[Snort-users] Snort + Acid w/ MySQL question(s)

roman at ...438... roman at ...438...
Fri May 11 22:04:40 EDT 2001


This is because you are trying to redefine the built-in facility
alert.  Scroll further down in the sample config file until
you find the text:

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=root password=test dbname=snort17 host=localhost
# output database: log, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort

Uncomment and configure one of these database config lines.

Roman

> If I change ruletype from redalert to alert or to log I get this:
> 
> ......
> Initializing rule chains...
> ERROR line /usr/local/bin/snort.conf (215): Duplicate keyword: alert
> su-2.04#
> 
> 
> ----- Original Message -----
> From: <roman at ...438...>
> To: "alexus" <ml at ...1718...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Friday, May 11, 2001 11:50 AM
> Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
> 
> 
> > Do you have rules which trigger on the facility "redalert"?  The
> > default rules typically are "alert" or "log".
> >
> > Roman
> >
> > > I used this file to create the rest of the tables; now all tables seem to be
> > > in place, although there are still some strange things happening:
> > >
> > > when i go to http://box.nexgen.com/acid/
> > >
> > > I don't see anything, I mean no data that snort should've put into the
> > > database... any ideas?
> > >
> > > that's part of my snort.conf about mysql db.
> > >
> > > ruletype redalert
> > > {
> > >   type alert
> > >   output alert_syslog: LOG_AUTH LOG_ALERT
> > >   output database: log, mysql, user=xxx dbname=xxx host=localhost password=xxx
> > > }
> > >
> > >
> > > ----- Original Message -----
> > > From: <roman at ...438...>
> > > To: "alexus" <ml at ...1718...>
> > > Cc: <snort-users at lists.sourceforge.net>
> > > Sent: Thursday, May 10, 2001 5:23 PM
> > > Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
> > >
> > >
> > > > OK, lets avoid the automated table creation for now.  Try running
> > > > the SQL manually (create_acid_tbls_mysql.sql)
> > > >
> > > > Roman
> > > >
> > > > > mysql> select * from user where user='alexus';
> > > > > +-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
> > > > > | Host      | User   | Password         | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
> > > > > +-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
> > > > > | localhost | alexus | 34484ed463a66850 | Y           | Y           | N           | Y           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
> > > > > +-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
> > > > > 1 row in set (0.00 sec)
> > > > >
> > > > > mysql>
> > > > >
> > > > >
> > > > > I copied and pasted the mysql output to show you that I do have all the right
> > > > > privileges.
> > > > >
> > > > > I also upgraded ACID to 0.9.6b9 (which is the latest beta as of today).
> > > > >
> > > > > it still doesn't work
> > > > >
> > > > > ----- Original Message -----
> > > > > From: <roman at ...438...>
> > > > > To: "alexus" <ml at ...1718...>
> > > > > Cc: <snort-users at lists.sourceforge.net>
> > > > > Sent: Thursday, May 10, 2001 11:18 AM
> > > > > Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
> > > > >
> > > > >
> > > > > > One observation:
> > > > > >
> > > > > > - ACID 0.9.5 does not use ADODB.  This DB abstraction was
> > > > > > introduced in 0.9.6b2 (Jan 2001).  Hence, this addition into
> > > > > > acid_conf.php will be ignored.
> > > > > >
> > > > > > Two recommendations:
> > > > > >
> > > > > > - are you sure that you have CREATE permissions on the DB
> > > > > > user set in acid_conf.php?  If all else fails, try using the
> > > > > > "create_acid_tbls_mysql.sql" to manually create the ACID
> > > > > > tables.
> > > > > >
> > > > > > - upgrade to a more recent version of ACID => 0.9.6b9.  There
> > > > > > are significant feature improvements as well as bug fixes.  If you
> > > > > > prefer an older version, upgrade to at least 0.9.6b1, for it has
> > > > > > a number of important bug fixes.
> > > > > >
> > > > > > cheers,
> > > > > > Roman
> > > > > >
> > > > > > > I'm using the following:
> > > > > > >
> > > > > > > FreeBSD 4.3 - RELEASE (STABLE)
> > > > > > > ACID-0.9.5 - RELEASE (STABLE)
> > > > > > > ADODB v1.0.1 - RELEASE (STABLE)
> > > > > > > PHP - 4.0.5 - RELEASE (STABLE)
> > > > > > > APACHE - 1.3.19 - RELEASE (STABLE)
> > > > > > > SNORT - 1.7 - RELEASE (STABLE)
> > > > > > >
> > > > > > > to compile snort i used following line:
> > > > > > > ../configure --with-mysql=/usr/local/mysql;make;make install
> > > > > > >
> > > > > > > I did change acid_conf.php: I put the path to adodb in it.
> > > > > > >
> > > > > > > In adodb, I put the local path in adodb.inc.php.
> > > > > > >
> > > > > > > When I go to http://localhost/acid it redirects me to acid_main.php and
> > > > > > > when it gets there I get this:
> > > > > > >
> > > > > > > The underlying database alexus at ...274... appears to be invalid.
> > > > > > >
> > > > > > > The database version is valid, but the ACID DB structure (table:
> > > > > > > acid_ag) is not present. Use the Setup page to configure and optimize the DB
> > > > > > >
> > > > > > > When I click on "Setup page",
> > > > > > >
> > > > > > > in the status window I get "DONE" for "Search Indexes" and I have "Create
> > > > > > > ACID AG" for "ACID tables". I'm assuming I need to click on "Create ACID AG";
> > > > > > > when I do that nothing happens: it won't disappear or change status
> > > > > > > to "DONE"... what am I missing?
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Snort-users mailing list
> > > > > > > Snort-users at lists.sourceforge.net
> > > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > > Snort-users list archive:
> > > > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > ---------------------------------------------
> > > > > > This message was sent using Voicenet WebMail.
> > > > > >       http://www.voicenet.com/webmail/
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > >
> >
> 

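Editor's added example, not code from the Snort or ACID projects and not part of the thread: a small Python pre-flight check covering the three things the thread turns on. First, a ruletype (here "redalert") that no rule ever references, so the output database: line inside it never fires. Second, a ruletype whose name reuses a built-in action (alert, log, pass, activate, dynamic), which Snort rejects with the "Duplicate keyword" error quoted above. Third, the mysql.user row quoted in the thread: it shows Create_priv = N for alexus@localhost, and a MySQL account without CREATE cannot create the acid_ag tables the Setup page is trying to build, which is exactly the CREATE permission question Roman raised. The built-in action list, the per-role privilege sets (SELECT and INSERT for the sensor; SELECT, INSERT, UPDATE, DELETE, CREATE and INDEX for ACID setup) and the config excerpt are assumptions made for this example; the user-table text is a trimmed copy of the row shown in the thread.

```python
"""Pre-flight checks for a Snort 1.x -> MySQL -> ACID pipeline.

Added example for this thread, not code from the Snort or ACID projects.
The config excerpt and the user row are constructed for it; the built-in
action list and the per-role privilege sets are assumptions.
"""
import re

# Snort's built-in rule actions; `ruletype` may only introduce new names.
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}

# Assumed minimum privileges per role: the sensor inserts events and looks
# up sensor/signature ids; ACID's Setup page creates tables and indexes.
NEEDED = {
    "snort_logger": {"Select_priv", "Insert_priv"},
    "acid_setup": {"Select_priv", "Insert_priv", "Update_priv", "Delete_priv",
                   "Create_priv", "Index_priv"},
}

RULETYPE_RE = re.compile(r"^ruletype\s+(\S+)$")
OUTPUT_DB_RE = re.compile(r"^output\s+database\s*:")
RULE_RE = re.compile(r"^(\S+)\s+(tcp|udp|icmp|ip)\s", re.IGNORECASE)


def lint_snort_conf(text):
    """Return a list of problems found in a snort.conf body (empty if clean)."""
    problems = []
    custom = {}        # custom ruletype name -> has an output database: line
    current = None     # ruletype block we are inside, if any
    global_db = False  # an output database: line outside any ruletype
    used = set()       # action names that start a rule line
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if (m := RULETYPE_RE.match(line)):
            current = m.group(1)
            if current in BUILTIN_ACTIONS:
                problems.append(f"line {lineno}: ruletype '{current}' redefines a "
                                "built-in action (Snort: 'Duplicate keyword')")
            else:
                custom[current] = False
        elif line == "}":
            current = None
        elif OUTPUT_DB_RE.match(line):
            if current is None:
                global_db = True
            elif current in custom:
                custom[current] = True
        elif (m := RULE_RE.match(line)):
            used.add(m.group(1))
    for name in custom:
        if name not in used:
            problems.append(f"ruletype '{name}' is defined but no rule uses it; "
                            "its outputs never fire")
    if not global_db and not any(custom[n] for n in custom if n in used):
        problems.append("no reachable 'output database:' line; nothing is logged "
                        "to the database")
    return problems


def parse_mysql_table(text):
    """Parse the ASCII table printed by the mysql client into row dicts."""
    def cells(line):
        return [c.strip() for c in line.strip().strip("|").split("|")]
    rows = [l for l in text.splitlines() if l.lstrip().startswith("|")]
    header = cells(rows[0])
    return [dict(zip(header, cells(r))) for r in rows[1:]]


def missing_privileges(row, role):
    """Privileges `role` needs that the mysql.user `row` does not grant."""
    return sorted(p for p in NEEDED[role] if row.get(p) != "Y")


# Constructed: the thread's ruletype, with the only rule still using 'alert'.
CONF_UNUSED = """\
ruletype redalert
{
  type alert
  output alert_syslog: LOG_AUTH LOG_ALERT
  output database: log, mysql, user=xxx password=xxx dbname=xxx host=localhost
}
alert tcp any any -> any 80 (msg:"constructed rule"; content:"/cgi-bin/";)
"""

# Constructed: the mysql.user row from the thread, trimmed to these columns.
USER_TABLE = """\
+-----------+--------+-------------+-------------+-------------+-------------+-------------+------------+
| Host      | User   | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Index_priv |
+-----------+--------+-------------+-------------+-------------+-------------+-------------+------------+
| localhost | alexus | Y           | Y           | N           | Y           | N           | N          |
+-----------+--------+-------------+-------------+-------------+-------------+-------------+------------+
"""

if __name__ == "__main__":
    for p in lint_snort_conf(CONF_UNUSED):
        print("snort.conf:", p)
    row = parse_mysql_table(USER_TABLE)[0]
    for role in NEEDED:
        print(f"{row['User']}@{row['Host']} missing for {role}:",
              missing_privileges(row, role) or "nothing")
```

Run it as a script to see both findings, or import it and call lint_snort_conf() on a real snort.conf. The privilege check is the least-privilege point worth taking from the thread: run create_acid_tbls_mysql.sql once as an administrative account, or grant CREATE to the ACID user only for that step and revoke it afterwards, and give the Snort sensor its own account that can only SELECT and INSERT.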

