Snort mailing list archives

Re: mysql error prevails...


From: AllowOverride <allowoverride () gmail com>
Date: Sat, 06 Oct 2012 13:10:04 -0700

thanks but are you going to make me guess at this point? don't you think
i have suffered enough?

whats the syntax, i would have said if i knew to anyone asking... it's
called community. 

i can study the mysql manual later, i just want to get this up and
running, im going on two weeks dude...

i hope this is not how one gets free support here, that would be
tragic... 

i dont want to mess and make it worse typing perm cmds in mysql at this
point, if you know, just say!

thanks, if not, anyone else ?
--- Begin Message ---
From: beenph <beenph () gmail com>
Date: Sat, 6 Oct 2012 14:59:27 -0400
On Sat, Oct 6, 2012 at 2:51 PM, AllowOverride <allowoverride () gmail com> wrote:
ok, beenph, i did what you suggested, here are new grants for snort
user:


You're not there yet

Your user should be seen as snort@'%'

not snort@'localhost'



mysql> show grants for 'snort'@'localhost';
+-----------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for snort@localhost |
+-----------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON *.* TO 'snort'@'localhost' IDENTIFIED BY PASSWORD '*hidden-sorry' |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `snort`.* TO 'snort'@'localhost' |
+-----------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

1.
just for good measure restarting mysql service:

# service mysql restart
mysql stop/waiting
mysql start/running, process 2114

# service mysql status
mysql start/running, process 2114


2.
my.cnf unchanged:

[client]
port            = 3306
socket          = /var/run/mysqld/mysqld.sock

[mysqld_safe]
socket          = /var/run/mysqld/mysqld.sock
nice            = 0

# localhost which is more compatible and is not less secure.
bind-address            = 127.0.0.1
(i changed this before, per email suggestions, now its back to default
127...

3.

/etc/mysql/debian.cnf  defaults:

# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host     = localhost
user     = debian-sys-maint
password = sorry-hidden
socket   = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host     = localhost
user     = debian-sys-maint
password = sorry-hidden
socket   = /var/run/mysqld/mysqld.sock
basedir  = /usr


3.

now, trying to connect again by running barnyard2:

a. start snort:

/usr/local/bin/snort -A fast -q -u snort -g snort
-c /etc/snort/etort.conf -i eth0 &
[1] 2276

# tail -f /var/log/syslog
Oct  6 11:36:57 hidden kernel: [ 2423.983662] device eth0 entered
promiscuous mode


b. start barnyard2:

/usr/local/bin/barnyard2 -c /etc/snort/etc/barnyard2.conf
-d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D &
[2] 2296


Oct  6 11:38:17 jupiter barnyard2[2296]: Running in Continuous mode
Oct  6 11:38:17 jupiter barnyard2[2296]:
Oct  6 11:38:17 jupiter barnyard2[2296]:         --== Initializing
Barnyard2 ==--
Oct  6 11:38:17 jupiter barnyard2[2296]: Initializing Input Plugins!
Oct  6 11:38:17 jupiter barnyard2[2296]: Initializing Output Plugins!
Oct  6 11:38:17 jupiter barnyard2[2296]: Parsing config file
"/etc/snort/etc/barnyard2.conf"
Oct  6 11:38:25 jupiter barnyard2[2296]: Log directory
= /var/log/barnyard2
Oct  6 11:38:25 jupiter barnyard2[2296]: Initializing daemon mode
Oct  6 11:38:25 jupiter barnyard2[2297]: Daemon initialized, signaled
parent pid: 2296
Oct  6 11:38:25 jupiter barnyard2[2297]: PID path stat checked out ok,
PID path set to /var/run/
Oct  6 11:38:25 jupiter barnyard2[2297]: Writing PID "2297" to file
"/var/run//barnyard2_eth0.pid"
Oct  6 11:38:25 jupiter barnyard2[2296]: Daemon parent exiting
Oct  6 11:38:26 jupiter barnyard2[2297]: FATAL ERROR: database:
mysql_error: Access denied for user 'snort'@'localhost' (using password:
YES)

... also
Oct  6 11:39:01 jupiter CRON[2300]: (root) CMD (
[ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] &&
find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin
+$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \;
-delete)

interesting...

ok welp, as you can see, i am still unable to connect locally. i will
try this cmd at terminal... to rule out some networking issue,,

stand by....


nope, also tried running as snort user, which leads me to another
question,,,

1. should i be running barnyard2 and snort processes with root, or snort
user?
the howtos mention chmoding perms chmod 777 /var/log/barnyard2 which
would imply barnyard2 should be run as non-root user...
but when i ran same cmd above logged in as snort user, i got Fatal Error:

-== Initializing Barnyard2 ==--
Oct  6 11:43:58 jupiter barnyard2[2497]: Initializing Input Plugins!
Oct  6 11:43:58 jupiter barnyard2[2497]: Initializing Output Plugins!
Oct  6 11:43:58 jupiter barnyard2[2497]: Parsing config file
"/etc/snort/etc/barnyard2.conf"
Oct  6 11:44:07 jupiter barnyard2[2497]: Log directory
= /var/log/barnyard2
Oct  6 11:44:07 jupiter barnyard2[2497]: FATAL ERROR: OpenAlertFile() =>
fopen() alert file /var/log/barnyard2/barnyard2.alert: Permission denied

so..

2. which users can/should be running snort, barnyard2 services by
default just to get this working?
i think this might be the issue, for ubuntu servers have everything
involved set as root:root and the howtos mention chmod on some dirs..
just thinking out loud,,, any suggestions about perms for dirs as well?
what works easiest and consistently with default ./configure installs.

thanks...




~#
[2]+  Done                    /usr/local/bin/barnyard2
-c /etc/snort/etc/barnyard2.conf -d /var/log/snort -f snort.log
-w /var/log/snort/barnyard2.waldo -D



---------- Forwarded message ----------
From: beenph <beenph () gmail com>
To: AllowOverride <allowoverride () gmail com>
Cc:
Date: Sat, 6 Oct 2012 04:31:46 -0400
Subject: Re: [Snort-users] mysql error prevails...
On Fri, Oct 5, 2012 at 5:59 AM, AllowOverride <allowoverride () gmail com> wrote:
you mean snort.* yes i have


Do you actually read e-mails and links sent to you such as the MySQL
documentation?


By wildcard i didn't mean * but  %

<SNIP>

Also have you tried to wildcard your access for the user you configured?

UPDATE mysql.user SET host='%' WHERE user='YOURCONFIGUREDUSER';

REF: https://dev.mysql.com/doc/refman/5.5/en/adding-users.html

And make sure to flush--privileges/reload before testing .
</SNIP>


And in your Context "YOURCONFIGUREDUSER" should be snort.

------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

--- End Message ---
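
The account checks behind the "Access denied for user 'snort'@'localhost'" error in this thread, as an added example that is not part of the original messages: it lists the account rows that can match a local snort login, resets the password on the row named in the error, and keeps the account's privileges scoped to the snort database instead of *.*. It assumes MySQL 5.5 (the version of the manual linked above) and a root session; 'CHANGE_ME' is a placeholder password, not a value from the thread.

```sql
-- Added example, MySQL 5.5 syntax; run from a root session.

-- 1. List every account row that could match a local login as snort.
--    The server sorts account rows by most specific host first, so an
--    anonymous ''@'localhost' row is tried before 'snort'@'%' for
--    connections made from localhost.
SELECT user, host, password <> '' AS has_password
  FROM mysql.user
 WHERE user IN ('snort', '')
 ORDER BY host, user;

-- 2. Reset the password on the row named in the barnyard2 error so it
--    matches the one barnyard2 is configured to send.
--    'CHANGE_ME' is a placeholder.
SET PASSWORD FOR 'snort'@'localhost' = PASSWORD('CHANGE_ME');

-- 3. Drop the global (*.*) grant shown in the SHOW GRANTS output above
--    and keep only the database-level grant on `snort`.*.
--    The privilege list is the one from the thread.
REVOKE SELECT, INSERT, UPDATE, DELETE, CREATE ON *.* FROM 'snort'@'localhost';
GRANT  SELECT, INSERT, UPDATE, DELETE, CREATE ON `snort`.* TO 'snort'@'localhost';

-- SET PASSWORD, GRANT and REVOKE take effect immediately; FLUSH PRIVILEGES
-- is only needed after editing mysql.user directly with UPDATE.
SHOW GRANTS FOR 'snort'@'localhost';

-- 4. From a session logged in as snort (mysql -u snort -p snort):
--    USER() is the identity the client presented,
--    CURRENT_USER() is the account row the server actually matched.
SELECT USER(), CURRENT_USER();
```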