Snort mailing list archives

RE: mysql.sock


From: Erek Adams <erek () snort org>
Date: Fri, 3 Oct 2003 16:32:28 -0400 (EDT)

On Fri, 3 Oct 2003, PPowenski () oag com wrote:

I am having serious problems with this 2.0.2 release.
I've been working with Snort since 1.8.x.

The problem I encountered was:
built Snort with --with-mysql (no directory ref) and this made no difference.
Installed MySQL 4.0.15 and it set up mysql.sock in
/var/lib/mysql/mysql.sock.

When you built it, did it give any errors?

Had problems with Snort putting events and logs in /var/log but only a
fraction into the database.

Most likely the old 'alert' vs. 'log' issue [0].

Made some progress, but then decided to rebuild on the suggestion of one of
the papers to build with:
./configure --with-mysql=/usr/local/mysql

Specifying the path is always a good thing.  If you have an older install,
it may pick up the headers from the older version and have issues
inserting into the DB.

After the rebuild ACID was having problems with MySQL and stated it could
not find the socket ref in /tmp/mysql.sock. Changed /etc/my.cnf to align this
up; then ACID started complaining that ADOdb was hopelessly confused.

Looked at this for quite some time, then discovered /etc/php.ini had a ref
for it but 'supposedly' was to use the my.cnf if no variable was set in this
file.
Put /tmp/mysql.sock into /etc/php.ini and then ACID began to function.

I'm pretty sure that's noted in the install docs for ACID.

Put in a few alerts, then stopped completely.
Ran tcpdump and plenty of traffic coming down the wire.
Have another IDS in place with Snort, and the detects occurring with Snort
are not right.

What are you expecting to get?  From 1.9.x and on, there was the addition
of the 'flow' keyword.  If you're not having the flow, you won't get the
alert, as there isn't really a connection.  Find the rules that you are
expecting to fire and let us know the SIDs.  That'll help debug the
issue.

Looking at it now.

Will figure it all out, but found all of this very annoying, and it must be
very, very hard for those who are not familiar with Linux or systems.

I can imagine it's frustrating, but Snort is a *NIX program born and
designed on *NIX boxes.  It's going to have oddities that you may not be
aware of if you're not from a *NIX background.  I'd suggest grabbing a
good book on *NIX (Evi Nemeth and others--The Unix System Administrators
Handbook) and keeping it handy.  That book saved my butt on more than one
occasion.  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]     http://www.theadamsfamily.net/~erek/snort/logging_methods.txt
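The socket-path mismatch worked through above (mysqld creating /var/lib/mysql/mysql.sock while ACID, via php.ini, looks in /tmp/mysql.sock) is worth checking mechanically before blaming ADOdb. The POSIX sh script below is an added example, not code from this thread or from the Snort, ACID or MySQL projects: it pulls the socket path each consumer will use out of my.cnf ([mysqld] and [client]) and php.ini (mysql.default_socket) and reports any disagreement. The my.cnf and php.ini fragments it writes are constructed to resemble the poster's setup, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post). mysqld creates its UNIX socket
# where the [mysqld] "socket" setting in my.cnf says; libmysqlclient users
# (snort's database output plugin, the mysql CLI) read the [client] section;
# PHP (and therefore ACID) reads mysql.default_socket from php.ini and only
# falls back to the client library's built-in default when that is empty.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION] (first match).
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[.*][ \t]*$/ {             # section header line
            sub(/^[ \t]*\[/, ""); sub(/][ \t]*$/, "")
            insec = ($0 == sec); next
        }
        insec && $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, "")        # drop "key ="
            sub(/[ \t]*;.*$/, "")           # drop trailing ; comment
            sub(/[ \t]*$/, "")
            print; exit
        }' "$1"
}

# check_mysql_sock MY_CNF PHP_INI: print each configured socket path; return 0
# when every client-side path agrees with mysqld's, 1 when one differs.
check_mysql_sock() {
    srv_sock=$(ini_get "$1" mysqld socket)
    cli_sock=$(ini_get "$1" client socket)
    php_sock=$(ini_get "$2" MySQL mysql.default_socket)
    echo "[mysqld] socket : ${srv_sock:-<unset, server default>}"
    echo "[client] socket : ${cli_sock:-<unset, library default>}"
    echo "php.ini  socket : ${php_sock:-<unset, library default>}"
    if [ -z "$srv_sock" ]; then
        echo "NOTE: no [mysqld] socket= line; compare against mysqld's compiled-in default" >&2
        return 0
    fi
    rc=0
    for p in "$cli_sock" "$php_sock"; do
        if [ -n "$p" ] && [ "$p" != "$srv_sock" ]; then
            echo "MISMATCH: $p is not where mysqld listens ($srv_sock)" >&2
            rc=1
        fi
    done
    # An agreed-on path that is not present usually means mysqld is not up.
    if [ ! -S "$srv_sock" ]; then
        echo "NOTE: $srv_sock is not a socket on this host (is mysqld running?)" >&2
    fi
    return $rc
}

# write_samples DIR PHP_SOCK: constructed my.cnf and php.ini fragments that
# resemble the poster's setup (hypothetical; not the poster's actual files).
write_samples() {
    cat > "$1/my.cnf" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

[client]
socket=/var/lib/mysql/mysql.sock
EOF
    cat > "$1/php.ini" <<EOF
[MySQL]
; Socket for local MySQL connects; if empty, the client library default is used.
mysql.default_socket = $2
EOF
}

# Stand-alone run: reproduce the mismatch from the thread on the samples.
tmp=$(mktemp -d)
write_samples "$tmp" /tmp/mysql.sock
if check_mysql_sock "$tmp/my.cnf" "$tmp/php.ini"; then
    echo "consistent"
else
    echo "inconsistent: point php.ini's mysql.default_socket at the [mysqld] socket"
fi
rm -rf "$tmp"
```

Run it against the real files (`check_mysql_sock /etc/my.cnf /etc/php.ini`) after editing either one; the `[ ! -S ]` note is there because an agreed-on path that does not exist means the daemon is not up yet, not that the config is wrong.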


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users