[Snort-users] Configure MySQL for multiple snort sensors

Erwin Fok Erwin at ...3172...
Thu Oct 18 07:38:10 EDT 2001


Ok!

What I think you need to do is the following:

shell> mysql --user=root mysql
mysql> INSERT INTO user VALUES('localhost','monty',PASSWORD('some_pass'),
                'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');

mysql> FLUSH PRIVILEGES;

where in localhost you put the IP of the sensor. Also you need to install some
MySQL files on the sensor which are needed for Snort to run.

After that it should work. Or it worked for me!

Please report back if this fixed your problem, so we can see all the solutions
to problems and other people can also make use of them.

Greetings,

---
Erwin Fok   			t  015 - 21 21 907
Fox-IT Forensic IT Experts	f  015 - 21 21 964
Oude Delft 47			e  erwin at ...3172...
2611 BC  Delft			i  www.fox-it.com



-----Original Message-----
From: Joe Pampel [mailto:joe at ...3851...]
Sent: Wednesday, 17 October 2001 19:17
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Configure MySQL for multiple snort sensors


Hi - 

I've been trying to get multiple snort sensors to log to a mysql database,
with no luck so far.
I edited the mysql ini file to show the database binding to the machine's IP
(not localhost)
and using port 3306.  In snort.conf I use the same settings (database at
that IP..)
and I created a user on the DB which takes the form of
"sensorname at ...3852...". What I get
when I try to fire up the sensor is an error message which says 
"database: my_sql error: Access denied for user: 'sensorname@<ip address>'
(Using password: YES)
Fatal Error. Quitting.

Now I have set passwords, I did create the user in MySQL.. (maybe I did it
wrong?) I went through the Snort 
FAQ and found nothing on multiple sensor setups. (ideally I'd like to run 4
or more of them).

For now the system (snort/mysql/acid) is running under Win32 until I can get
my 'nix up to speed. 
(I'm having trouble with the libpcap install ok?)  It runs great as one
local sensor reporting to localhost,
but now I want *more*..  Anyhow I would imagine the config issue is common
to both 
platforms. Any pointers, links to docs, cruel mocking laughter, etc all
appreciated. If I find any 
I'll post them to the list.  I'm currently looking at
http://www.mysql.com/doc/A/c/Access_denied.html 
and am hoping it will do the trick but am really hoping to find something
snort specific.. 

TIA,

Joe

btw Snort with the ACID frontend has been a real lifesaver around here for
me. One thing I didn't expect
from it was that it catches odd situations on my network and helps me
proactively fix problems while they
are small.. a nice extra.. 


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
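
Added example, not part of either poster's message: a least-privilege alternative to a mysql.user row with every privilege column set to 'Y', using one account per sensor that is valid only from that sensor's address. The database name `snort`, the account names, the 192.0.2.x addresses, the password placeholders, and the premise that a sensor needs only INSERT and SELECT are assumptions made for illustration.

```sql
-- Added example. All names, addresses and passwords are constructed placeholders.
-- Assumption: the Snort schema lives in a database named `snort`, and a sensor's
-- database output only has to INSERT events and SELECT lookup rows.

-- One account per sensor, each accepted only from that sensor's address.
-- MySQL authenticates on the (User, Host) pair, so an account defined for
-- 'localhost' does not match a sensor connecting from 192.0.2.11; the server
-- answers "Access denied for user" even when the password is correct.
CREATE USER 'sensor1'@'192.0.2.11' IDENTIFIED BY 'REPLACE_WITH_SENSOR1_SECRET';
CREATE USER 'sensor2'@'192.0.2.12' IDENTIFIED BY 'REPLACE_WITH_SENSOR2_SECRET';

-- Privileges scoped to the Snort database only. Nothing is granted globally,
-- so the privilege columns in mysql.user stay 'N' for these accounts.
-- (Servers that predate CREATE USER accept an IDENTIFIED BY clause on GRANT,
--  which creates the account in the same statement.)
GRANT INSERT, SELECT ON snort.* TO 'sensor1'@'192.0.2.11';
GRANT INSERT, SELECT ON snort.* TO 'sensor2'@'192.0.2.12';

-- Check 1: the Host value must equal the address the sensor connects from.
SELECT User, Host
  FROM mysql.user
 WHERE User LIKE 'sensor%';

-- Check 2: the effective grants should list only INSERT, SELECT ON snort.*
SHOW GRANTS FOR 'sensor1'@'192.0.2.11';
SHOW GRANTS FOR 'sensor2'@'192.0.2.12';

-- Check 3: no global privileges. Every column returned here should be 'N'.
SELECT User, Host, Select_priv, Insert_priv, Drop_priv,
       Grant_priv, File_priv, Shutdown_priv
  FROM mysql.user
 WHERE User LIKE 'sensor%';
```

Separate accounts per sensor also mean one sensor's credentials can be rotated or dropped without touching the others.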



