[Snort-users] Snort + Acid w/ MySQL question(s)

alexus ml at ...1718...
Fri May 11 19:43:44 EDT 2001


If I change the ruletype from redalert to alert or to log I get this:

.....
Initializing rule chains...
ERROR line /usr/local/bin/snort.conf (215): Duplicate keyword: alert
su-2.04#


----- Original Message -----
From: <roman at ...438...>
To: "alexus" <ml at ...1718...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Friday, May 11, 2001 11:50 AM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)


> Do you have rules which trigger on the facility "redalert"?  The
> default rules typically are "alert" or "log".
>
> Roman
>
> > I used this file to create the rest of the tables; now all tables seem to be
> > in place, although some strange things are still happening:
> >
> > when i go to http://box.nexgen.com/acid/
> >
> > I don't see anything, I mean no data that snort should've put into the
> > database... any ideas?
> >
> > That's the part of my snort.conf about the mysql db.
> >
> > ruletype redalert
> > {
> >   type alert
> >   output alert_syslog: LOG_AUTH LOG_ALERT
> >   output database: log, mysql, user=xxx dbname=xxx host=localhost password=xxx
> > }
> >
> >
> > ----- Original Message -----
> > From: <roman at ...438...>
> > To: "alexus" <ml at ...1718...>
> > Cc: <snort-users at lists.sourceforge.net>
> > Sent: Thursday, May 10, 2001 5:23 PM
> > Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
> >
> >
> > > OK, let's avoid the automated table creation for now.  Try running
> > > the SQL manually (create_acid_tbls_mysql.sql)
> > >
> > > Roman
> > >
> > > > mysql> select * from user where user='alexus';
> > > >
> > > > +-----------------+------------------+
> > > > | Host            | localhost        |
> > > > | User            | alexus           |
> > > > | Password        | 34484ed463a66850 |
> > > > | Select_priv     | Y                |
> > > > | Insert_priv     | Y                |
> > > > | Update_priv     | N                |
> > > > | Delete_priv     | Y                |
> > > > | Create_priv     | N                |
> > > > | Drop_priv       | N                |
> > > > | Reload_priv     | N                |
> > > > | Shutdown_priv   | N                |
> > > > | Process_priv    | N                |
> > > > | File_priv       | N                |
> > > > | Grant_priv      | N                |
> > > > | References_priv | N                |
> > > > | Index_priv      | N                |
> > > > | Alter_priv      | N                |
> > > > +-----------------+------------------+
> > > > 1 row in set (0.00 sec)
> > > >
> > > > mysql>
> > > >
> > > >
> > > > I copied and pasted the mysql output to show you that I do have all the right
> > > > privileges.
> > > >
> > > > I also upgraded acid to 0.9.6b9 (which is the latest beta as of today).
> > > >
> > > > It still doesn't work.
> > > >
> > > > ----- Original Message -----
> > > > From: <roman at ...438...>
> > > > To: "alexus" <ml at ...1718...>
> > > > Cc: <snort-users at lists.sourceforge.net>
> > > > Sent: Thursday, May 10, 2001 11:18 AM
> > > > Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
> > > >
> > > >
> > > > > One observation:
> > > > >
> > > > > - ACID 0.9.5 does not use ADODB.  This DB abstraction was
> > > > > introduced in 0.9.6b2 (Jan 2001).  Hence, this addition into
> > > > > acid_conf.php will be ignored.
> > > > >
> > > > > Two recommendations:
> > > > >
> > > > > - are you sure that you have CREATE permissions on the DB
> > > > > user set in acid_conf.php?  If all else fails, try using the
> > > > > "create_acid_tbls_mysql.sql" to manually create the ACID
> > > > > tables.
> > > > >
> > > > > - upgrade to a more recent version of ACID => 0.9.6b9.  There
> > > > > are significant feature improvements as well as bug fixes.  If you
> > > > > prefer an older version, upgrade to at least 0.9.6b1 for it has
> > > > > a number of important bug fixes.
> > > > >
> > > > > cheers,
> > > > > Roman
> > > > >
> > > > > > I'm using the following:
> > > > > >
> > > > > > FreeBSD 4.3 - RELEASE (STABLE)
> > > > > > ACID-0.9.5 - RELEASE (STABLE)
> > > > > > ADODB v1.0.1 - RELEASE (STABLE)
> > > > > > PHP - 4.0.5 - RELEASE (STABLE)
> > > > > > APACHE - 1.3.19 - RELEASE (STABLE)
> > > > > > SNORT - 1.7 - RELEASE (STABLE)
> > > > > >
> > > > > > To compile snort I used the following line:
> > > > > > ../configure --with-mysql=/usr/local/mysql;make;make install
> > > > > >
> > > > > > I did change acid_conf.php: I put the path to adodb.
> > > > > >
> > > > > > In adodb I put the local path in adodb.inc.php.
> > > > > >
> > > > > > When I go to http://localhost/acid it redirects me to acid_main.php and
> > > > > > when it gets there I get this:
> > > > > >
> > > > > > The underlying database alexus at ...274... appears to be invalid.
> > > > > >
> > > > > > The database version is valid, but the ACID DB structure (table:
> > > > > > acid_ag) is not present. Use the Setup page to configure and optimize the DB
> > > > > >
> > > > > > When I click on "Setup page"
> > > > > >
> > > > > > in the status window I get "DONE" for "Search Indexes" and I have "Create
> > > > > > ACID AG" for "ACID tables". I'm assuming I need to click on "Create ACID
> > > > > > AG"; when I do that nothing happens, it won't disappear or change status
> > > > > > to "DONE".. what am I missing?
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > > Snort-users mailing list
> > > > > > Snort-users at lists.sourceforge.net
> > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > Snort-users list archive:
> > > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > ---------------------------------------------
> > > > > This message was sent using Voicenet WebMail.
> > > > >       http://www.voicenet.com/webmail/
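The thread circles around two snort.conf mistakes: a custom ruletype (redalert) that carries the database output but that no rule actually invokes, so the stock "alert"/"log" rules never reach MySQL and ACID shows nothing; and the attempted fix of renaming the block to "alert", which collides with a built-in action and produces the "Duplicate keyword: alert" error quoted at the top. Both can be caught by reading the configuration before Snort is started. The checker below is an added example written for this page, not code from the thread or from the Snort project. The list of built-in actions is an assumption for Snort 1.x, and the sample configuration and rules are constructed to mirror the posted block with placeholder credentials.

```python
"""Check a snort.conf ruletype layout against the rules that use it.

Added example, not code from the thread or from Snort.  The built-in
action list is assumed for Snort 1.x; the sample config and rules are
constructed inputs modelled on the block quoted in the thread.
"""
import re

# Rule actions built into Snort 1.x (assumed list).  A custom ruletype may
# not reuse one of these names: Snort rejects it with "Duplicate keyword".
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}

RULETYPE_RE = re.compile(r"^ruletype\s+(\S+)\s*\{?\s*$")
# A rule line starts with its action followed by a protocol keyword.
RULE_RE = re.compile(r"^(\w+)\s+(?:tcp|udp|icmp|ip)\s", re.IGNORECASE)


def parse_conf(conf_text):
    """Return (ruletypes, top_level_outputs).

    ruletypes maps each custom ruletype name to the output plugin lines
    declared inside its block; top_level_outputs lists output plugins
    declared outside any block (those serve the built-in actions).
    """
    ruletypes, top_level = {}, []
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULETYPE_RE.match(line)
        if m:
            current = m.group(1)
            ruletypes[current] = []
        elif current is not None and line == "}":
            current = None
        elif line.startswith("output "):
            target = ruletypes[current] if current else top_level
            target.append(line[len("output "):])
    return ruletypes, top_level


def actions_used(rules_text):
    """Return the set of rule actions (first keyword) used in the rules."""
    used = set()
    for raw in rules_text.splitlines():
        m = RULE_RE.match(raw.strip())
        if m:
            used.add(m.group(1).lower())
    return used


def diagnose(conf_text, rules_text):
    """Return human-readable findings; an empty list means nothing found."""
    ruletypes, top_level = parse_conf(conf_text)
    used = actions_used(rules_text)
    findings = []
    for name, outputs in ruletypes.items():
        if name.lower() in BUILTIN_ACTIONS:
            findings.append(f"ruletype '{name}' reuses a built-in action name (Duplicate keyword)")
        elif name.lower() not in used and any(o.startswith("database:") for o in outputs):
            findings.append(f"ruletype '{name}' logs to the database but no rule uses it")
    # Built-in actions only reach the database through a top-level output line.
    builtin_used = used & BUILTIN_ACTIONS
    if builtin_used and not any(o.startswith("database:") for o in top_level):
        findings.append(f"rules using {sorted(builtin_used)} have no top-level database output")
    return findings


# Constructed sample: the block as posted, rewrapped onto one line, with
# placeholder credentials.
CONF_AS_POSTED = """
ruletype redalert
{
  type alert
  output alert_syslog: LOG_AUTH LOG_ALERT
  output database: log, mysql, user=xxx dbname=xxx host=localhost password=xxx
}
"""

# Constructed sample: stock-style rules that use built-in actions only.
STOCK_RULES = """
alert tcp any any -> any 80 (msg:"constructed example"; sid:1000001;)
log udp any any -> any 53 (msg:"constructed example"; sid:1000002;)
"""

# The attempted fix from the top of the thread: renaming the block to "alert".
CONF_RENAMED = CONF_AS_POSTED.replace("ruletype redalert", "ruletype alert")

# One working layout: the rules invoke the custom action by name.
CUSTOM_RULES = STOCK_RULES.replace("alert tcp", "redalert tcp").replace("log udp", "redalert udp")

# The other: keep stock rules and declare the database output at top level.
CONF_TOP_LEVEL = "output database: log, mysql, user=xxx dbname=xxx host=localhost password=xxx\n"

if __name__ == "__main__":
    for label, conf, rules in [
        ("as posted", CONF_AS_POSTED, STOCK_RULES),
        ("renamed to alert", CONF_RENAMED, STOCK_RULES),
        ("rules use redalert", CONF_AS_POSTED, CUSTOM_RULES),
        ("top-level database output", CONF_TOP_LEVEL, STOCK_RULES),
    ]:
        print(f"[{label}]")
        for finding in diagnose(conf, rules) or ["no problems found"]:
            print("  -", finding)
```

Running it prints two findings for the posted layout (the unused redalert block and the stock rules with no top-level database output), a "Duplicate keyword" finding for the renamed block, and nothing for either of the two working layouts.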




