[Snort-users] RE: [PMX:#] IIS_unicode error when running snort Snort-users digest, Vol 1 #4499 - 3 msgs

Yaasin Lutta yaasin at ...12356...
Mon Aug 30 07:50:16 EDT 2004


My installation of snort is fine. When I attempt to run

snort -c /etc/snort/snort.conf -l /var/snort/log

I get an IIS_UNICODE error. Can anyone point me to where this has to be
directed to in the snort.conf file?? It's driving me batty!! Running on
linux RH9.

Help!!


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
snort-users-request at lists.sourceforge.net
Sent: Monday, 30 August 2004 9:18 AM
To: snort-users at lists.sourceforge.net
Subject: [PMX:#] Snort-users digest, Vol 1 #4499 - 3 msgs



Today's Topics:

   1. Re: Snort and MySQL [SOLVED MAYBE] (Robert Spangler)
   2. Re: glibc dependency errors installing snort (James Riden)
   3. Snort and MySQL (FAzle Rokib)

--__--__--

Message: 1
From: Robert Spangler <bms at ...4832...>
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort and MySQL [SOLVED MAYBE]
Date: Sun, 29 Aug 2004 20:02:29 -0400

On Sun August 29 2004 13:35, Robert Spangler wrote:

>  I seem to be having a problem setting up snort to use MySQL database.

I had an error in my snort.conf file

>  snort.conf has the following entry:
>
>  ===================================================
>  output database: log, MySQL, user=snort, password=******** dbname=snort
>  host=localhost
>  ===================================================

The above was placed in the wrong area of the config.  When this was
corrected snort seemed to run without any problems.


NOW


I don't think things are running correctly.  I run a scan against my
machine using CIS and it does its reporting but I never see anything in
ACID or OpenAanval.

I used the following quick setup guide written by Patrick Harper at 
http://www.internetsecurityguru.com/


-- 

Regards
Robert

Smile.....  It increases your face value.



--__--__--

Message: 2
To: "Andy" <andy at ...12349...>
Cc: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] glibc dependency errors installing snort
From: James Riden <j.riden at ...11179...>
Date: Mon, 30 Aug 2004 12:18:48 +1200

"Andy" <andy at ...12349...> writes:

> Hi,
> I'm having problems installing snort, I'm getting glibc dependency errors.
> I'm running RedHat 7.3, trying to install snort-2.1.3-1.i386.rpm
>
> I can't find a newer version of glibc other than 2.2.5 and really don't know
> what I'm doing anyway.
>
> Am I having these problems because I'm running RH 7.3? Does snort 2.1.3-1
> run on RH 7.3?
>
> Should I be installing a different package?
>
> [root at ...12350... snort]# rpm -ivh [root at ...12350... snort]# rpm -ivh
> snort-2.1.3-1.i386.rpm
> error: failed dependencies:
>         libc.so.6(GLIBC_2.3)   is needed by snort-2.1.3-1

I'd go to Fedora Core 1 at least if you can. I've done an upgrade from
7.3 to FC1 and it went OK, and snort 2.2.0 is happily working on that
machine.

Otherwise, try getting the appropriate rpms from here:
http://dag.wieers.com/packages/snort/

cheers,
 Jamie
-- 
James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/



--__--__--

Message: 3
From: "FAzle Rokib" <rokib at ...12351...>
To: <snort-users at lists.sourceforge.net>
Date: Sun, 29 Aug 2004 21:16:13 -0400
Subject: [Snort-users] Snort and MySQL


Try this:

mysql> Grant All On snort.* to snort at ...274...;

or (if you have a password for snort user)

mysql> Grant All On snort.* to snort at ...274... Identified By 'password';

[****If you have a password for snort user, you must use Identified By clause]

Message: 1
From: "Michael Steele" <michaels at ...9077...>
To: <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Snort and MySQL
Date: Sun, 29 Aug 2004 11:52:02 -0700

Looks like you have no access to the Snort database. Go back and make SURE
you can access the database with the credentials that you have in the
snort.conf file on the MySQL output database line.

Kindest regards,
Michael...

WINSNORT.com Management Team Member
-- 
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support at ...9077...
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Robert Spangler
> Sent: Sunday, August 29, 2004 10:35 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort and MySQL
>
> Hello,
>
> I seem to be having a problem setting up snort to use MySQL database.
>
> When I run 'snort -c /etc/snort/snort.conf'  I get the following:
>
> ===================================================
> Running in IDS mode
> Log directory = /var/log/snort
>
> Initializing Network Interface eth0
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort/snort.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> database: compiled support for ( MySQL )
> database: configured to use MySQL
> database:          user = snort
> database: database name = snort
> database:          host = localhost
> database:   sensor name = 192.168.1.100
> ERROR: database: MySQL_error: Access denied for user: 'snort at ...274...' (Using password: NO)
> Fatal Error, Quitting..
> ===================================================
>
>
> snort.conf has the following entry:
>
> ===================================================
> output database: log, MySQL, user=snort, password=******** dbname=snort
> host=localhost
> ===================================================
>
>
> MySQL was setup using this line for snort:
>
> ===================================================
> grant INSERT,SELECT on root.* to snort at ...274...;
> SET PASSWORD FOR snort at ...274...=PASSOWRD('********');
> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort at ...274...;
> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
> ===================================================
>
> This was a step by step guide I had followed to set this up.  I'm hoping
> someone might be able to see what I'm missing.  Thnx
>
> --
>
> Regards
> Robert
>
> Smile.....  It increases your face value.





-- __--__-- 

Message: 2
From: "pfeito" <pfeito at ...3422...>
To: "'Keith W. McCammon'" <mccammon at ...11827...>,
<snort-users at lists.sourceforge.net>,
<hackerwacker at ...3784...>
Subject: RE: [Snort-users] Slow down TCP connections
Date: Sun, 29 Aug 2004 20:13:54 +0100

I don't really have a final purpose, I'm just digging out what proactive
stuff there is out there for Snort.
I don't need it, I just thought of it, as an example of proactive
functionality and wanted to find out if there is such thing. I guess it is
kind of stupid.... although it could be useful in a snort+honeypot
scenario. Don't really put much thought in it.

> Why are you seeking an IDS to do traffic queueing ?
No. That would be like trying to cut a steak with a spoon :P !

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Keith W. McCammon
> Sent: Sunday, 29 August 2004 18:14
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Slow down TCP connections
>
> > Right now, I've just compiled and installed snort 2.2.0 with flexresp2
> > support. I'm about to test flexresp2 capabilities, but It seems to have no
> > support for slowing down TCP connections (i.e. for slowing down TCP Scans
> > for instance...)
>
> Why would Snort want to "slow down" a TCP scan?  Snort will catch it,
> and under certain circumstances, flexresp2 can reset those
> connections.  That's pretty much the extent of Snort's involvement.
>
> > Do you know any plug-in that allows Snort to slow down TCP connections speed
> > (i.e. resize TCP window size) ?
>
> No.  What would you accomplish by doing this?  Either block the
> traffic or don't.  Slowing it down won't really get you anywhere
> (it'll just take the attacker longer to do the same thing).




-- __--__-- 

Message: 3
From: "Jim Hendrick" <jrhendri at ...9784...>
To: "'pfeito'" <pfeito at ...3422...>, <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Slow down TCP connections
Date: Sun, 29 Aug 2004 16:22:28 -0400

If you are looking to slow down scans, try a tarpit (e.g. labrea)
flexrsp is really designed to reset TCP connections to halt an attack.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of pfeito
Sent: Sunday, August 29, 2004 12:57 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Slow down TCP connections


Hi Guys,

I'm searching for pro-active plug-ins for Snort.

Right now, I've just compiled and installed snort 2.2.0 with flexresp2
support. I'm about to test flexresp2 capabilities, but It seems to have no
support for slowing down TCP connections (i.e. for slowing down TCP Scans
for instance...)

Do you know any plug-in that allows Snort to slow down TCP connections speed
(i.e. resize TCP window size) ?

Thanks,
-pfeito








-- __--__-- 

Message: 4
From: "pfeito" <pfeito at ...3422...>
To: "'Jim Hendrick'" <jrhendri at ...9784...>,
<snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Slow down TCP connections
Date: Sun, 29 Aug 2004 21:36:32 +0100

That's a cool thing to play around. But right now I'm only studying plugins
or modules for Snort. The slow down functionality was only one example I
thought, but it seems not to make sense in an IDS. I'm concentrating right
now in developing one or two demos with flexresp.
Thanks,
-pfeito







-- __--__-- 

Message: 5
From: "Patrick S. Harper" <patrick at ...4250...>
To: "'Miikka Hattberg'" <miikka at ...12348...>,
   <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Snort and MySQL
Date: Sun, 29 Aug 2004 16:03:54 -0500

Not if you have your conf file set up right.  The output database line has
that info.



Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com

www.ntsug.org - Snort Users Group

"If there is no light at the end of the tunnel, get down there and light the
damn thing yourself!"

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Miikka
Hattberg
Sent: Sunday, August 29, 2004 1:49 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort and MySQL


I might be totally off, but shouldn't you specify the MySQL username in the
command when you start snort.
like ' snort -u snort -c /etc/snort/snort.conf '

m.




-- __--__-- 

Message: 6
From: "Patrick S. Harper" <patrick at ...4250...>
To: "'Michael Steele'" <michaels at ...9077...>,
   <snort-users at lists.sourceforge.net>,
   "'Robert Spangler'" <bms at ...4832...>
Subject: RE: [Snort-users] Snort and MySQL
Date: Sun, 29 Aug 2004 16:09:55 -0500

It looks like for some reason he did not give it a password in the conf
file.  The "using password: NO" is the tip off I believe.  As well as the
other output, it should look like the following.  Notice the "Database:
password is set".  He does not get that, but the other error at the end
about using no password..

What does your output line in your conf file look like?


database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = 208.14.28.12
database:     sensor id = 2
database: inconsistent cid information for sid=2
          Recovering by rolling forward the cid=35585



Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com

www.ntsug.org - Snort Users Group

"If there is no light at the end of the tunnel, get down there and light the
damn thing yourself!"
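
The check described in the message above (a healthy startup prints "database: password is set", while the failing one ends with "Using password: NO") can be run mechanically over a saved startup banner. This is an added example, not part of the original thread or of Snort; the function names and result labels are hypothetical, and the sample banners are constructed from the output quoted in this thread, with 'snort@localhost' as a placeholder account.

```python
import re

# Constructed samples modelled on the two startup banners quoted in the thread.
# 'snort@localhost' is a placeholder (the archive obscures the real account);
# the wrapped "(Using / password: NO)" mimics how the mail client broke the line.
FAILING_BANNER = """\
database: compiled support for ( MySQL )
database: configured to use MySQL
database:          user = snort
database: database name = snort
database:          host = localhost
database:   sensor name = 192.168.1.100
ERROR: database: MySQL_error: Access denied for user: 'snort@localhost' (Using
password: NO)
Fatal Error, Quitting..
"""

WORKING_BANNER = """\
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = 208.14.28.12
database:     sensor id = 2
"""

# Only the "name = value" lines the database plugin prints about itself.
FIELD_RE = re.compile(
    r"^database:\s*(user|database name|host|sensor name|sensor id)\s*=\s*(\S+)",
    re.IGNORECASE,
)
# MySQL's access-denied text, matched after line wraps have been flattened.
DENIED_RE = re.compile(
    r"Access denied for user:?\s*(\S+)\s*\(Using password: (YES|NO)\)",
    re.IGNORECASE,
)


def parse_banner(text):
    """Extract what the database output plugin reports about its own settings."""
    info = {"fields": {}, "password_set": False, "denied": None}
    # Strip mail-quote markers so a banner pasted from a reply still parses.
    lines = [raw.strip().lstrip("> ").strip() for raw in text.splitlines()]
    for line in lines:
        if line.lower() == "database: password is set":
            info["password_set"] = True
            continue
        match = FIELD_RE.match(line)
        if match:
            info["fields"][match.group(1).lower()] = match.group(2)
    # Join everything so an error wrapped across two lines is seen as one.
    flat = " ".join(" ".join(lines).split())
    denied = DENIED_RE.search(flat)
    if denied:
        info["denied"] = {
            "account": denied.group(1).replace("'", ""),
            "password_sent": denied.group(2).upper() == "YES",
        }
    return info


def diagnose(text):
    """Classify a startup banner into one of four hypothetical labels."""
    info = parse_banner(text)
    denied = info["denied"]
    if denied is None:
        # No rejection: either a password was parsed, or the account has none.
        return "ok" if info["password_set"] else "connected-without-password"
    if not denied["password_sent"]:
        # The password= value never reached the plugin: check the output line.
        return "password-not-passed"
    # A password was sent and refused: check the account and its grants.
    return "credentials-rejected"


if __name__ == "__main__":
    for name, banner in (("failing", FAILING_BANNER), ("working", WORKING_BANNER)):
        print(name, "->", diagnose(banner), parse_banner(banner)["fields"])
```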



-- __--__-- 

Message: 7
From: Juan Fernandez <Juan.Fernandez at ...2210...>
To: "'snort-users at lists.sourceforge.net'" <snort-users at lists.sourceforge.net>
Date: Mon, 30 Aug 2004 02:02:19 +0300
Subject: [Snort-users] :  setup postfix please help !!!!!!!!!!1

Hi guys,

Can someone please send to me his/her main.cf file so I can take it as an
example to config my postfix on my snort sensors?

I can't configure it alone, I messed up my main.cf file..

Please help...

All I need to configure is that the sensors will pass the mails to my
internal exchange server to my mailbox...

Please help !!!

Thanks !!!




-- __--__-- 

Message: 8
From: "Andy" <andy at ...12349...>
To: <snort-users at lists.sourceforge.net>
Date: Sun, 29 Aug 2004 18:22:48 -0500
Subject: [Snort-users] glibc dependency errors installing snort

Hi,
I'm having problems installing snort, I'm getting glibc dependency errors.
I'm running RedHat 7.3, trying to install snort-2.1.3-1.i386.rpm

I can't find a newer version of glibc other than 2.2.5 and really don't know
what I'm doing anyway.

Am I having these problems because I'm running RH 7.3? Does snort 2.1.3-1
run on RH 7.3?

Should I be installing a different package?

[root at ...12350... snort]# rpm -ivh [root at ...12350... snort]# rpm -ivh
snort-2.1.3-1.i386.rpm
error: failed dependencies:
        libc.so.6(GLIBC_2.3)   is needed by snort-2.1.3-1

totally new to this, hope you can help.

Thanks,
Andy




-- __--__-- 

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest


Try this:

mysql> Grant All On snort.* to snort at ...274...;

or (if you have a password for snort user)

mysql> Grant All On snort.* to snort at ...274... Identified By 'password';

[****If you have a password for snort user, you must use Identified By clause]
database.<BR>>=20
<BR>> When I run 'snort -c /etc/snort/snort.conf'  I get the=20
following:<BR>> <BR>>=20
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=3D=
=3D<BR>> Running in IDS=20
mode<BR>> Log directory =3D /var/log/snort<BR>> <BR>> =
Initializing=20
Network Interface eth0<BR>>=20
<BR>>         --=3D=3D =
Initializing Snort=20
=3D=3D--<BR>> Initializing Output Plugins!<BR>> Decoding Ethernet
=
on interface=20
eth0<BR>> Initializing Preprocessors!<BR>> Initializing =
Plug-ins!<BR>>=20
Parsing Rules file /etc/snort/snort.conf<BR>> <BR>>=20
+++++++++++++++++++++++++++++++++++++++++++++++++++<BR>> Initializing
=
rule=20
chains...<BR>> database: compiled support for ( MySQL )<BR>> =
database:=20
configured to use MySQL<BR>>=20
database:          user =3D
=

snort<BR>> database: database name =3D snort<BR>>=20
database:          host =3D
=

localhost<BR>> database:   sensor name =3D =
192.168.1.100<BR>>=20
ERROR: database: MySQL_error: Access denied for user: <A=20
title=3D"mailto:'snort at ...274...'"=20
href=3D"mailto:'snort at ...274...'">'snort at ...274...'</A><BR>> =
(Using<BR>>=20
password: NO)<BR>> Fatal Error, Quitting..<BR>>=20
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=3D=
=3D<BR>> <BR>> <BR>>=20
snort.conf has the following entry:<BR>> <BR>>=20
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=3D=
=3D<BR>> output database:=20
log, MySQL, user=3Dsnort, password=3D******** <BR>> dbname=3Dsnort =
host=3Dlocalhost=20
<BR>> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=3D=
=3D<BR>> <BR>>=20
<BR>> MySQL was setup using this line for snort:<BR>> <BR>>=20
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=3D=
=3D<BR>> grant INSERT,SELECT=20
on root.* to <A title=3Dmailto:snort at ...274...=20
href=3D"mailto:snort at ...274...">snort at ...274...</A>; SET PASSWORD FOR =
<BR>> <A=20
title=3D"mailto:snort at ...274...=3DPASSOWRD('********'"=20
href=3D"mailto:snort at ...274...=3DPASSOWRD('********'">snort at ...274...=3D
P=
ASSOWRD('********'</A>);<BR>>=20
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to <BR>> <A=20
title=3Dmailto:snort at ...274... =
href=3D"mailto:snort at ...274...">snort at ...274...</A>;=20
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* <BR>> to
snort;=20
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=3D=
=3D<BR>> <BR>> This was a=20
step by step guide I had followed to set this up.  I'm <BR>> =
hoping=20
someone might be able to see what I'm missing.  Thnx<BR>> =
<BR>>=20
--<BR>> <BR>> Regards<BR>> Robert<BR>> <BR>> =
Smile.....  It=20
increases your face value.<BR>> <BR>> <BR>> <BR>>=20
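Added example (not part of the original thread, and not Snort's own code): a Python version of the check described in the reply above, which looks for the "database: password is set" line and the "(Using password: NO)" error in Snort's startup output. The function name, the verdict labels and the sample text, including the account name, are assumptions constructed for illustration.

```python
import re

# Constructed samples modelled on the startup output quoted in the thread.
# The account name is a placeholder; the archive obscured the real one.
FAILING = """\
> database: configured to use MySQL
> database:          user = snort
> database: database name = snort
> database:          host = localhost
> ERROR: database: MySQL_error: Access denied for user: 'snort@localhost'
> (Using
> password: NO)
> Fatal Error, Quitting..
"""
WORKING = """\
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:     sensor id = 2
"""

FIELD = re.compile(
    r"^database:\s*(user|database name|host|sensor name|sensor id)\s*=\s*(.+?)\s*$")
DENIED = re.compile(
    r"Access denied for user:?\s*(\S+)\s*\(Using\s+password:\s*(YES|NO)\)", re.I)


def diagnose(startup_output):
    """Classify a Snort database-plugin startup log (hypothetical helper)."""
    # Strip mail quote markers so output pasted from a reply still parses.
    lines = [re.sub(r"^(?:>\s?)+", "", ln).rstrip()
             for ln in startup_output.splitlines()]
    fields = {}
    for ln in lines:
        m = FIELD.match(ln)
        if m:
            fields[m.group(1)] = m.group(2)
    password_set = any(ln.strip() == "database: password is set" for ln in lines)
    # Search the re-joined text: mail clients wrap the MySQL error across lines.
    denied = DENIED.search("\n".join(lines))
    if denied is None:
        verdict = "ok" if password_set else "no-password-line"
    elif denied.group(2).upper() == "YES":
        # A password was sent and refused: check the MySQL account and grants.
        verdict = "credentials-rejected"
    elif not password_set:
        # Snort never parsed a password from the output line: check snort.conf.
        verdict = "password-not-configured"
    else:
        verdict = "password-set-but-not-sent"
    account = denied.group(1).replace("'", "") if denied else None
    return {"fields": fields, "password_set": password_set,
            "account": account, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("failing", FAILING), ("working", WORKING)):
        print(name, diagnose(sample))
```
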
--__--__--

Message: 7
From: Juan Fernandez <Juan.Fernandez at ...12359...com>
To: "'snort-users at ...12361.....ourceforge.net'"
	<snort-users at ...4626...ceforge.net>
Date: Mon, 30 Aug 2004 02:02:19 +0300
Subject: [Snort-users] :  setup postfix please help !!!!!!!!!!1

Hi guys,

Can someone please send me his/her main.cf file so I can take it as an
example to config my postfix on my snort sensors?

I can't configure it alone, I messed up my main.cf file..

Please help...

All I need to configure is that the sensors will pass the mails to my
internal exchange server to my mailbox...

Please help !!!

Thanks !!!

--__--__--

Message: 8
From: "Andy" <andy at ...12349...>
To: <snort-users at ...4626...ceforge.net>
Date: Sun, 29 Aug 2004 18:22:48 -0500
Subject: [Snort-users] glibc dependency errors installing snort

Hi,
I'm having problems installing snort, I'm getting glibc dependency errors.
I'm running RedHat 7.3, trying to install snort-2.1.3-1.i386.rpm

I can't find a newer version of glibc other than 2.2.5 and really don't know
what I'm doing anyway.

Am I having these problems because I'm running RH 7.3? Does snort 2.1.3-1
run on RH 7.3?

Should I be installing a different package?

[root at ...12350... snort]# rpm -ivh [root at ...12350... snort]# rpm -ivh
snort-2.1.3-1.i386.rpm
error: failed dependencies:
        libc.so.6(GLIBC_2.3)   is needed by snort-2.1.3-1

totally new to this, hope you can help.

Thanks,
Andy

</DIV></DIV></BODY></HTML>

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest







