Snort mailing list archives

Re: mysql error prevails...


From: AllowOverride <allowoverride () gmail com>
Date: Sat, 06 Oct 2012 12:57:08 -0700

snort is working for sure:

1.

# ls -alh /var/log/snort/
total 1016K
drwxr-xr-x  2 snort snort 4.0K Oct  6 11:36 .
drwxr-xr-x 13 root  root  4.0K Oct  6 10:56 ..
-rw-r--r--  1 root  root  6.8K Oct  5 23:26 alert
-rw-r--r--  1 snort snort    0 Oct  4 10:26 barnyard2.waldo
-rw-------  1 snort snort 997K Oct  6 01:43 snort.log.1349504795
-rw-------  1 snort snort    0 Oct  6 11:36 snort.log.1349548617

2. 

sudo openvasd 
All plugins loaded                     

after hitting 192.168.1.14 with openvas-client results:

# ls -alh /var/log/snort/
total 3.3M
drwxr-xr-x  2 snort snort 4.0K Oct  6 11:36 .
drwxr-xr-x 13 root  root  4.0K Oct  6 10:56 ..
-rw-r--r--  1 root  root  392K Oct  6 12:50 alert
-rw-r--r--  1 snort snort    0 Oct  4 10:26 barnyard2.waldo
-rw-------  1 snort snort 997K Oct  6 01:43 snort.log.1349504795
-rw-------  1 snort snort 2.0M Oct  6 12:50 snort.log.1349548617

I presume alert was actively logging as well, as its file size grew, and
snort.log is now logging too; I use the -A console option.
I wonder if -A fast does the same - makes alert and snort.log grow.
I will generate lots of traffic again with openvas and ping -f to see if
barnyard2.waldo grows at some point... a little smoke testing in the
network sense...


3.

here is my local.rules per howtos:

# ------------
# LOCAL RULES
# ------------
# This file intentionally does not come with signatures.  Put your local
# additions here.
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001;)

4. 

snort.rules is full. I wonder what happens if I cat >> snort.rules to
local.rules lol... jk

5.

What I find interesting is how after I installed pulledpork and ran it,
it works, and when I hit 192.168.1.14 with openvas-client it logs
to /var/log/snort/snort.log, so I assume local.rules AND snort.rules are
working, but I can't tell for sure, as I cannot get barnyard2 to import
the info to mysql to take a look at it, since it is unified2 format.. I
think.. can't tell:

# less /var/log/snort/snort.log.1349548617 
"/var/log/snort/snort.log.1349548617" may be a binary file.  See it
anyway?

I just know the file size is growing.. a good sign snort is working, and I
know it grows when I simply ping 192.168.1.14 from a remote host.

6. 

I'd like to import data from snort with barnyard2 into say snortreport
or base-1.4.5.

After that I will be able to try my hand at local.rules creation.

I am still stuck on the barnyard2 > mysql insertion portion.

I am willing to try anything at this point, as the howtos do not really
explain more. See attached for the howtos I have been using.
Also, perms on some dirs were getting non-root perms like:
1210:1210 /etc/snort

7. 

Suggestions anyone??? I'm totally open to suggestions...

more info to follow....

--- Begin Message ---
From: beenph <beenph () gmail com>
Date: Sat, 6 Oct 2012 04:31:46 -0400
On Fri, Oct 5, 2012 at 5:59 AM, AllowOverride <allowoverride () gmail com> wrote:
> you mean snort.* yes i have


Do you actually read e-mails and links sent to you such as the MySQL
documentation?


By wildcard I didn't mean * but %

<SNIP>

Also have you tried to wildcard your access for the user you configured?

UPDATE mysql.user SET host='%' WHERE user='YOURCONFIGUREDUSER';

REF: https://dev.mysql.com/doc/refman/5.5/en/adding-users.html

And make sure to flush-privileges/reload before testing.
</SNIP>


And in your context "YOURCONFIGUREDUSER" should be snort.

--- End Message ---
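The poster cannot tell what is inside snort.log.* beyond "may be a binary file". This is an added example, not code from the thread or from Snort/barnyard2: a small Python reader for the unified2 record chain that Snort writes and barnyard2 consumes. Record layouts follow Snort's Unified2_common.h (8-byte big-endian type/length header, 52-byte legacy IPv4 event, packet record); the sample blob, the sid 10000001 alert and the 192.168.1.20 source address are constructed for the demo.

```python
import socket
import struct

# Record types from Snort's Unified2_common.h. Every record starts with a
# Serial_Unified2_Header: uint32 type, uint32 length, both big-endian.
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT = 2, 7          # IDS_EVENT = legacy IPv4, 52-byte body
TYPE_NAMES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6", 104: "IDS_EVENT_VLAN",
              105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA"}

def ip_to_int(dotted):
    return struct.unpack(">I", socket.inet_aton(dotted))[0]

def parse_unified2(blob):
    """Walk the record chain; decode legacy IPv4 events and packet headers.
    Raises ValueError on a truncated record (e.g. a file Snort is still writing)."""
    records, off = [], 0
    while off + 8 <= len(blob):
        rtype, rlen = struct.unpack_from(">II", blob, off)
        body = blob[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            raise ValueError("truncated record at offset %d" % off)
        rec = {"type": rtype, "name": TYPE_NAMES.get(rtype, "UNKNOWN"), "length": rlen}
        if rtype == UNIFIED2_IDS_EVENT and rlen == 52:
            # sensor_id, event_id, event_second, event_usec, sid, gid, rev, class,
            # priority, ip_src, ip_dst, sport_itype, dport_icode, proto, impact_flag, impact, blocked
            f = struct.unpack(">11I2H4B", body)
            rec.update(event_id=f[1], event_second=f[2], sid=f[4], gid=f[5], rev=f[6],
                       priority=f[8], src=socket.inet_ntoa(body[36:40]),
                       dst=socket.inet_ntoa(body[40:44]), proto=f[13])
        elif rtype == UNIFIED2_PACKET and rlen >= 28:
            # sensor_id, event_id, event_second, packet_second, packet_usec, linktype, packet_length
            h = struct.unpack_from(">7I", body, 0)
            rec.update(event_id=h[1], linktype=h[5], packet_length=h[6])
        records.append(rec)
        off += 8 + rlen
    return records

def build_sample():
    """Constructed two-record blob (not a real capture): one alert from the
    page's local rule sid 10000001 plus the packet record that triggered it."""
    ev = struct.pack(">11I2H4B", 0, 1, 1349548617, 0, 10000001, 1, 0, 0, 3,
                     ip_to_int("192.168.1.20"), ip_to_int("192.168.1.14"),
                     8, 0, 1, 0, 0, 0)                 # itype 8 (echo request), proto 1 (ICMP)
    pkt_data = b"\x00" * 42                            # placeholder frame bytes, constructed
    pk = struct.pack(">7I", 0, 1, 1349548617, 1349548617, 0, 1, len(pkt_data)) + pkt_data
    return (struct.pack(">II", UNIFIED2_IDS_EVENT, len(ev)) + ev +
            struct.pack(">II", UNIFIED2_PACKET, len(pk)) + pk)

if __name__ == "__main__":          # for a real file: parse_unified2(open(path, "rb").read())
    print(parse_unified2(build_sample()))
```

Running it against a live spool file while Snort is still appending can raise the truncation error on the last record; that is expected and is the same partial-record condition barnyard2's waldo bookmark exists to handle.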
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net