[Snort-users] mysql error prevails...

Jack kingofnerds at ...11827...
Sat Oct 6 17:49:49 EDT 2012


Remember that in some cases localhost can be assigned a different number.
You might want to verify your hosts file.
On Oct 6, 2012 4:00 PM, "AllowOverride" <allowoverride at ...11827...> wrote:

> snort is working for sure:
>
> 1.
>
> # ls -alh /var/log/snort/
> total 1016K
> drwxr-xr-x  2 snort snort 4.0K Oct  6 11:36 .
> drwxr-xr-x 13 root  root  4.0K Oct  6 10:56 ..
> -rw-r--r--  1 root  root  6.8K Oct  5 23:26 alert
> -rw-r--r--  1 snort snort    0 Oct  4 10:26 barnyard2.waldo
> -rw-------  1 snort snort 997K Oct  6 01:43 snort.log.1349504795
> -rw-------  1 snort snort    0 Oct  6 11:36 snort.log.1349548617
>
> 2.
>
> sudo openvasd
> All plugins loaded
>
> after hitting 192.168.1.14 with openvas-client results:
>
> # ls -alh /var/log/snort/
> total 3.3M
> drwxr-xr-x  2 snort snort 4.0K Oct  6 11:36 .
> drwxr-xr-x 13 root  root  4.0K Oct  6 10:56 ..
> -rw-r--r--  1 root  root  392K Oct  6 12:50 alert
> -rw-r--r--  1 snort snort    0 Oct  4 10:26 barnyard2.waldo
> -rw-------  1 snort snort 997K Oct  6 01:43 snort.log.1349504795
> -rw-------  1 snort snort 2.0M Oct  6 12:50 snort.log.1349548617
>
> I presume alert was actively logging as well, as its file size grew, as
> well as snort.log is now logging; I use the -A console option.
> I wonder if -A fast does the same - makes alert and snort.log grow.
> I will generate lots of traffic again with openvas and ping -f to see if
> barnyard2.waldo grows at some point... a little smack testing in the
> network sense...
>
>
> 3.
>
> here is my local.rules per howtos:
>
> # ------------
> # LOCAL RULES
> # ------------
> # This file intentionally does not come with signatures.  Put your local
> # additions here.
> alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001;)
>
> 4.
>
> snort.rules is full. I wonder what happens if I cat >> snort.rules to
> local.rules lol... jk
>
> 5.
>
> What I find interesting is how after I installed pulledpork and ran it,
> it works, and when I hit 192.168.1.14 with openvas-client it logs
> to /var/log/snort/snort.log, so I assume local.rules AND snort.rules are
> working, but I can't tell for sure, as I can not get barnyard2 to import
> the info to mysql to take a look at it, since it is unified2 format.. I
> think.. can't tell:
>
> # less /var/log/snort/snort.log.1349548617
> "/var/log/snort/snort.log.1349548617" may be a binary file.  See it
> anyway?
>
> I just know the file size is growing.. good sign snort is working, and I
> know it grows when I simply ping 192.168.1.14 from a remote host.
>
> 6.
>
> I'd like to import data from snort with barnyard2 into say snortreport
> or base-1.4.5.
>
> After that I will be able to try my hand at local.rule creation.
>
> I am still stuck with the barnyard2 > mysql insertion portion.
>
> Anything I'm willing to try at this point, as the howtos do not really
> explain more. See attached for the howtos I have been using.
> Also, perms on some dirs were getting non-root perms like:
> 1210:1210 /etc/snort
>
> 7.
>
> Suggestions, anyone??? I'm totally open to suggestions...
>
> more info to follow....
>
>
>
> ---------- Forwarded message ----------
> From: beenph <beenph at ...11827...>
> To: AllowOverride <allowoverride at ...11827...>
> Cc:
> Date: Sat, 6 Oct 2012 04:31:46 -0400
> Subject: Re: [Snort-users] mysql error prevails...
> On Fri, Oct 5, 2012 at 5:59 AM, AllowOverride <allowoverride at ...11827...>
> wrote:
> > you mean snort.* yes i have
> >
>
> Do you actually read e-mails and links sent to you such as the MySQL
> documentation?
>
>
> By wildcard I didn't mean * but %
>
> <SNIP>
>
> Also have you tried to wildcard your access for the user you configured?
>
> UPDATE mysql.user SET host='%' WHERE user='YOURCONFIGUREDUSER';
>
> REF: https://dev.mysql.com/doc/refman/5.5/en/adding-users.html
>
> And make sure to flush-privileges/reload before testing.
> </SNIP>
>
>
> And in your Context "YOURCONFIGUREDUSER" should be snort.
>
>
>
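As an added check (not code from the thread), this Python script assumes barnyard2 reaches MySQL over TCP and that the server sees the client address you pass in; it shows what a constructed /etc/hosts maps `localhost` to and which constructed `mysql.user` rows would accept that client, using MySQL's exact, `%`/`_` wildcard and `ip/netmask` host forms. A `'%'` row matches every host, so a row for the sensor's actual address is the narrower fix.

```python
import ipaddress
import re

# Constructed /etc/hosts content (not from the thread): "localhost" is mapped
# to 127.0.1.1 rather than the usual 127.0.0.1, the situation Jack hints at.
SAMPLE_HOSTS = """\
127.0.0.1    loopback
127.0.1.1    localhost sensor01
192.168.1.14 sensor01.lan   # the Snort sensor
"""

# Constructed rows as SELECT user, host FROM mysql.user would return them.
SAMPLE_GRANTS = [("snort", "localhost"), ("snort", "127.0.0.1"), ("root", "localhost")]


def hosts_lookup(hosts_text, name):
    """Return the address /etc/hosts assigns to `name`, or None (first match wins)."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in fields[1:]:
            return fields[0]
    return None


def host_pattern_matches(pattern, client):
    """Approximate MySQL account-host matching for the client string the server
    sees: exact name/IP, SQL wildcards (% = any run, _ = one char), and the
    'ip/netmask' form.  'localhost' is the socket connection, passed literally."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False  # pattern or client is not an IP address
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, client) is not None


def matching_accounts(grants, user, client):
    """Host patterns of `user` rows that would accept a connection from `client`."""
    return [host for (u, host) in grants if u == user and host_pattern_matches(host, client)]


if __name__ == "__main__":
    client = hosts_lookup(SAMPLE_HOSTS, "localhost")
    print("localhost resolves to", client)
    print("snort rows matching that client:", matching_accounts(SAMPLE_GRANTS, "snort", client))
    # A '%' row matches every client, so prefer adding the sensor's real address instead.
    print("'%' matches 10.9.8.7:", host_pattern_matches("%", "10.9.8.7"))
```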