Snort mailing list archives
Re: archivePlus problems
From: "Jim Vonder" <jim_vonder () hotmail com>
Date: Fri, 11 Mar 2005 14:39:18 -0800
Thanks a ton! It was the permission 'file' missing from the MySQL user. Also, thanks for the great script -- it does exactly what I was looking for.

As far as where I downloaded it, I believe I got it straight from the NTSUG site. At least I eventually downloaded it from there to see if that would fix my problems. I guess it's possible I got two versions from two different sites mixed up. One problem I ran into was that I just edited the sample config file, and the application couldn't read the values from it correctly until I did the dos2unix. The error I got was the same one I saw someone else mentioning when I did a Google search -- "can't connect to 'localhost'" -- so I don't think I'm the only one with the problem.
-Jim Vonder
From: Paul Schmehl <pauls () utdallas edu>
Reply-To: Paul Schmehl <pauls () utdallas edu>
To: Jim Vonder <jim_vonder () hotmail com>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] archivePlus problems
Date: Fri, 11 Mar 2005 15:55:53 -0600

--On Friday, March 11, 2005 11:02:59 AM -0800 Jim Vonder <jim_vonder () hotmail com> wrote:

For troubleshooting purposes, there are a couple of things you can do to help sort out what's going on.

> Any ideas? Has anyone else run it on Fedora?

1) One of the options is -T, which defines the tmpfile location. (I use /var/db/mysql/tmp.) Wherever it is that you are putting the tmp files, you can tail the files to see what's in them. (They're all ASCII text.) If there's data in there, you know that the script is reading the snort db and writing to those files.

If there's no data, check the permissions of the user you've defined in the config file. Try to login to the db from the commandline using that user and its password:

    mysql -u {user} -p

Also check the grants for that user to make sure it has the correct perms to do what the script does. For the snort db, it needs SELECT, DELETE and FILE. For the archive DB it needs INSERT, UPDATE and FILE privileges.

N.B. The FILE privilege is very dangerous. This account should be localhost only or run over SSL and it should use a very strong password.

2) In the archivePlus.pl script, on line 195 (immediately after this - my $sensor_query = qq{SELECT * FROM sensor};), add this statement:

    DBI->trace (3, "(/path/mysql/can/write/to/)trace.out");

This will write a trace file to the location you specify. You can then tail the file to see what caused the script to exit (success or failure). This can be helpful to see exactly why the script is failing.

Keep in mind, if you have a *lot* of events to archive, the script will run for quite a while. If that is the case, try "hardcoding" the date to limit the amount of data it has to handle. (Uncomment line 19 and set the date, using the *precise* format displayed, and the script will archive anything *prior* to that date.)

E.g. if you have 20 days worth of data in the db, and you want only 7, set the archive date to be 17 days ago, run the script, when it completes change the date to 14 days ago, and so forth. Of course, you can also do this from the commandline by using -t N days; -t 17, then -t 14, etc.

Hope this helps.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
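The statements below are an added example, not part of Paul Schmehl's message or of the archivePlus script. They show the least-privilege grant set he describes (SELECT and DELETE on the snort database, INSERT and UPDATE on the archive database, plus FILE), with the account restricted to localhost as he recommends, followed by the checks an administrator would run to confirm the grants and to find every account that holds FILE. The account name archiver, the database names snort and snort_archive, and the password placeholder are assumptions.

```sql
-- Added example, not from the thread or archivePlus. The account name
-- 'archiver', the database names 'snort' and 'snort_archive', and the
-- password are assumptions; replace the placeholder with a strong password.
CREATE USER 'archiver'@'localhost' IDENTIFIED BY 'REPLACE-WITH-STRONG-PASSWORD';

-- Snort database: the script reads events and removes the rows it archived.
GRANT SELECT, DELETE ON snort.* TO 'archiver'@'localhost';

-- Archive database: the script loads the rows it wrote to the tmp files.
GRANT INSERT, UPDATE ON snort_archive.* TO 'archiver'@'localhost';

-- FILE is a server-wide privilege: MySQL only allows it ON *.*, which is why
-- it is dangerous and why the account is tied to 'localhost' (the host part of
-- the account name limits where it may connect from). If the script must
-- connect over the network instead, add REQUIRE SSL to the account.
GRANT FILE ON *.* TO 'archiver'@'localhost';

-- Check 1: the effective grants for the archive account.
SHOW GRANTS FOR 'archiver'@'localhost';

-- Check 2: every account that holds FILE, and the hosts it may connect from.
-- Anything beyond the expected archiver@localhost deserves a closer look.
SELECT User, Host FROM mysql.user WHERE File_priv = 'Y';
```

Run the grants as a MySQL administrative user, then log in as the new account with `mysql -u archiver -p` (the test Paul suggests) before pointing the script's config file at it. If the check-2 query lists accounts with a wildcard host (`%`), those accounts can exercise FILE from anywhere they can reach the server, which is exactly the exposure the N.B. above warns about.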
Current thread:
- archivePlus problems Jim Vonder (Mar 11)
- Re: archivePlus problems Alex Kirk (Mar 11)
- Re: archivePlus problems Jim Vonder (Mar 11)
- Re: archivePlus problems Paul Schmehl (Mar 11)
- RE: archivePlus problems Michael Steele (Mar 11)
- Re: archivePlus problems James Riden (Mar 11)
- Re: archivePlus problems Jim Vonder (Mar 11)
- Re: archivePlus problems Alex Kirk (Mar 11)
- <Possible follow-ups>
- Re: archivePlus problems Jim Vonder (Mar 11)
- Re: archivePlus problems Paul Schmehl (Mar 11)