FW: Can't get remote sensor to connect to mysql + one more question

["Jean Paul Bourget" <jbourget () ArnoldMagnetics com>]

Regards, 
 
JP Bourget
Arnold Magnetics
770 Linden Ave
Rochester, NY 14625
585-385-9010 x225
jbourget () arnoldmagnetics com
www.arnoldmagnetics.com

-----Original Message-----
From: Jean Paul Bourget 
Sent: Monday, January 03, 2005 8:48 AM
To: 'Schott, Erik J Mr ANOSC/FCBS'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Can't get remote sensor to connect to mysql +
one more question

So let me see if I understand this correctly.

Eth0 = plugged into a mirrored port on a switch. Snort "sniffs and
analyzes all the traffic on this port. IP assigned? Yes or No. (Not
sure)

Eth1 = management Interface. Snort actually sends the relevant packets I
care about back to my remote snort database via eth1. I can also manage
snort via eth1. 

If this is the case, how do I tell snort to send the data over eth1 to
my database? It seems as if it's trying to send it over the mirror port
(eth0), so how to I specify eth1 to send the data back to the database
over eth1?

Regards, 
 
JP Bourget
Arnold Magnetics
770 Linden Ave
Rochester, NY 14625
585-385-9010 x225
jbourget () arnoldmagnetics com
www.arnoldmagnetics.com

-----Original Message-----
From: Schott, Erik J Mr ANOSC/FCBS
[mailto:erik.schott-FCBS () NETCOM ARMY MIL] 
Sent: Wednesday, December 22, 2004 5:32 PM
To: Jean Paul Bourget
Subject: RE: [Snort-users] Can't get remote sensor to connect to mysql +
one more question

If you have multiple NICs on your host, you can select one interface to
be
your "stealth" interface (the interface over which you will receive and
interrogate all packets).  It is an interface to which you do not assign
an
IP.  You identify this in your snort startup script.

Using a mirrored port (span session) on a switch is not a problem.  That
is
what we use at our remote sites and the stealth interface (promiscuous
interface) on the snort sensor is connected to that port.

You will not need to use eth1 to send data to the remote snort server.
That
interface is the "management" port and that is how the snort alerts,
etc.
get to the ACID/BASE server and it is also the interface over which you
remotely manage the sensor.

-----Original Message-----
From: Jean Paul Bourget [mailto:jbourget () ArnoldMagnetics com]
Sent: Wednesday, December 22, 2004 1:59 PM
To: Schott, Erik J Mr ANOSC/FCBS; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Can't get remote sensor to connect to mysql +
one more question


I got it!!! 

Turns out I didn't have any passwords on in my mySQL database.

Thank you so much for your quick response. You guys rock, esp. Erik.

I have one more question.... 

When you monitor an interface (say eth0) it goes into promiscuous mode.

I got that.

How does it still send data back to the database? Can I pick an
interface to do that? Or does it just work? What if I use a mirrored
port/vlan?

What I'm trying to accomplish:

Mirror my network via a Cisco span (or RSPAN)port to eth0.
Use eth1 on another port to send data back to my remote snort "server"

Am I trying to go about this the right way? Or am I missing something?

Thanks again!

Regards, 
 
JP Bourget
Arnold Magnetics
770 Linden Ave
Rochester, NY 14625
585-385-9010 x225
jbourget () arnoldmagnetics com
www.arnoldmagnetics.com

-----Original Message-----
From: Schott, Erik J Mr ANOSC/FCBS
[mailto:erik.schott-FCBS () NETCOM ARMY MIL] 
Sent: Wednesday, December 22, 2004 2:26 PM
To: Jean Paul Bourget
Subject: RE: [Snort-users] Can't get remote sensor to connect to mysql

do you have a user account for snort on your ACID server?

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Jean Paul
Bourget
Sent: Wednesday, December 22, 2004 12:16 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Can't get remote sensor to connect to mysql


It has been snort and I tried it as root last. 
I am getting this error with snort.

User=snort pass=snort db=snort

Error: 

Access denied for user snort () snort mta roc arnoldmagnetics com.

Should I look at the database permissions? Or file permissions?
How do I view database permissions?

