[Snort-users] RE: [PMX:#] IIS_unicode error when running snort Snort-users digest, Vol 1 #4499 - 3 msgs

permalink · #1 (**permalink**) 08-30-2004

My Installation of snort is fine when I attempt to run snort -c
/etc/snort/snort.conf -l /var/snort/log=20

I get a IIS_UNICODE error, can anyone point me to where this has to be
directed to in the snort.conf file?? It's driving me batty!! Running on
linux RH9.

Help!!

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of
snort-users-request@lists.sourceforge.net
Sent: Monday, 30 August 2004 9:18 AM
To: snort-users@lists.sourceforge.net
Subject: [PMX:#] Snort-users digest, Vol 1 #4499 - 3 msgs

Send Snort-users mailing list submissions to
snort-users@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/...fo/snort-users
or, via email, send a message with subject or body 'help' to
snort-users-request@lists.sourceforge.net

You can reach the person managing the list at
snort-users-admin@lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."

Today's Topics:

1. Re: Snort and MySQL [SOLVED MAYBE] (Robert Spangler)
2. Re: glibc dependency errors installing snort (James Riden)
3. Snort and MySQL (FAzle Rokib)

--__--__--

Message: 1
From: Robert Spangler <bms@zoominternet.net>
To: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Snort and MySQL [SOLVED MAYBE]
Date: Sun, 29 Aug 2004 20:02:29 -0400

On Sun August 29 2004 13:35, Robert Spangler wrote:

> I seem to be having a problem setting up snort to use MySQL database.

I had an error in my snort.conf file

> snort.conf has the following entry:
>
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D
> output database: log, MySQL, user=3Dsnort, password=3D********
dbname=3Dsnort
> host=3Dlocalhost
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D

The above was placed in the wrong area of the config. When this was
corrected=20
snort seemed to run without any problems.

NOW

I don't think things are running correctly. I run a scan against my
machine=20
using CIS and it does it's reporting but I never see anything in ACID or

OpenAanval.

I used the following quick setup guide written by Patrick Harper at=20
http://www.internetsecurityguru.com/

--=20

Regards
Robert

Smile..... It increases your face value.

--__--__--

Message: 2
To: "Andy" <andy@page55.com>
Cc: <snort-users@lists.sourceforge.net>
Subject: Re: [Snort-users] glibc dependency errors installing snort
From: James Riden <j.riden@massey.ac.nz>
Date: Mon, 30 Aug 2004 12:18:48 +1200

"Andy" <andy@page55.com> writes:

> Hi,
> I'm having problems installing snort, I'm getting glibc dependency
errors.
> I running RedHat 7.3, trying to install snort-2.1.3-1.i386.rpm
>
> I can't find a newer version of glibc other than 2.2.5 and really
don't know
> what I'm doing anyway.
>
> Am I having these problems because I'm running RH 7.3? Does snort
2.1.3-1
> run on RH 7.3?
>
> Should I be installing a different package?
>
> [root@tunes snort]# rpm -ivh [root@tunes snort]# rpm -ivh
> snort-2.1.3-1.i386.rpm
> error: failed dependencies:
> libc.so.6(GLIBC_2.3) is needed by snort-2.1.3-1

I'd go to Fedora Core 1 at least if you can. I've done an upgrade from
7.3 to FC1 and it went OK, and snort 2.2.0 is happily working on that
machine.

Otherwise, try getting the appropriate rpms from here:
http://dag.wieers.com/packages/snort/

cheers,
Jamie
--=20
James Riden / j.riden@massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/

--__--__--

Message: 3
From: "FAzle Rokib" <rokib@itsits.com>
To: <snort-users@lists.sourceforge.net>
Date: Sun, 29 Aug 2004 21:16:13 -0400
Subject: [Snort-users] Snort and MySQL

This is a multi-part message in MIME format.

