Snort mailing list archives

Re: mysql error prevails...


From: AllowOverride <allowoverride () gmail com>
Date: Sat, 06 Oct 2012 19:06:08 -0700

ALRIGHTY!!! SUCCESS, finally.....

ok, it was pw related, thanks beeph.

after i spoke to you went through the configs again, and lo and
behold,,, 
you ready.... here it comes....


before:
output database: log, mysql user=snort password='hidden-pw' dbname=snort
host=localhost

after:
output database: log, mysql user=snort password=hidden-pw dbname=snort
host=localhost


sighs..... thanks for all your help trying snort-users.... im just glad
i figured it out, however,,,,,
the friggen howtos as usual have syntax errors, wrong paths, so on
forth... i know, i know, i should know better...
good news its working....

# /usr/local/bin/barnyard2 -c /etc/snort/etc/barnyard2.conf
-d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo 
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/etc/barnyard2.conf"


Log directory = /var/log/barnyard2
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = snort
database:  database name = snort
database:    sensor name = jupiter:NULL
database:      sensor id = 1
database:     sensor cid = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9 (Build 263)
 |o"  )~|  By the SecurixLive.com Team:
http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team:
http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

WARNING: Ignoring corrupt/truncated waldofile
'/var/log/snort/barnyard2.waldo'
Opened spool file '/var/log/snort/snort.log.1349504795'
Closing spool file '/var/log/snort/snort.log.1349504795'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1349548617'
Waiting for new data

ok, on the next round of questions.... 

oh oh, i wonder why barnyard2 sometimes just stops,,, ill deal
tomorrow, 
beer time. 

more to follow.... 
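As an added example (not from the thread or from the barnyard2 project), a small Python check for the quoting mistake found above: it parses an `output database:` directive, flags values wrapped in quotes, and emits the corrected line. It assumes, based only on the before/after lines in this message, that barnyard2 uses the value literally, quote characters included.

```python
import re

# Constructed samples: the two directives from the thread, on one line each.
BEFORE = ("output database: log, mysql user=snort password='hidden-pw' "
          "dbname=snort host=localhost")
AFTER = ("output database: log, mysql user=snort password=hidden-pw "
         "dbname=snort host=localhost")

# facility (log/alert), driver (mysql/postgresql/...), then key=value pairs
DIRECTIVE = re.compile(r"^output\s+database:\s*(\w+)\s*,\s*(\w+)\s+(.*)$")


def _quoted(value):
    """True when the value is wrapped in matching single or double quotes."""
    return len(value) >= 2 and value[0] == value[-1] and value[0] in "'\""


def parse_output_database(line):
    """Split a directive into (facility, driver, {key: raw value}).

    Values keep their quotes on purpose: the thread shows that
    password='x' does not authenticate while password=x does, so the
    quotes are assumed to be part of the literal value. Whitespace inside
    a value is not supported by this simple tokenizer.
    """
    m = DIRECTIVE.match(line.strip())
    if not m:
        raise ValueError("not an output database directive: %r" % line)
    facility, driver, rest = m.groups()
    params = {}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("malformed parameter %r" % token)
        params[key] = value
    return facility, driver, params


def lint_output_database(line, required=("user", "password", "dbname", "host")):
    """Return a list of findings; an empty list means the directive looks sane."""
    findings = []
    _, _, params = parse_output_database(line)
    for key in required:
        if key not in params:
            findings.append("missing parameter: %s" % key)
    for key, value in params.items():
        if _quoted(value):
            findings.append("%s is quoted; the quotes become part of the "
                            "value, use %s=%s" % (key, key, value[1:-1]))
    return findings


def fix_output_database(line):
    """Rewrite the directive with surrounding quotes stripped from every value."""
    facility, driver, params = parse_output_database(line)
    cleaned = " ".join("%s=%s" % (k, v[1:-1] if _quoted(v) else v)
                       for k, v in params.items())
    return "output database: %s, %s %s" % (facility, driver, cleaned)
```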
--- Begin Message ---
From: Jack <kingofnerds () gmail com>
Date: Sat, 6 Oct 2012 17:49:49 -0400
Remember that in some cases localhost can be assigned a different number.
You might want to verify your hosts file.
On Oct 6, 2012 4:00 PM, "AllowOverride" <allowoverride () gmail com> wrote:

snort is working for sure:

1.

# ls -alh /var/log/snort/
total 1016K
drwxr-xr-x  2 snort snort 4.0K Oct  6 11:36 .
drwxr-xr-x 13 root  root  4.0K Oct  6 10:56 ..
-rw-r--r--  1 root  root  6.8K Oct  5 23:26 alert
-rw-r--r--  1 snort snort    0 Oct  4 10:26 barnyard2.waldo
-rw-------  1 snort snort 997K Oct  6 01:43 snort.log.1349504795
-rw-------  1 snort snort    0 Oct  6 11:36 snort.log.1349548617

2.

sudo openvasd
All plugins loaded

after hitting 192.168.1.14 with openvas-client results:

# ls -alh /var/log/snort/
total 3.3M
drwxr-xr-x  2 snort snort 4.0K Oct  6 11:36 .
drwxr-xr-x 13 root  root  4.0K Oct  6 10:56 ..
-rw-r--r--  1 root  root  392K Oct  6 12:50 alert
-rw-r--r--  1 snort snort    0 Oct  4 10:26 barnyard2.waldo
-rw-------  1 snort snort 997K Oct  6 01:43 snort.log.1349504795
-rw-------  1 snort snort 2.0M Oct  6 12:50 snort.log.1349548617

I presume alert was actively logging as well as its file size grew, as
well as snort.log is now logging i use -A console option.
I wonder if -A fast does the same - makes alert and snort.log grow.
I will generate lots of traffic again with openvas and ping -f to see if
barnyard2.waldo grows at some point... little smack testing in the
network sense...


3.

here is my local.rules per howtos:

# ------------
# LOCAL RULES
# ------------
# This file intentionally does not come with signatures.  Put your local
# additions here.
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001;)

4.

snort.rules is full. i wonder what happens if i cat >> snort.rules to
local.rules lol... jk

5.

what i find interesting is how after i installed pulledpork and ran it,
it works, and when i hit 192.168.1.14 with openvas-client it logs
to /var/log/snort/snort.log, so i assume local.rules AND snort.rules are
working, but i can't tell for sure, as i can not get barnyard2 to import
the info to mysql to take a look at it, since it is unified2 format.. i
think.. can't tell:

# less /var/log/snort/snort.log.1349548617
"/var/log/snort/snort.log.1349548617" may be a binary file.  See it
anyway?

i just know the file size is growing.. good sign snort is working, and i
know it grows when i simply ping 192.168.1.14 from remote host.

6.

I'd like to import data from snort with barnyard2 into say snortreport
or base-1.4.5.

After that I will be able to try my hand at local.rule creation.

i am still stuck with barnyard2 > mysql insertion portion.

anything i am willing to try at this point, as the howtos do not really
explain more. see attached for howtos i have been using.
also, perms on some dirs were getting non-root perms like:
1210:1210 /etc/snort

7.

suggestions anyone ??? im totally open to suggestions...

more info to follow....



---------- Forwarded message ----------
From: beenph <beenph () gmail com>
To: AllowOverride <allowoverride () gmail com>
Cc:
Date: Sat, 6 Oct 2012 04:31:46 -0400
Subject: Re: [Snort-users] mysql error prevails...
On Fri, Oct 5, 2012 at 5:59 AM, AllowOverride <allowoverride () gmail com>
wrote:
you mean snort.* yes i have


Do you actually read e-mails and links sent to you such as the MySQL
documentation?


By wildcard i didn't mean * but %

<SNIP>

Also have you tried to wildcard your access for the user you configured?

UPDATE mysql.user SET host='%' WHERE user='YOURCONFIGUREDUSER';

REF: https://dev.mysql.com/doc/refman/5.5/en/adding-users.html

And make sure to flush--privileges/reload before testing .
</SNIP>


And in your Context "YOURCONFIGUREDUSER" should be snort.


------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!


--- End Message ---
