[Snort-users] MYSQL 4.0 root login attempt

David Naylor DNaylor at ...13086...
Wed Aug 17 09:45:43 EDT 2005


Thanks for the tips!  It does seem to stem from something killing the MySQL server as an automated process.  I'll investigate and report back.


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Paul
Schmehl
Sent: Tuesday, August 16, 2005 4:48 PM
To: Snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] MYSQL 4.0 root login attempt


--On Tuesday, August 16, 2005 16:24:36 -0500 David Naylor 
<DNaylor at ...13086...> wrote:

> It's running on Red Hat Linux (which I'm not real familiar with).  What
> is this HUPing stuff all about?
>
When the syslog daemon turns over log files, it usually restarts the 
process that writes to the file so it will begin writing to a new one.  If 
you look at man (1) kill and man (5) newsyslog.conf, you'll see what I mean.

Kill has several options it can use, including TERM, which means terminate 
the process normally, KILL, which means kill the process unconditionally, 
and HUP, which means "hangup" and restart.  If your install of snort 
created an entry in newsyslog.conf that tells syslog to turn over the snort 
logfile and HUP the daemon, that would explain why this happens every night.

RedHat uses a script called logrotate to turn over log files and restart 
daemons.  IIRC, the scripts are in /etc/logrotate.d/ (I don't use RedHat 
any more, so I'm going by memory.)  If there's a script in there named 
"snort", then it's probably restarting the daemon every night.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list