[Snort-users] ICMP PING speedera

Bruno Gimenes Pereti pereti at ...3411...
Thu Oct 18 08:35:25 EDT 2001


What does "ICMP PING speedera" do? I have a lot of them and never worried
about them because they don't look harmful. But yesterday my bind started dying
every hour and snort got just this alert and "WEB-MISC http directory
traversal" (I commented out the web-iis.alert from my snort.conf).
Here is the description of one packet (got from ACID):

IP:
  - Ver: 4
  - HdrLen: 5
  - TOS: 0
  - Length: 84
  - ID: 304
  - flags: 0
  - offset: 0
  - TTL: 49
  - checksum: 63772

ICMP
  - type: Echo Request
  - code: 0
  - checksum: 422
  - id: 21114
  - seq: 52203

The payload:
length = 56

000 : 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17   ................
010 : 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27   ........ !"#$%&'
020 : 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37   ()*+,-./01234567
030 : 38 39 3A 3B 3C 3D 3E 3F                           89:;<=>?

Thank you all.

Bruno Gimenes Pereti.


----- Original Message -----
From: "Erwin Fok" <Erwin at ...3172...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, October 18, 2001 11:36 AM
Subject: RE: [Snort-users] Configure MySQL for multiple snort sensors


> Ok!
>
> What i think u need to do is the following:
>
> shell> mysql --user=root mysql
> mysql> INSERT INTO user VALUES('localhost','monty',PASSWORD('some_pass'),
>                 'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
>
> mysql> FLUSH PRIVILEGES;
>
> where in localhost u put the IP of the sensor. Also u need to install some
> MYSQL files on the sensor which are needed for Snort to run.
>
> After that it should work. Or it worked for me!
>
> Please report back if this fixed u problem. So we can see all the
> solutions to problems. So other people can also make use of them.
>
> Greetings,
>
> - ---
> Erwin Fok   t  015 - 21 21 907
> Fox-IT Forensic IT Experts f  015 - 21 21 964
> Oude Delft 47 e  erwin at ...3172...
> 2611 BC  Delft i  www.fox-it.com
>
>
>
> -----Original Message-----
> From: Joe Pampel [mailto:joe at ...3851...]
> Sent: Wednesday, 17 October 2001 19:17
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Configure MySQL for multiple snort sensors
>
>
> Hi -
>
> I've been trying to get multiple snort sensors to log to a mysql database,
> with no luck so far.
> I edited the mysql ini file to show the database binding to the machine's
> IP (not localhost)
> and using port 3306.  In snort.conf I use the same settings (database at
> that IP..)
> and I created a user on the DB which takes the form of
> "sensorname at ...3852...". What I get
> when I try to fire up the sensor is an error message which says
> "database: my_sql error: Access denied for user: 'sensorname@<ip address>'
> (Using password: YES)
> Fatal Error. Quitting.
>
> Now I have set passwords, I did create the user in MySQL.. (maybe I did it
> wrong?) I went through the Snort
> FAQ and found nothing on multiple sensor setups. (ideally I'd like to run
> 4 or more of them).
>
> For now the system (snort/mysql/acid) is running under Win32 until I can
> get my 'nix up to speed.
> (I'm having trouble with the libpcap install ok?)  It runs great as one
> local sensor reporting to localhost,
> but now I want *more*..  Anyhow I would imagine the config issue is common
> to both
> platforms. Any pointers, links to docs, cruel mocking laughter, etc all
> appreciated. If I find any
> I'll post them to the list.  I'm currently looking at
> http://www.mysql.com/doc/A/c/Access_denied.html
> and am hoping it will do the trick but am really hoping to find something
> snort specific..
>
> TIA,
>
> Joe
>
> btw Snort with the ACID frontend has been a real lifesaver around here for
> me. One thing I didn't expect
> from it was that it catches odd situations on my network and helps me
> proactively fix problems while they
> are small.. a nice extra..
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
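An added example, not part of the original post: a consistency check on the echo request described at the top of this message. It rebuilds the ICMP message from the ACID field values, recomputes the RFC 1071 checksum, and tests whether the 56 payload bytes are a plain incrementing fill. The function names are illustrative; the field values are copied from the post.

```python
import struct

# Field values copied from the ACID packet description in the post.
IP_TOTAL_LEN, IP_HDR_WORDS = 84, 5
ICMP_TYPE, ICMP_CODE = 8, 0            # Echo Request, code 0
ICMP_CKSUM, ICMP_ID, ICMP_SEQ = 422, 21114, 52203
PAYLOAD = bytes(range(0x08, 0x40))     # the 56 bytes 08..3F from the hex dump


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:                  # pad odd-length input with a zero byte
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                 # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(cksum: int) -> bytes:
    """ICMP header (type, code, checksum, id, seq) followed by the payload."""
    header = struct.pack("!BBHHH", ICMP_TYPE, ICMP_CODE, cksum, ICMP_ID, ICMP_SEQ)
    return header + PAYLOAD


def is_incrementing(payload: bytes) -> bool:
    """True when every byte is the previous byte plus one (mod 256)."""
    return all((b - a) & 0xFF == 1 for a, b in zip(payload, payload[1:]))


def triage() -> dict:
    icmp = build_echo(0)               # checksum field is zero while computing
    computed = inet_checksum(icmp)
    return {
        "lengths_consistent": IP_HDR_WORDS * 4 + len(icmp) == IP_TOTAL_LEN,
        "computed_checksum": computed,
        "checksum_matches": computed == ICMP_CKSUM,
        # A valid message checksums to zero once the real checksum is in place.
        "verifies_to_zero": inet_checksum(build_echo(ICMP_CKSUM)) == 0,
        "payload_incrementing": is_incrementing(PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in triage().items():
        print(f"{name}: {value}")
```

All checks pass for the values in the post: the lengths add up (20 + 8 + 56 = 84), the recomputed checksum equals the reported 422, and the payload is a bare incrementing byte pattern.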