Regards, 
 
JP Bourget
Arnold Magnetics
770 Linden Ave
Rochester, NY 14625
585-385-9010 x225
jbourget () arnoldmagnetics com
www.arnoldmagnetics.com

-----Original Message-----
From: Schott, Erik J Mr ANOSC/FCBS
[mailto:erik.schott-FCBS () NETCOM ARMY MIL] 
Sent: Wednesday, December 22, 2004 2:01 PM
To: Jean Paul Bourget
Subject: RE: [Snort-users] Can't get remote sensor to connect to mysql

try changing your user to snort in your output database: entry...also,
when
you send your snort.conf cross (X) out that password, unless it is
already
bogus.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Jean Paul
Bourget
Sent: Wednesday, December 22, 2004 11:54 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Can't get remote sensor to connect to mysql


Ok, so I opened up port 3306 on my firewall now the permissions problem
has surfaced. 

Below is my snort.conf and a explanation of my new problem.

Database: mysql_error: Access denied for user root@192.168.50.52

It looks as though either I have the wrong database permissions for the
remote user, (I'm not sure how to fix this, or I have the wrong file
permissions)

FYI I cut the rules section off the snort.config



Start snort.conf ------------------>
[jbourget@snort-mta ~]$ cat /etc/snort/snort.conf | more
#--------------------------------------------------
#   http://www.snort.org     Snort 2.1.0 Ruleset
#     Contact: snort-sigs () lists sourceforge net
#--------------------------------------------------
# $Id: snort.conf,v 1.142.2.2 2004/08/05 18:55:37 jhewlett Exp $
#
###################################################
# This file contains a sample snort configuration.
# You can take the following steps to create your own custom
configuration:
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect your local network.
The
# variable is currently setup for an RFC 1918 address space.
#
# You can specify it explicitly as:
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS which will be always
# initialized to IP address and netmask of the network interface which
you run
# snort at.  Under Windows, this must be specified as
# $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:

var HOME_NET [192.168.40.0/24,192.168.200.0/24]

# Set up the external network addresses as well.  A good start may be
"any"
var EXTERNAL_NET any

# Configure your server lists.  This allows snort to only look for
attacks to
# systems that have a service up.  Why look for HTTP attacks if you are
not
# running a web server?  This allows quick filtering based on IP
addresses
# These configurations MUST follow the same configuration scheme as
defined
# above for $HOME_NET.

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

#
# or you can specify the variable to be any IP address
# like this:

var HOME_NET [192.168.40.0/24,192.168.200.0/24]

# Set up the external network addresses as well.  A good start may be
"any"
var EXTERNAL_NET any

# Configure your server lists.  This allows snort to only look for
attacks to
# systems that have a service up.  Why look for HTTP attacks if you are
not
# running a web server?  This allows quick filtering based on IP
addresses
# These configurations MUST follow the same configuration scheme as
defined
# above for $HOME_NET.

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET

# Configure your service ports.  This allows snort to look for attacks
destined
# to a specific application only on the ports that application runs on.
For
# example, if you run a web server on port 8081, set your HTTP_PORTS
variable
# like this:
#
# var HTTP_PORTS 8081
#
# Port lists must either be continuous [eg 80:8080], or a single port
[eg 80].
# We will adding support for a real list of ports in the future.

# Ports you run web servers on
#
# Please note:  [80,8080] does not work.
# If you wish to define multiple HTTP ports,
#
## var HTTP_PORTS 80
## include somefile.rules
## var HTTP_PORTS 8080
## include somefile.rules
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

# other variables
#
# AIM servers.  AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of
servers.
var AIM_SERVERS
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,
64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute
path,
# such as:  c:\snort\rules
var RULE_PATH /etc/snort/rules

# Configure the snort decoder
# ============================
#
# Snort's decoder will alert on lots of things such as header
# truncation or options of unusual length or infrequently used tcp
options
#
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop Alerts on experimental TCP options
#
# config disable_tcpopt_experimental_alerts
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
#
# Stop Alerts on T/TCP alerts
#
# In snort 2.0.1 and above, this only alerts when a TCP option is
detected
# that shows T/TCP being actively used on the network.  If this is
normal
# behavior for your network, disable the next option.
#
# config disable_tcpopt_ttcp_alerts
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts

# Configure the detection engine
# ===============================
#
# Use a different pattern matcher in case you have a machine with very
limited
# resources:
#
# config detection: search-method lowmem

###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of
# the form
# preprocessor <name_of_processor>: <configuration_options>

# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying the state keeping
# mechanisms of snort into a single place. Right now, only a portscan
detector
# is implemented but in the long term,  many of the stateful subsystems
of
# snort will be migrated over to becoming flow plugins. This must be
enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information

#
preprocessor flow: stats_interval 0 hash 2

# frag2: IP defragmentation support
# -------------------------------
# This preprocessor performs IP defragmentation.  This plugin will also
detect
# people launching fragmentation attacks (usually DoS) against hosts.
No
# arguments loads the default configuration of the preprocessor, which
is a 60
# second timeout and a 4MB fragment buffer.

