[Snort-users] mysql error prevails...

beenph beenph at ...11827...
Sat Oct 6 14:59:27 EDT 2012


On Sat, Oct 6, 2012 at 2:51 PM, AllowOverride <allowoverride at ...11827...> wrote:
> ok, beenph, i did what you suggested, here are new grants for snort
> user:
>

You're not there yet.

Your user should be seen as snort@'%'

not snort@'localhost'



> mysql> show grants for 'snort'@'localhost';
> +-----------------------------------------------------------------------------------------------------------------------------------------------+
> | Grants for snort at ...274...
> |
> +-----------------------------------------------------------------------------------------------------------------------------------------------+
> | GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON *.* TO
> 'snort'@'localhost' IDENTIFIED BY PASSWORD '*hidden-sorry' |
> | GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `snort`.* TO
> 'snort'@'localhost'
> |
> +-----------------------------------------------------------------------------------------------------------------------------------------------+
> 2 rows in set (0.00 sec)
>
> mysql> flush privileges;
> Query OK, 0 rows affected (0.00 sec)
>
> 1.
> just for good measure restarting mysql service:
>
> # service mysql restart
> mysql stop/waiting
> mysql start/running, process 2114
>
> # service mysql status
> mysql start/running, process 2114
>
>
> 2.
> my.cnf unchanged:
>
> [client]
> port            = 3306
> socket          = /var/run/mysqld/mysqld.sock
>
> [mysqld_safe]
> socket          = /var/run/mysqld/mysqld.sock
> nice            = 0
>
>  localhost which is more compatible and is not less secure.
> bind-address            = 127.0.0.1
> (i changed this before, per email suggestions, now it's back to default
> 127...
>
> 3.
>
> /etc/mysql/debian.cnf  defaults:
>
> # Automatically generated for Debian scripts. DO NOT TOUCH!
> [client]
> host     = localhost
> user     = debian-sys-maint
> password = sorry-hidden
> socket   = /var/run/mysqld/mysqld.sock
> [mysql_upgrade]
> host     = localhost
> user     = debian-sys-maint
> password = sorry-hidden
> socket   = /var/run/mysqld/mysqld.sock
> basedir  = /usr
>
>
> 3.
>
> now, trying to connect again by running barnyard2:
>
> a. start snort:
>
> /usr/local/bin/snort -A fast -q -u snort -g snort
> -c /etc/snort/etort.conf -i eth0 &
> [1] 2276
>
> # tail -f /var/log/syslog
> Oct  6 11:36:57 hidden kernel: [ 2423.983662] device eth0 entered
> promiscuous mode
>
>
> b. start barnyard2:
>
> /usr/local/bin/barnyard2 -c /etc/snort/etc/barnyard2.conf
> -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D &
> [2] 2296
>
>
> Oct  6 11:38:17 jupiter barnyard2[2296]: Running in Continuous mode
> Oct  6 11:38:17 jupiter barnyard2[2296]:
> Oct  6 11:38:17 jupiter barnyard2[2296]:         --== Initializing
> Barnyard2 ==--
> Oct  6 11:38:17 jupiter barnyard2[2296]: Initializing Input Plugins!
> Oct  6 11:38:17 jupiter barnyard2[2296]: Initializing Output Plugins!
> Oct  6 11:38:17 jupiter barnyard2[2296]: Parsing config file
> "/etc/snort/etc/barnyard2.conf"
> Oct  6 11:38:25 jupiter barnyard2[2296]: Log directory
> = /var/log/barnyard2
> Oct  6 11:38:25 jupiter barnyard2[2296]: Initializing daemon mode
> Oct  6 11:38:25 jupiter barnyard2[2297]: Daemon initialized, signaled
> parent pid: 2296
> Oct  6 11:38:25 jupiter barnyard2[2297]: PID path stat checked out ok,
> PID path set to /var/run/
> Oct  6 11:38:25 jupiter barnyard2[2297]: Writing PID "2297" to file
> "/var/run//barnyard2_eth0.pid"
> Oct  6 11:38:25 jupiter barnyard2[2296]: Daemon parent exiting
> Oct  6 11:38:26 jupiter barnyard2[2297]: FATAL ERROR: database:
> mysql_error: Access denied for user 'snort'@'localhost' (using password:
> YES)
>
> ... also
> Oct  6 11:39:01 jupiter CRON[2300]: (root) CMD (
> [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] &&
> find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin
> +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \;
> -delete)
>
> interesting...
>
> ok welp, as you can see, i am still unable to connect locally. i will
> try this cmd at terminal... to rule out some networking issue,,
>
> stand by....
>
>
> nope, also tried running as snort user, which leads me to another
> question,,,
>
> 1. should i be running barnyard2 and snort processes with root, or snort
> user?
> the howtos mention chmoding perms chmod 777 /var/log/barnyard2 which
> would imply barnyard2 should be run as non-root user...
> but when i ran same cmd above logged in as snort user, i get a Fatal Error:
>
> -== Initializing Barnyard2 ==--
> Oct  6 11:43:58 jupiter barnyard2[2497]: Initializing Input Plugins!
> Oct  6 11:43:58 jupiter barnyard2[2497]: Initializing Output Plugins!
> Oct  6 11:43:58 jupiter barnyard2[2497]: Parsing config file
> "/etc/snort/etc/barnyard2.conf"
> Oct  6 11:44:07 jupiter barnyard2[2497]: Log directory
> = /var/log/barnyard2
> Oct  6 11:44:07 jupiter barnyard2[2497]: FATAL ERROR: OpenAlertFile() =>
> fopen() alert file /var/log/barnyard2/barnyard2.alert: Permission denied
>
> so..
>
> 2. which users can/should be running snort, barnyard2 services by
> default just to get this working?
> i think this might be the issue, for ubuntu servers have everything
> involved set as root:root and the howtos mention chmod on some dirs..
> just thinking out loud,,, any suggestions about perms for dirs as well?
> what works easiest and consistently with default ./configure installs.
>
> thanks...
>
>
>
>
> ~#
> [2]+  Done                    /usr/local/bin/barnyard2
> -c /etc/snort/etc/barnyard2.conf -d /var/log/snort -f snort.log
> -w /var/log/snort/barnyard2.waldo -D
>
>
>
> ---------- Forwarded message ----------
> From: beenph <beenph at ...11827...>
> To: AllowOverride <allowoverride at ...11827...>
> Cc:
> Date: Sat, 6 Oct 2012 04:31:46 -0400
> Subject: Re: [Snort-users] mysql error prevails...
> On Fri, Oct 5, 2012 at 5:59 AM, AllowOverride <allowoverride at ...11827...> wrote:
>> you mean snort.* yes i have
>>
>
> Do you actually read e-mails and links sent to you such as the MySQL
> documentation?
>
>
> By wildcard I didn't mean * but %
>
> <SNIP>
>
> Also have you tried to wildcard your access for the user you configured?
>
> UPDATE mysql.user SET host='%' WHERE user='YOURCONFIGUREDUSER';
>
> REF: https://dev.mysql.com/doc/refman/5.5/en/adding-users.html
>
> And make sure to flush--privileges/reload before testing.
> </SNIP>
>
>
> And in your context "YOURCONFIGUREDUSER" should be snort.
>

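Added example, not part of the original thread and not code from the Snort or Barnyard2 projects: SQL checks an administrator can run for the "Access denied for user 'snort'@'localhost'" error quoted above, followed by scoping the account to the snort schema only. It assumes a MySQL 5.5-era server (the version of the manual linked in the thread) and the account and database names shown in the thread's grants; the password literal is a constructed placeholder.

```sql
-- Run steps 1, 2 and 4 as a MySQL administrative user.
-- 'snort' and `snort` are the account and schema named in the thread;
-- 'CHANGE_ME_placeholder' is a constructed value, not from the thread.

-- 1. The name in the error message is the identity the client presented
--    (user name + connecting host), not necessarily a row in mysql.user.
--    List every row that can match a local login as snort. The server
--    tries more specific Host values before '%', and a named User before
--    an anonymous ('') one, so an anonymous ''@'localhost' row is chosen
--    ahead of 'snort'@'%' for local connections.
SELECT User, Host, Password <> '' AS has_password
FROM mysql.user
WHERE User IN ('snort', '')
ORDER BY (Host = '%'), Host, (User = '');

-- 2. Check whether the password configured on the client side hashes to
--    the value stored for each snort row (1 = match, 0 = mismatch).
SELECT User, Host,
       Password = PASSWORD('CHANGE_ME_placeholder') AS password_matches
FROM mysql.user
WHERE User = 'snort';

-- 3. Once a login as snort succeeds (mysql -u snort -p), compare the
--    identity the client claimed with the account row the server used.
SELECT USER() AS claimed_identity, CURRENT_USER() AS matched_account;

-- 4. Least privilege: the first grant in the thread is global (ON *.*),
--    which gives the sensor account the same rights on every database.
--    The schema-level grant is the one the snort database needs.
REVOKE SELECT, INSERT, UPDATE, DELETE, CREATE
  ON *.* FROM 'snort'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE
  ON `snort`.* TO 'snort'@'localhost';

-- The global row should now read GRANT USAGE ON *.* (login only),
-- followed by the privileges on `snort`.*.
SHOW GRANTS FOR 'snort'@'localhost';
```

GRANT and REVOKE take effect immediately; FLUSH PRIVILEGES is only needed after editing the mysql.user table directly with INSERT or UPDATE.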


