[Snort-users] Snort + Acid w/ MySQL question(s)

roman at ...438... roman at ...438...
Sat May 12 01:22:51 EDT 2001


The debug information will be generated inline in the response
page.  Everything is browser-based.

Roman

> after i enable that debug.. where should this debug go to? some file? or
> where should i look for debug messages?
> 
> here is from mysql client
> 
> mysql> show tables;
> +------------------+
> | Tables_in_alexus |
> +------------------+
> | acid_ag          |
> | acid_ag_alert    |
> | data             |
> | detail           |
> | encoding         |
> | event            |
> | icmphdr          |
> | iphdr            |
> | opt              |
> | sensor           |
> | tcphdr           |
> | udphdr           |
> +------------------+
> 12 rows in set (0.00 sec)
> 
> mysql> desc iphdr;
> +----------+----------------------+------+-----+---------+-------+
> | Field    | Type                 | Null | Key | Default | Extra |
> +----------+----------------------+------+-----+---------+-------+
> | sid      | int(10) unsigned     |      | PRI | 0       |       |
> | cid      | int(10) unsigned     |      | PRI | 0       |       |
> | ip_src   | int(10) unsigned     |      | MUL | 0       |       |
> | ip_src0  | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_src1  | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_src2  | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_src3  | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_dst   | int(10) unsigned     |      | MUL | 0       |       |
> | ip_dst0  | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_dst1  | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_dst2  | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_dst3  | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_ver   | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_hlen  | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_tos   | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_len   | smallint(5) unsigned | YES  |     | NULL    |       |
> | ip_id    | smallint(5) unsigned | YES  |     | NULL    |       |
> | ip_flags | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_off   | smallint(5) unsigned | YES  |     | NULL    |       |
> | ip_ttl   | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_proto | tinyint(3) unsigned  |      |     | 0       |       |
> | ip_csum  | smallint(5) unsigned | YES  |     | NULL    |       |
> +----------+----------------------+------+-----+---------+-------+
> 22 rows in set (0.01 sec)
> 
> mysql>
> 
> ----- Original Message -----
> From: <roman at ...438...>
> To: "alexus" <ml at ...1718...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Friday, May 11, 2001 8:16 PM
> Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
> 
> 
> > Sorry.  I forgot that you sent a URL a couple of messages ago.
> > I loaded 0.9.6b9 with a schema v0 database, and did not get
> > the error.
> >
> > 1.  Enable ACID debugging by changing $debug_mode=1
> > (in acid_conf.php)
> > 2.  From the mysql client:
> >
> > mysql> show tables;
> > mysql> desc iphdr;
> >
> > Roman
> >
> > > What version of ACID are you running?  If you are not running
> > > 0.9.6b9, try upgrading.
> > >
> > > Roman
> > >
> > > > although couple thing still remaining/bothering me
> > > >
> > > > from acid_main.php
> > > >
> > > > > whenever I click on Source IP address or Dest IP address I get the following
> > > > > error:
> > > >
> > > > Database ERROR:Unknown column 'ip_src0' in 'field list'
> > > >
> > > > what am I missing now?
> > > >
> > > > ----- Original Message -----
> > > > From: "alexus" <ml at ...1718...>
> > > > To: <roman at ...438...>
> > > > Cc: <snort-users at lists.sourceforge.net>
> > > > Sent: Friday, May 11, 2001 10:15 PM
> > > > Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
> > > >
> > > >
> > > > > that's it! now it's working just fine! thanks a lot !
> > > > >
> > > > > ----- Original Message -----
> > > > > From: <roman at ...438...>
> > > > > To: "alexus" <ml at ...1718...>
> > > > > Cc: <snort-users at lists.sourceforge.net>
> > > > > Sent: Friday, May 11, 2001 6:04 PM
> > > > > Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
> > > > >
> > > > >
> > > > > > > This is because you are trying to redefine the built-in facility
> > > > > > > alert.  Scroll further down in the sample config file until
> > > > > > > you find the text:
> > > > > > >
> > > > > > > # database: log to a variety of databases
> > > > > > > # ---------------------------------------
> > > > > > > # See the README.database file for more information about configuring
> > > > > > > # and using this plugin.
> > > > > > > #
> > > > > > > # output database: log, mysql, user=root password=test dbname=snort17 host=localhost
> > > > > > # output database: log, postgresql, user=snort dbname=snort
> > > > > > # output database: log, unixodbc, user=snort dbname=snort
> > > > > >
> > > > > > Uncomment and configure one of these database config lines.
> > > > > >
> > > > > > Roman
> > > > > >
> > > > > > > if i change ruletype from redalert to alert or to log i get this
> > > > > > >
> > > > > > > ......
> > > > > > > Initializing rule chains...
> > > > > > > > ERROR line /usr/local/bin/snort.conf (215): Duplicate keyword: alert
> > > > > > > su-2.04#
> > > > > > >
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: <roman at ...438...>
> > > > > > > To: "alexus" <ml at ...1718...>
> > > > > > > Cc: <snort-users at lists.sourceforge.net>
> > > > > > > Sent: Friday, May 11, 2001 11:50 AM
> > > > > > > Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
> > > > > > >
> > > > > > >
> > > > > > > > > Do you have rules which trigger on the facility "redalert"?
> > > > > > > > > The default rules typically are "alert" or "log".
> > > > > > > >
> > > > > > > > Roman
> > > > > > > >
> > > > > > > > > > i used this file to create the rest of the tables, now all tables seem to be
> > > > > > > > > > in place
> > > > > > > > > > although still there are some strange things happening:
> > > > > > > > > >
> > > > > > > > > > when i go to http://box.nexgen.com/acid/
> > > > > > > > > >
> > > > > > > > > > i don't see anything, i mean no data, that snort should've put into the
> > > > > > > > > > database... any ideas?
> > > > > > > > >
> > > > > > > > > that's part of my snort.conf about mysql db.
> > > > > > > > >
> > > > > > > > > ruletype redalert
> > > > > > > > > {
> > > > > > > > >   type alert
> > > > > > > > >   output alert_syslog: LOG_AUTH LOG_ALERT
> > > > > > > > >   output database: log, mysql, user=xxx dbname=xxx
> host=localhost
> > > > > > > > > password=xxx
> > > > > > > > > }
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > ----- Original Message -----
> > > > > > > > > From: <roman at ...438...>
> > > > > > > > > To: "alexus" <ml at ...1718...>
> > > > > > > > > Cc: <snort-users at lists.sourceforge.net>
> > > > > > > > > Sent: Thursday, May 10, 2001 5:23 PM
> > > > > > > > > Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > > OK, let's avoid the automated table creation for now.  Try running
> > > > > > > > > > > the SQL manually (create_acid_tbls_mysql.sql)
> > > > > > > > > >
> > > > > > > > > > Roman
> > > > > > > > > >
> > > > > > > > > > > mysql> select * from user where user='alexus';
> > > > > > > > > > >
> > > > > > > > > > > +-----------------+------------------+
> > > > > > > > > > > | Host            | localhost        |
> > > > > > > > > > > | User            | alexus           |
> > > > > > > > > > > | Password        | 34484ed463a66850 |
> > > > > > > > > > > | Select_priv     | Y                |
> > > > > > > > > > > | Insert_priv     | Y                |
> > > > > > > > > > > | Update_priv     | N                |
> > > > > > > > > > > | Delete_priv     | Y                |
> > > > > > > > > > > | Create_priv     | N                |
> > > > > > > > > > > | Drop_priv       | N                |
> > > > > > > > > > > | Reload_priv     | N                |
> > > > > > > > > > > | Shutdown_priv   | N                |
> > > > > > > > > > > | Process_priv    | N                |
> > > > > > > > > > > | File_priv       | N                |
> > > > > > > > > > > | Grant_priv      | N                |
> > > > > > > > > > > | References_priv | N                |
> > > > > > > > > > > | Index_priv      | N                |
> > > > > > > > > > > | Alter_priv      | N                |
> > > > > > > > > > > +-----------------+------------------+
> > > > > > > > > > > 1 row in set (0.00 sec)
> > > > > > > > > > >
> > > > > > > > > > > mysql>
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > > i copied and pasted the mysql output to show you that i do have all the right
> > > > > > > > > > > > privileges
> > > > > > > > > > > >
> > > > > > > > > > > > i also upgraded acid to 0.9.6b9 (which is the latest beta for today)
> > > > > > > > > > > >
> > > > > > > > > > > > it still doesn't work
> > > > > > > > > > >
> > > > > > > > > > > ----- Original Message -----
> > > > > > > > > > > From: <roman at ...438...>
> > > > > > > > > > > To: "alexus" <ml at ...1718...>
> > > > > > > > > > > Cc: <snort-users at lists.sourceforge.net>
> > > > > > > > > > > Sent: Thursday, May 10, 2001 11:18 AM
> > > > > > > > > > > Subject: Re: [Snort-users] Snort + Acid w/ MySQL
> question(s)
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > > One observation:
> > > > > > > > > > > >
> > > > > > > > > > > > > - ACID 0.9.5 does not use ADODB.  This DB abstraction was
> > > > > > > > > > > > > introduced in 0.9.6b2 (Jan 2001).  Hence, this addition into
> > > > > > > > > > > > > acid_conf.php will be ignored.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Two recommendations:
> > > > > > > > > > > > >
> > > > > > > > > > > > > - are you sure that you have CREATE permissions on the DB
> > > > > > > > > > > > > user set in acid_conf.php?  If all else fails, try using the
> > > > > > > > > > > > > "create_acid_tbls_mysql.sql" to manually create the ACID
> > > > > > > > > > > > > tables.
> > > > > > > > > > > > >
> > > > > > > > > > > > > - upgrade to a more recent version of ACID => 0.9.6b9.  There
> > > > > > > > > > > > > are significant feature improvements as well as bug fixes.  If you
> > > > > > > > > > > > > prefer an older version, upgrade to at least 0.9.6b1 for it has
> > > > > > > > > > > > > a number of important bug fixes.
> > > > > > > > > > > >
> > > > > > > > > > > > cheers,
> > > > > > > > > > > > Roman
> > > > > > > > > > > >
> > > > > > > > > > > > > I'm using the following:
> > > > > > > > > > > > >
> > > > > > > > > > > > > FreeBSD 4.3 - RELEASE (STABLE)
> > > > > > > > > > > > > ACID-0.9.5 - RELEASE (STABLE)
> > > > > > > > > > > > > ADODB v1.0.1 - RELEASE (STABLE)
> > > > > > > > > > > > > PHP - 4.0.5 - RELEASE (STABLE)
> > > > > > > > > > > > > APACHE - 1.3.19 - RELEASE (STABLE)
> > > > > > > > > > > > > SNORT - 1.7 - RELEASE (STABLE)
> > > > > > > > > > > > >
> > > > > > > > > > > > > > to compile snort i used the following line:
> > > > > > > > > > > > > > ../configure --with-mysql=/usr/local/mysql;make;make install
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > i did change acid_conf.php i put path to adodb
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > in adodb
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > i put local path in adodb.inc.php
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > when i go to http://localhost/acid it redirects me to acid_main.php and when
> > > > > > > > > > > > > > it gets there i get this:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > The underlying database alexus at ...274... apears to be invalid.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > The database version is valid, but the ACID DB structure (table:
> > > > > > > > > > > > > > acid_ag) is not present. Use the Setup page to configure and optimize the DB
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > when i click on "Setup page"
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > in status window i get "DONE" for "Search Indexes" and i have "Create ACID
> > > > > > > > > > > > > > AG" for "ACID tables" i'm assuming i need to click on "Create ACID AG", when
> > > > > > > > > > > > > > I do that nothing happens, it won't disappear or it won't change status to
> > > > > > > > > > > > > > "DONE".. what am i missing?
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > _______________________________________________
> > > > > > > > > > > > > Snort-users mailing list
> > > > > > > > > > > > > Snort-users at lists.sourceforge.net
> > > > > > > > > > > > > Go to this URL to change user options or
> unsubscribe:
> > > > > > > > > > > > >
> http://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > > > > > > > > Snort-users list archive:
> > > > > > > > > > > > >
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > ---------------------------------------------
> > > > > > > > > > > > This message was sent using Voicenet WebMail.
> > > > > > > > > > > >       http://www.voicenet.com/webmail/
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > >
> > > > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> > >
> 
> 



---------------------------------------------
This message was sent using Voicenet WebMail.
      http://www.voicenet.com/webmail/
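The `desc iphdr` output quoted in this thread shows how the Snort/ACID schema stores an IPv4 header: `ip_src` and `ip_dst` as 32-bit unsigned integers, and `ip_src0`..`ip_src3` / `ip_dst0`..`ip_dst3` as the same addresses split into octets, which are the columns ACID's address pages select (that is why the error quoted above names `ip_src0`). One caveat on the earlier privilege question: the `mysql.user` row pasted above shows Create_priv = N, which is exactly the CREATE permission Roman asked about, and a MySQL user without it cannot have ACID's Setup page create tables. The Python below is an added example written for this page, not code from ACID, Snort or anyone in the thread: it parses a constructed IPv4 header into a row keyed by those column names, verifies the header checksum before trusting any field, and builds a parameterised INSERT for the table so that header bytes never reach the SQL string. The column names come from the thread's `desc iphdr`; the sample packet is constructed, not captured, and storing `ip_hlen` as the raw 4-bit IHL field value is an assumption.

```python
"""Map a raw IPv4 header onto the Snort/ACID `iphdr` columns (added example)."""
import socket
import struct

# Column names from the thread's `desc iphdr`, minus sid/cid, which identify
# the sensor and event rather than coming from the packet header.
IPHDR_COLUMNS = (
    "ip_src", "ip_src0", "ip_src1", "ip_src2", "ip_src3",
    "ip_dst", "ip_dst0", "ip_dst1", "ip_dst2", "ip_dst3",
    "ip_ver", "ip_hlen", "ip_tos", "ip_len", "ip_id",
    "ip_flags", "ip_off", "ip_ttl", "ip_proto", "ip_csum",
)


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, csum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_iphdr(packet: bytes) -> dict:
    """Return a dict keyed by iphdr column names; raise ValueError for a malformed header.

    ip_src/ip_dst hold the 32-bit integers (the `int(10) unsigned` columns);
    ip_src0..3 / ip_dst0..3 hold the same addresses as octets (the tinyint columns).
    """
    if len(packet) < 20:
        raise ValueError("truncated: need at least 20 bytes of IPv4 header")
    (ver_ihl, tos, tot_len, ident, flags_off,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBHII", packet[:20])
    ver, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if ver != 4:
        raise ValueError("not IPv4 (version %d)" % ver)
    if ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("bad IHL %d for %d-byte buffer" % (ihl, len(packet)))
    # Recompute the checksum over the whole header (options included) with csum zeroed;
    # a mismatch means the bytes are corrupt or crafted and must not be stored as fact.
    hdr = bytearray(packet[:ihl * 4])
    hdr[10:12] = b"\x00\x00"
    if ip_checksum(bytes(hdr)) != csum:
        raise ValueError("IPv4 header checksum mismatch")
    src_octets = struct.unpack("!4B", packet[12:16])
    dst_octets = struct.unpack("!4B", packet[16:20])
    row = {"ip_src": src, "ip_dst": dst}
    for i in range(4):
        row["ip_src%d" % i] = src_octets[i]
        row["ip_dst%d" % i] = dst_octets[i]
    row.update(
        ip_ver=ver,
        ip_hlen=ihl,               # assumption: the raw 4-bit IHL value (32-bit words)
        ip_tos=tos,
        ip_len=tot_len,
        ip_id=ident,
        ip_flags=flags_off >> 13,  # 3-bit flags: bit 1 = DF, bit 0 = MF
        ip_off=flags_off & 0x1FFF, # 13-bit fragment offset in 8-byte units
        ip_ttl=ttl,
        ip_proto=proto,
        ip_csum=csum,
    )
    return row


def dotted(ip_int: int) -> str:
    """Dotted-quad form of an `ip_src`/`ip_dst` integer, as a console would display it."""
    return socket.inet_ntoa(struct.pack("!I", ip_int))


def insert_statement(sid: int, cid: int, row: dict):
    """Parameterised INSERT for iphdr: values are bind parameters, never concatenated."""
    cols = ("sid", "cid") + IPHDR_COLUMNS
    sql = "INSERT INTO iphdr (%s) VALUES (%s)" % (
        ", ".join(cols), ", ".join("%s" for _ in cols))
    return sql, (sid, cid) + tuple(row[c] for c in IPHDR_COLUMNS)


def build_header(src: str, dst: str, proto: int = 6, ttl: int = 64,
                 ident: int = 0x1234, payload_len: int = 20, df: bool = True) -> bytes:
    """Constructed sample IPv4 header (no options) with a correct checksum."""
    flags_off = (0x2 << 13) if df else 0
    fields = [0x45, 0, 20 + payload_len, ident, flags_off, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    return raw[:10] + struct.pack("!H", ip_checksum(raw)) + raw[12:]


# Constructed sample, not captured traffic: TCP from 10.0.0.5 to 192.168.1.10.
SAMPLE = build_header("10.0.0.5", "192.168.1.10")

if __name__ == "__main__":
    parsed = parse_iphdr(SAMPLE)
    print(dotted(parsed["ip_src"]), "->", dotted(parsed["ip_dst"]), "proto", parsed["ip_proto"])
    print(insert_statement(1, 1, parsed))
```

The split into `ip_src` plus four octet columns is redundant by design: the integer column is what range queries and indexes use, while the octet columns are what the per-address report pages read, so both must be populated consistently or ACID's address views and its alert counts will disagree.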






More information about the Snort-users mailing list