Snort mailing list archives

RE: WinXP-1.9-MySQL-2 sensors, 1 collector and the 1067 error


From: "Michael Steele" <michaels () silicondefense com>
Date: Tue, 18 Feb 2003 16:18:10 -0800

Ty,

This is an excerpt out of my documentation. I would give you the link, but our website has been changed to a new site 
and not all the links and files are accessible right now. This is the meat of what you need. These are only partial 
docs and were created based on the initial master sensor being set up using my docs for setting up a master sensor for 
Windows.

CONFIGURING THE MASTER SENSOR 
 
 Note: These modifications will need to be done on the Master sensor. 
 
 Modifying the MySQL database: 
 
 ● Right click on the MySQL Admin module in the system tray and select 'Show Me' 
 
 ● Select the 'my.ini Setup' tab 
 
 Original: bind-address=127.0.0.1 
 Change: (completely remove line) 
 
 ● Click the 'Save Modification' button, click 'Yes', and click 'OK'. 
 
 Creating a remote Slave sensor database user: 
 
 From a command prompt, navigate to the 'D:\Applications\mysql\bin' folder. 
 
 ● At the command prompt '>' type: mysql -u root -p 
 
 Note: At the password prompt enter the password of the pre-configured user 'root'. 
 
 ● Note: It is IMPERATIVE that a semicolon is added as shown in the commands below. MySQL relies on this semicolon as a 
line terminator. 
 
 ● At the 'mysql>' prompt type: grant INSERT,SELECT on snort.* to snort1@HOST_NAME identified by "123"; 
 
 Note: In the above 'grant' line, there is a snort1@HOST_NAME. This HOST_NAME must be the hostname of the 'slave 
sensor'. 
 
 ● At the 'mysql>' prompt type: show grants for snort1@HOST_NAME; 
 
 Note: This should show the privileges for user 'snort1', and they should match what was added. 
 
 ● Reboot your new IDS Master Sensor! 
 
 Testing the MySQL connection between the Slave and Master: 
 
 ● From a command prompt on the Slave sensor type: telnet hostname 3306 
 
 Note: The 'hostname' must be the hostname of the Master sensor. If there is a clear path to the MySQL database there 
will be a good connect. 
 
 Possible Connection Refused Problems: 
 
 ● The 'my.ini' file has a 'bind-address=' line included. 
 ● Network card may need a driver update. 
 ● No network connection. 
 ● No clear path to Master sensor (firewall / switch). 
 ● Ethernet cable not secure, or bad. 
 
 Note: All errors must be resolved before continuing! 

-Michael
--
 Michael Steele | System Engineer / Support Technician    
 mailto:michaels () silicondefense com   
 Silicon Defense - The Cyber-War Defense Company
 Website: http://www.silicondefense.com


 Snort: Open Source Network IDS - http://www.snort.org
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ty Brewer
Sent: Tuesday, February 18, 2003 2:41 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] WinXP-1.9-MySQL-2 sensors, 1 collector and the 1067 error

I have installed Snort 1.9 on 2 WinXP machines using MySQL 4.0.10 gamma. Everything seems to work fine on each machine 
when running in a standalone configuration. Both machines are configured to have Snort run as a service and save to a 
local MySQL database. When logging alerts and logs locally, each machine works perfectly.
 
I would like to configure one machine to be a sensor and the other to be used exclusively for MySQL and ACID 
(collector).
 
Unfortunately, when I configure the 2nd machine (sensor) to point to the 1st machine (collector), I get the dreaded 
1067 error when I start the service on the sensor.
I have tried this with Snort both running and not running on the collector.
 
Here is a portion of the snort.conf file from the sensor:
output database: log, mysql, user=snort2@sensor password=123 dbname=snort host=32.77.73.150 port=3306 sensor_name=sensor
output database: alert, mysql, user=snort2@sensor password=123 dbname=snort host=32.77.73.150 port=3306 sensor_name=sensor
 
I've also tried these variations (the cat in the cage method):
user=root
user=snort
user=snort2
user=snort2@sensor
 
host=collector (the MySQL collector)
sensor_name=collector
 
It acts like this might be a MySQL problem, but I have created the snort2 user on the collector's MySQL instance. 
Perhaps I have created the user incorrectly?
 
Once I get this working, I'll add yet another sensor to point to the collector (2 sensors, 1 collector).
 
Any help is appreciated,
Ty
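
The 'telnet hostname 3306' test described in the reply above only shows whether the port answers. As an added example (not part of either message, and not Snort or MySQL project code), this Python script decodes the first packet the MySQL server sends, which separates a listener problem such as 'bind-address' from a server that answers but rejects the sensor's host. The sample packets, the version string and the host name 'sensor' in them are constructed for illustration.

```python
import socket
import struct

def _packet(payload: bytes, seq: int = 0) -> bytes:
    """Frame a payload as a MySQL packet: 3-byte LE length, 1-byte sequence."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

# Constructed sample packets (not captured traffic); version and host are illustrative.
SAMPLE_OK = _packet(b"\x0a" + b"4.0.10-gamma\x00" + b"\x01\x00\x00\x00")
SAMPLE_DENIED = _packet(
    b"\xff" + struct.pack("<H", 1130)
    + b"Host 'sensor' is not allowed to connect to this MySQL server")

def classify_greeting(data: bytes) -> str:
    """Interpret the first packet a MySQL server sends after the TCP connect."""
    length = int.from_bytes(data[:3], "little")
    payload = data[4:4 + length]          # data[3] is the sequence number
    if not payload:
        return "no MySQL greeting: port is open but nothing MySQL-like answered"
    if payload[0] == 0xFF and len(payload) >= 3:   # ERR packet: code, then message
        code = struct.unpack_from("<H", payload, 1)[0]
        return f"server rejected this host: error {code}: {payload[3:].decode('latin-1')}"
    if payload[0] == 0x0A:                # handshake, protocol version 10
        version = payload[1:].split(b"\x00", 1)[0].decode("latin-1")
        return f"MySQL reachable, server version {version}"
    return f"unexpected first byte 0x{payload[0]:02x}"

def probe(host: str, port: int = 3306, timeout: float = 5.0) -> str:
    """Equivalent of 'telnet hostname 3306', but decodes what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return classify_greeting(sock.recv(4096))
    except ConnectionRefusedError:
        return "connection refused: MySQL not listening on this address (bind-address?)"
    except OSError as exc:                # timeout, no route, name lookup failure
        return f"no clear path to host: {exc}"

if __name__ == "__main__":
    print(classify_greeting(SAMPLE_OK))
    print(classify_greeting(SAMPLE_DENIED))
```

Run from the Slave sensor, probe('hostname') with the Master's hostname gives the same information as the telnet test plus the server's own error text when the connecting host has no matching grant.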