# The following (comma delimited) options are available for frag2
#    timeout [seconds] - sets the number of [seconds] that an unfinished
#                        fragment will be kept around waiting for
completion,
#                        if this time expires the fragment will be
flushed
#    memcap [bytes] - limit frag2 memory usage to [number] bytes
#                      (default:  4194304)
#
#    min_ttl [number] - minimum ttl to accept
#
#    ttl_limit [number] - difference of ttl to accept without alerting
#                         will cause false positves with router flap
#
# Frag2 uses Generator ID 113 and uses the following SIDS
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Oversized fragment (reassembled frag > 64k bytes)
#   2       Teardrop-type attack

preprocessor frag2

# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat
stick/snot
# against TCP rules.  Also performs full TCP stream reassembly, stateful
# inspection of TCP streams, etc.  Can statefully detect various
portscan
# types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)
# options (options are comma delimited):
#   detect_scans - stream4 will detect stealth portscans and generate
alerts
#                  when it sees them when this option is set
#   detect_state_problems - detect TCP state problems, this tends to be
very
#                           noisy because there are a lot of crappy ip
stack
#                           implementations out there
#
#   disable_evasion_alerts - turn off the possibly noisy mitigation of
#                            overlapping sequences.
#
#
#   min_ttl [number]       - set a minium ttl that snort will accept to
#                            stream reassembly
#
#   ttl_limit [number]     - differential of the initial ttl on a
session versus
#                             the normal that someone may be playing
games.
#                             Routing flap may cause lots of false
positives.
#
#
#   keepstats [machine|binary] - keep session statistics, add "machine"
to
#                         get them in a flat format for machine reading,
add
#                         "binary" to get them in a unified binary
output
#                         format
#   noinspect - turn off stateful inspection only
#   timeout [number] - set the session timeout counter to [number]
seconds,
#                      default is 30 seconds
#   memcap [number] - limit stream4 memory usage to [number] bytes
#   log_flushed_streams - if an event is detected on a stream this
option will
#                         cause all packets that are stored in the
stream4
#                         packet buffers to be flushed to disk.  This
only
#                         works when logging in pcap mode!
#
# Stream4 uses Generator ID 111 and uses the following SIDS
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Stealth activity
#   2       Evasive RST packet
#   3       Evasive TCP packet retransmission
#   4       TCP Window violation
#   5       Data on SYN packet
#   6       Stealth scan: full XMAS
#   7       Stealth scan: SYN-ACK-PSH-URG
#   8       Stealth scan: FIN scan
#   9       Stealth scan: NULL scan
#   10      Stealth scan: NMAP XMAS scan
#   11      Stealth scan: Vecna scan
#   12      Stealth scan: NMAP fingerprint scan stateful detect
#   13      Stealth scan: SYN-FIN scan
#   14      TCP forward overlap

preprocessor stream4: disable_evasion_alerts

# tcp stream reassembly directive
# no arguments loads the default configuration
#   Only reassemble the client,
#   Only reassemble the default list of ports (See below),
#   Give alerts for "bad" streams
#
# Available options (comma delimited):
#   clientonly - reassemble traffic for the client side of a connection
only
#   serveronly - reassemble traffic for the server side of a connection
only
#   both - reassemble both sides of a session
#   noalerts - turn off alerts from the stream reassembly stage of
stream4
#   ports [list] - use the space separated list of ports in [list],
"all"
#                  will turn on reassembly for all ports, "default" will
turn
#                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110,
111
#                  and 513

preprocessor stream4_reassemble

# http_inspect: normalize and detect HTTP traffic and protocol anomalies
#
# lots of options available here. See doc/README.http_inspect.
# unicode.map should be wherever your snort.conf lives, or given
# a full path to where snort can find it.

