[Snort-users] archivePlus problems

Jim Vonder jim_vonder at ...125...
Fri Mar 11 14:39:47 EST 2005

Thanks a ton!  It was the permission 'file' missing from the MySQL user.  
Also, thanks for the great script -- it does exactly what I was looking for.

As far as where I downloaded it, I believe I got it straight from the NTSUG 
site.  At least I eventually downloaded it from there to see if that would 
fix my problems.  I guess it's possible I got two versions from two different 
sites mixed up.  One problem I ran into was that I just edited the sample 
config file, and the application couldn't read the values from it correctly 
until I did the dos2unix.  The error I got was the same one I saw someone 
else mentioning when I did a google search -- can't connect to 'localhost, 
so I don't think I'm the only one with the problem.

-Jim Vonder

>From: Paul Schmehl <pauls at ...6838...>
>Reply-To: Paul Schmehl <pauls at ...6838...>
>To: Jim Vonder <jim_vonder at ...125...>,snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] archivePlus problems
>Date: Fri, 11 Mar 2005 15:55:53 -0600
>--On Friday, March 11, 2005 11:02:59 AM -0800 Jim Vonder 
><jim_vonder at ...125...> wrote:
>>Any ideas?  Has anyone else run it on Fedora?
>For troubleshooting purposes, there are a couple of things you can do to 
>help sort out what's going on.
>1) One of the options is -T, which defines the tmpfile location.  (I use 
>/var/db/mysql/tmp.)  Wherever it is that you are putting the tmp files, 
>you can tail the files to see what's in them.  (They're all ASCII text.)
>If there's data in there, you know that the script is reading the snort db 
>and writing to those files.
>If there's no data, check the permissions of the user you've defined in the 
>config file.  Try to login to the db from the commandline using that user 
>and its password.
>mysql -u {user} -p
>Also check the grants for that user to make sure it has the correct perms 
>to do what the script does.  For the snort db, it needs SELECT, DELETE and 
>FILE.  For the archive DB it needs INSERT, UPDATE and FILE privileges.
>N.B. The FILE privilege is very dangerous.  This account should be 
>localhost only or run over SSL and it should use a very strong password.
>2) In the archivePlus.pl script, on line 195 (immediately after this - my 
>$sensor_query = qq{SELECT * FROM sensor};), add this statement:
>DBI->trace (3, "(/path/mysql/can/write/to/)trace.out");
>This will write a trace file to the location you specify.  You can then 
>tail the file to see what caused the script to exit (success or failure). 
>This can be helpful to see exactly why the script is failing.
>Keep in mind, if you have a *lot* of events to archive, the script will run 
>for quite a while.  If that is the case, try "hardcoding" the date to limit 
>the amount of data it has to handle.  (Uncomment line 19 and set the date, 
>using the *precise* format displayed, and the script will archive anything 
>*prior* to that date.)
>E.g. if you have 20 days worth of data in the db, and you want only 7, set 
>the archive date to be 17 days ago, run the script, when it completes 
>change the date to 14 days ago, and so forth.  Of course, you can also do 
>this from the commandline by using -t N days; -t 17, then -t 14, etc.
>Hope this helps.
>Paul Schmehl (pauls at ...6838...)
>Adjunct Information Security Officer
>The University of Texas at Dallas
>AVIEN Founding Member
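As an added example that is not part of the thread or of archivePlus itself, the grants Paul lists written out as MySQL statements, with the account bound to localhost as he recommends; the database names snort and snort_archive, the user archiver and the password are placeholders:

```sql
-- Added example (not from the thread): least-privilege grants for the
-- archivePlus account, following the privilege list in Paul's reply.
-- 'snort', 'snort_archive', 'archiver' and the password are placeholders.

-- Bind the account to localhost only so the FILE-capable credential
-- cannot be presented over the network. (CREATE USER needs MySQL 5.0.2+;
-- on older servers use GRANT ... IDENTIFIED BY instead.)
CREATE USER 'archiver'@'localhost'
  IDENTIFIED BY 'replace-with-a-long-random-passphrase';

-- Source (snort) database: the script reads events and deletes the
-- rows it has archived.
GRANT SELECT, DELETE ON snort.* TO 'archiver'@'localhost';

-- Archive database: the script inserts archived rows and updates
-- existing ones.
GRANT INSERT, UPDATE ON snort_archive.* TO 'archiver'@'localhost';

-- FILE is a global privilege in MySQL and cannot be scoped to one
-- database. It is what SELECT ... INTO OUTFILE / LOAD DATA INFILE need
-- (the tmp files the script writes and reads) and it is the dangerous
-- one: it lets the account read and write any file the mysqld process
-- can reach on the server's filesystem, which is why the account should
-- be localhost-only with a strong password.
GRANT FILE ON *.* TO 'archiver'@'localhost';

-- If the script must connect remotely instead, require TLS on the
-- account rather than opening it to plaintext logins:
-- ALTER USER 'archiver'@'localhost' REQUIRE SSL;

-- Verify the result. A missing FILE line here is the condition that
-- produced the failure discussed in the thread.
SHOW GRANTS FOR 'archiver'@'localhost';
```

Run the SHOW GRANTS check as the same user you put in the archivePlus config, after logging in with `mysql -u archiver -p` as Paul suggests, so you are testing the credential the script will actually use.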

