[Snort-users] archivePlus problems

Paul Schmehl pauls at ...6838...
Fri Mar 11 13:56:24 EST 2005


--On Friday, March 11, 2005 11:02:59 AM -0800 Jim Vonder 
<jim_vonder at ...125...> wrote:
>
> Any ideas?  Has anyone else run it on Fedora?
>
For troubleshooting purposes, there are a couple of things you can do to 
help sort out what's going on.

1) One of the options is -T, which defines the tmpfile location.  (I use 
/var/db/mysql/tmp.)  Wherever it is that you are putting the tmp files, 
you can tail the files to see what's in them.  (They're all ASCII text.)

If there's data in there, you know that the script is reading the snort db 
and writing to those files.

If there's no data, check the permissions of the user you've defined in the 
config file.  Try to login to the db from the commandline using that user 
and its password.
mysql -u {user} -p

Also check the grants for that user to make sure it has the correct perms 
to do what the script does.  For the snort db, it needs SELECT, DELETE and 
FILE.  For the archive DB it needs INSERT, UPDATE and FILE privileges.

N.B. The FILE privilege is very dangerous.  This account should be 
localhost only or run over SSL and it should use a very strong password.

2) In the archivePlus.pl script, on line 195 (immediately after this - my 
$sensor_query = qq{SELECT * FROM sensor};), add this statement:
DBI->trace (3, "(/path/mysql/can/write/to/)trace.out");

This will write a trace file to the location you specify.  You can then 
tail the file to see what caused the script to exit (success or failure). 
This can be helpful to see exactly why the script is failing.

Keep in mind, if you have a *lot* of events to archive, the script will run 
for quite a while.  If that is the case, try "hardcoding" the date to limit 
the amount of data it has to handle.  (Uncomment line 19 and set the date, 
using the *precise* format displayed, and the script will archive anything 
*prior* to that date.)

E.g. if you have 20 days worth of data in the db, and you want only 7, set 
the archive date to be 17 days ago, run the script, when it completes 
change the date to 14 days ago, and so forth.  Of course, you can also do 
this from the commandline by using -t N days; -t 17, then -t 14, etc.

Hope this helps.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

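The grant set described in the message above, written out as an added example; this is not code from the original post or from archivePlus itself. The database names `snort` and `snort_archive`, the account name `archiver`, and the sensor address `192.0.2.10` are assumptions and should be replaced with your own. One detail the post does not spell out: FILE is a global privilege in MySQL and cannot be scoped to a single database, so it has to be granted ON *.*, which is exactly why it is worth keeping the account local-only.

```sql
-- Added example (not from the original post or from archivePlus):
-- a least-privilege MySQL account for archivePlus.pl.
-- Assumed names: source db `snort`, destination db `snort_archive`,
-- account `archiver`. CREATE USER needs MySQL 5.0.2 or later; on older
-- servers use GRANT ... IDENTIFIED BY '...' instead.

-- Local-only login: the host part is 'localhost', not '%'.
CREATE USER 'archiver'@'localhost'
    IDENTIFIED BY 'replace-with-a-long-random-passphrase';

-- Source database: the script reads events and deletes the ones it has
-- archived, so it needs SELECT and DELETE there and nothing else.
GRANT SELECT, DELETE ON snort.* TO 'archiver'@'localhost';

-- Destination database: the script loads the archived rows.
GRANT INSERT, UPDATE ON snort_archive.* TO 'archiver'@'localhost';

-- FILE is a global privilege (it cannot be limited to one database), so it
-- must be granted ON *.*. It lets the account read and write any file the
-- mysqld OS user can reach, which is why the post calls it dangerous.
GRANT FILE ON *.* TO 'archiver'@'localhost';

FLUSH PRIVILEGES;

-- Verify what the account actually ended up with before running the script.
SHOW GRANTS FOR 'archiver'@'localhost';

-- If the script has to reach the database over the network, bind the
-- account to the sensor's address (assumed: 192.0.2.10) and require TLS
-- rather than opening it to every host:
--   CREATE USER 'archiver'@'192.0.2.10' IDENTIFIED BY '...';
--   GRANT USAGE ON *.* TO 'archiver'@'192.0.2.10' REQUIRE SSL;   -- MySQL 5.x
--   ALTER USER 'archiver'@'192.0.2.10' REQUIRE SSL;              -- MySQL 5.7+
-- then repeat the SELECT/DELETE, INSERT/UPDATE and FILE grants for that host.
```

The SHOW GRANTS output is the check to compare against the script's failure: if SELECT or DELETE on the snort database is missing, the tmp files stay empty; if FILE is missing, the LOAD/SELECT ... INTO OUTFILE steps fail even though `mysql -u archiver -p` logs in fine. On MySQL 5.1 and later the server option secure_file_priv can additionally confine FILE reads and writes to one directory, which is worth setting when the account must hold that privilege at all.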