# a full path to where snort can find it.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

#
#  Example unqiue server configuration
#
#preprocessor http_inspect_server: server 1.1.1.1 \
#    ports { 80 3128 8080 } \
#    flow_depth 0 \
#    ascii no \
#    double_decode yes \
#    non_rfc_char { 0x00 } \
#    chunk_length 500000 \
#    non_strict \
#    oversize_dir_length 300 \
#    no_alerts


# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual 4-byte
encoding
# that is used by default. This plugin takes the port numbers that RPC
# services are running on as arguments - it is assumed that the given
ports
# are actually running this type of service. If not, change the ports or
turn
# it off.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a
packet
# no_alert_large_fragments - don't alert when the fragmented
#                            sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
#                       exceeds the current packet size

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network.  Takes no arguments in
2.0.
#
# The Back Orifice detector uses Generator ID 105 and uses the
# following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       Back Orifice traffic detected

preprocessor bo

# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from telnet
and ftp
# traffic.  It works in much the same way as the http_decode
preprocessor,
# searching for traffic that breaks up the normal data stream of a
protocol and
# searching for traffic that breaks up the normal data stream of a
protocol and
# replacing it with a normalized representation of that traffic so that
the
# "content" pattern matching keyword can work without requiring
modifications.
# This preprocessor requires no arguments.
# Portscan uses Generator ID 109 and does not generate any SID
currently.

preprocessor telnet_decode

# Flow-Portscan: detect a variety of portscans
# ---------------------------------------
# Note:  The Flow preprocessor (above) must first be enabled for
Flow-Portscan to
# work.
#
# This module detects portscans based off of flow creation in the flow
# preprocessors.  The goal is to catch one->many hosts and one->many
# ports scans.
#
# Flow-Portscan has numerous options available, please read
# README.flow-portscan for help configuring this option.

# Flow-Portscan uses Generator ID 121 and uses the following SIDS for
that GID:
#  SID     Event description
# -----   -------------------
#   1       flow-portscan: Fixed Scale Scanner Limit Exceeded
#   2       flow-portscan: Sliding Scale Scanner Limit Exceeded
#   3       flow-portscan: Fixed Scale Talker Limit Exceeded
#   4       flow-portscan: Sliding Scale Talker Limit Exceeded

# preprocessor flow-portscan: \
#       talker-sliding-scale-factor 0.50 \
#       talker-fixed-threshold 30 \
#       talker-sliding-threshold 30 \
#       talker-sliding-window 20 \
#       talker-fixed-window 30 \
#       scoreboard-rows-talker 30000 \
#       server-watchnet [10.2.0.0/30] \
#       server-ignore-limit 200 \
#       server-rows 65535 \
#       server-learning-time 14400 \
#       server-scanner-limit 4 \
#       scanner-sliding-window 20 \
#       scanner-sliding-scale-factor 0.50 \
#       scanner-fixed-threshold 15 \
#       scanner-sliding-threshold 40 \
#       scanner-fixed-window 15 \
#       scoreboard-rows-scanner 30000 \
#       src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
#       dst-ignore-net [10.0.0.0/30] \
#       alert-mode once \
#       output-mode msg \
#       tcp-penalties on

# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# unicast ARP requests, and specific ARP mapping monitoring.  To make
use of
# this preprocessor you must specify the IP and hardware address of
hosts on
# the same layer 2 segment as you.  Specify one host IP MAC combo per
line.

# the same layer 2 segment as you.  Specify one host IP MAC combo per
line.
# Also takes a "-unicast" option to turn on unicast ARP request
detection.
# Arpspoof uses Generator ID 112 and uses the following SIDS for that
GID:

#  SID     Event description
# -----   -------------------
#   1       Unicast ARP request
#   2       Etherframe ARP mismatch (src)
#   3       Etherframe ARP mismatch (dst)
#   4       ARP cache overwrite attack

#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00


# Performance Statistics
# ----------------------
# Documentation for this is provided in the Snort Manual.  You should
read it.
# It is included in the release distribution as doc/snort_manual.pdf
#
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt
10000

####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.  General
# configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments.  Win32 can also
optionally
# specify a particular hostname/port.  Under Win32, the default hostname
is
# '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
# output alert_syslog: LOG_AUTH LOG_ALERT#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#

output database: log, mysql, user=snort password=snort dbname=snort
host=192.168.40.50
#
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test

# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging and
generating
# alerts from Snort, the "unified" format.  The unified format is a
straight
# binary format for logging data out of Snort that is designed to be
fast and
# efficient.  Used with barnyard (the new alert/log processor), most of
the
# overhead for logging and alerting to various slow storage mechanisms
such as
# databases or the network can now be avoided.
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
#    filename - base filename to write to (current time_t is appended)
#    limit    - maximum size of spool file in MB (default: 128)
#
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128

# You can optionally define new rule types and associate one or more
output
# plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC
Server";)
#
# This example will create a rule type that will log to syslog and a
mysql
# database:
# ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE:
# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
#   (msg:"Someone is being LEET"; flags:A+;)

#
# Include classification & priority settings
# Note for Windows users:  You are advised to make this an absolute
path,
# such as:  c:\snort\etc\classification.config
#

include classification.config
include classification.config

#
# Include reference systems
# Note for Windows users:  You are advised to make this an absolute
path,
# such as:  c:\snort\etc\reference.config
#

include reference.config

####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own
custom snort
# rules.
#
# The rules included with this distribution generate alerts based on on
# suspicious activity. Depending on your network environment, your
security
# policies, and what you consider to be suspicious, some of these rules
may
# either generate false positives ore may be detecting activity you
consider to
# be acceptable; therefore, you are encouraged to comment out rules that
are
# not applicable in your environment.
#
# The following individuals contributed many of rules in this
distribution.
#
# Credits:
#   Ron Gula <rgula () securitywizards com> of Network Security Wizards
#   Max Vision <vision () whitehats com>
#   Martin Markgraf <martin () mail du gtn com>
#   Fyodor Yarochkin <fygrave () tigerteam net>
#   Nick Rogness <nick () rapidnet com>
#   Jim Forster <jforster () rapidnet com>
#   Scott McIntyre <scott () whoi edu>
#   Tom Vandepoel <Tom.Vandepoel () ubizen com>
#   Brian Caswell <bmc () snort org>
#   Zeno <admin () cgisecurity com>
#   Ryan Russell <ryan () securityfocus com>



#=========================================
# Include all relevant rulesets here
#
# The following rulesets are disabled by default:
#
#   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info,
virus,
#   chat, multimedia, and p2p
#
# These rules are either site policy specific or require tuning in order
to not
# generate false positive alerts in most enviornments.
#
# Please read the specific include file for more information and
# README.alert_order for how rule ordering affects how alerts are
triggered.
#=========================================

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules

--------------------->end snort.conf


Regards, 
 
JP Bourget
Arnold Magnetics
770 Linden Ave
Rochester, NY 14625
585-385-9010 x225
jbourget () arnoldmagnetics com
www.arnoldmagnetics.com

-----Original Message-----
From: Harper, Patrick [mailto:Patrick.Harper () phns com] 
Sent: Wednesday, December 22, 2004 12:41 PM
To: Jean Paul Bourget; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Can't get remote sensor to connect to mysql

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Could be a permissions problem.  Have you given a user permission to
connect from that remote IP?  Also, is mysql open on the firewall?

 
- -----Original Message-----
From: Jean Paul Bourget [mailto:jbourget () ArnoldMagnetics com] 
Sent: Wednesday, December 22, 2004 11:25 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Can't get remote sensor to connect to mysql

I am having trouble connecting to the database from a remote machine.
I have snort working on my central machine, snort get ready to load
and halts on this error.

 

Error: database: mysql_error: Can't connecto to MySQL server on
'192.168.x.x' (113)

 

I can't figure out what the (113) is, and I've combed my syslog and
mySQL log and haven't found any hints at all. Been working on this
for 2 days.

 

The only thing I can think of is maybe a permissions problem coming
in from the remote machine.

I am using ssh.

 

Please help!!!

 

Regards, 

 

JP Bourget


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQcmxlZiWafDb7+B/EQJR9ACeNOdp72qZfoIdsPlacKQHzPTGh8gAnA9r
giYHXGBv3qkLMt6J+Jg5WB+6
=i3kX
-----END PGP SIGNATURE-----




Disclaimer:
This electronic message, including any attachments, is confidential and
intended solely for use of the intended recipient(s). This message may
contain information that is privileged or otherwise protected from
disclosure by applicable law. Any unauthorized disclosure,
dissemination, use or reproduction is strictly prohibited. If you have
received this message in error, please delete it and notify the sender
immediately. 






-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users