
'-v' parameter -- the only thing set is 'pv.verbose_flag = 1'.  So I figured
that 'v'erbose mode didn't necessarily disable the output plugins.  

Also, usually when the output plugins are overridden, Snort displays a
message to the console.  

Is this a BUG?! 

- Christopher


-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Tuesday, February 11, 2003 4:13 PM
To: mike Hughes
Cc: snort-users () lists sourceforge net; CLuther () Xybernaut com;
bkarnold () cbu edu
Subject: Re: [Snort-users] RE: Access denied for user: '@192.168.0.1'
-SNORT-


On Tue, 11 Feb 2003, mike Hughes wrote:

What's up..

Alright, this is where I am right now.... I ran this command on my Linux
machine:

snort-mysql+flexresp -v -c /etc/snort/snort.conf

I get NO error messages: here is the output:

[...snip...]

Wrong.  You do get an error message.

ERROR spp_arpspoof /etc/snort/snort.conf(40) => Cannot initialize
arpspoof_detect_host without arpspoof

But that's not your problem.  See below.

[...snip...]

Snort analyzed 3 out of 3 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
   TCP: 0          (0.000%)          ALERTS: 0
   UDP: 0          (0.000%)          LOGGED: 0
  ICMP: 0          (0.000%)          PASSED: 0
   ARP: 3          (100.000%)
EAPOL: 0          (0.000%)
  IPv6: 0          (0.000%)
   IPX: 0          (0.000%)
OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)

[...snip...]

02/11-12:17:55.633645 ARP who-has 152.178.7.78 tell 152.178.0.254

02/11-12:17:58.850208 ARP who-has 152.178.7.78 tell 152.178.0.254

02/11-12:18:01.941099 ARP who-has 152.178.36.185 tell 152.178.0.254

------>And then it keeps logging traffic to my screen

Right.  Snort did exactly what it was supposed to.  It saw three arp
packets and displayed them to the screen.  No problem.

Now how can I test that it is going into my database on my Windows machine?
What are some commands I can run on MySQL on my Windows machine (192.168.0.69)?

[...snip...]

If you'll check the docs you'll find a statement that says "Command line
options override snort.conf settings."  Since you told Snort to
display/alert to the stdout device with "-v" it's skipping your output db
line in snort.conf.

Enable the ping rules and then log in to a route-server
(route-server.exodus.net) and ping your box.  "Bing"  Alert generated and
sent to the DB--if you've set up the DB correctly.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
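Mike's question about what to run on the Windows MySQL box to see whether anything is arriving, as an added example that is not part of the thread or of the Snort project: queries against the stock Snort MySQL schema (the sensor, event and signature tables from the create_mysql script), plus the grant that the subject line's "Access denied for user: '@192.168.0.1'" error points at. The database name `snort`, the account name `snort`, the password `changeme` and the sensor address 192.168.0.1 are assumptions.

```sql
-- Added example, not from the thread. Assumes the stock Snort MySQL schema
-- (create_mysql) loaded into a database named snort, with this line in
-- snort.conf on the sensor:
--   output database: alert, mysql, user=snort password=changeme dbname=snort host=192.168.0.69
-- Run these with the mysql client on the Windows box (192.168.0.69):
--   mysql -u root -p

-- 1. The subject line's error shows an EMPTY user name connecting from the
--    sensor (192.168.0.1): either the output line has no user= parameter, or
--    no grant exists for that account from that host. Check what the
--    sensor's account can actually do:
SHOW GRANTS FOR 'snort'@'192.168.0.1';

-- 2. If that fails, grant the sensor's address specifically rather than '%'.
--    Assumed minimal set: INSERT/SELECT for the alert writer, UPDATE for the
--    sensor table's last_cid bookkeeping. (IDENTIFIED BY inside GRANT is the
--    pre-MySQL-8 form that 2003-era servers accept.)
GRANT INSERT, SELECT, UPDATE ON snort.* TO 'snort'@'192.168.0.1' IDENTIFIED BY 'changeme';
FLUSH PRIVILEGES;

USE snort;

-- 3. Did the sensor ever connect? The database plugin registers itself in
--    the sensor table when Snort starts, before any alert is written, so a
--    row here proves the connection worked even when there are no events.
SELECT sid, hostname, interface, last_cid FROM sensor;

-- 4. How many alerts have arrived, and when was the last one?
SELECT COUNT(*) AS alerts, MAX(timestamp) AS latest FROM event;

-- 5. The last ten alerts with their rule names, e.g. the ICMP ping rules
--    Erek suggests triggering from a route-server:
SELECT e.sid, e.cid, e.timestamp, s.sig_name
  FROM event e
  JOIN signature s ON e.signature = s.sig_id
 ORDER BY e.timestamp DESC
 LIMIT 10;
```

If step 3 returns no row after Snort has been started against this snort.conf, the sensor never reached the database at all and the grant or the output line is the place to look; if the sensor row is there but step 4 stays at zero, the connection is fine and the question is only whether any rule fired.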