------=3D_NextPart_000_0030_01C48E0D.6A360260
Content-Type: text/plain;
charset=3D"iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Try this:

mysql> Grant All On snort.* to snort@localhost<mailto:snort@localhost>;

or (if you have a password for snort user)=3D20

mysql> Grant All On snort.* to snort@localhost<mailto:snort@localhost> =
=3D
Identified By 'password';

[****If you have a password for snort user, you must use Identified By =
=3D
clause]

Message: 1
From: "Michael Steele" =3D
<michaels@winsnort.com<mailto:michaels@winsnort.co m>>
To: =3D
<snort-users@lists.sourceforge.net<mailto:snort-users@lists.sourceforge.
n=3D
et>>
Subject: RE: [Snort-users] Snort and MySQL
Date: Sun, 29 Aug 2004 11:52:02 -0700

Looks like you have no access to the Snort database. Go back and make =
=3D
SURE
you can access the database with the credentials that you have in the
snort.conf file on the MySQL output database line.

Kindest regards,=3D20
Michael...

WINSNORT.com Management Team Member
--=3D20
Pick up your FREE Windows or UNIX Snort installation guides =3D20
mailto:support@winsnort.com<mailto:support@winsnor t.com>
Website: http://www.winsnort.com<http://www.winsnort.com/>
Snort: Open Source Network IDS - =3D
http://www.snort.org<http://www.snort.org/>

> -----Original Message-----
> From: =3D
snort-users-admin@lists.sourceforge.net<mailto:snort-users-admin@lists.s
o=3D
urceforge.net> [mailto:snort-users-
> admin@lists.sourceforge.net<mailto:a... rceforge.net>] On =
=3D
Behalf Of Robert Spangler
> Sent: Sunday, August 29, 2004 10:35 AM
> To: =3D
snort-users@lists.sourceforge.net<ma...ers@lists.sourceforge.n
e=3D
t>
> Subject: [Snort-users] Snort and MySQL
>=3D20
> Hello,
>=3D20
> I seem to be having a problem setting up snort to use MySQL database.
>=3D20
> When I run 'snort -c /etc/snort/snort.conf' I get the following:
>=3D20
> =3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D
> Running in IDS mode
> Log directory =3D3D /var/log/snort
>=3D20
> Initializing Network Interface eth0
>=3D20
> --=3D3D=3D3D Initializing Snort =3D3D=3D3D--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort/snort.conf
>=3D20
> ++++++++++++++++++++++++++++++++++++++++++++++++++ +
> Initializing rule chains...
> database: compiled support for ( MySQL )
> database: configured to use MySQL
> database: user =3D3D snort
> database: database name =3D3D snort
> database: host =3D3D localhost
> database: sensor name =3D3D 192.168.1.100
> ERROR: database: MySQL_error: Access denied for user: =3D
'snort@localhost'<mailto:'snort@localhost'>
> (Using
> password: NO)
> Fatal Error, Quitting..
> =3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D
>=3D20
>=3D20
> snort.conf has the following entry:
>=3D20
> =3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D
> output database: log, MySQL, user=3D3Dsnort, password=3D3D******** =3D
dbname=3D3Dsnort
> host=3D3Dlocalhost
> =3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D
>=3D20
>=3D20
> MySQL was setup using this line for snort:
>=3D20
> =3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D
> grant INSERT,SELECT on root.* to =3D
snort@localhost<mailto:snort@localhost>;
> SET PASSWORD FOR =3D
snort@localhost=3D3DPASSOWRD('********'<mailto:sno rt@localhost=3D3DPASSOW=
RD(
'=3D
********'>);
> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to =3D
snort@localhost<mailto:snort@localhost>;
> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
> =3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D
>=3D20
> This was a step by step guide I had followed to set this up. I'm =3D
hoping
> someone might be able to see what I'm missing. Thnx
>=3D20
> --
>=3D20
> Regards
> Robert
>=3D20
> Smile..... It increases your face value.
>=3D20
>=3D20
>=3D20
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> =3D
http://ads.osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&op=3D3Dclick<ht tp:=
//ads
..=3D
osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&op=3D3Dclick>
> _______________________________________________
> Snort-users mailing list
> =3D
Snort-users@lists.sourceforge.net<ma...ers@lists.sourceforge.n
e=3D
t>
> Go to this URL to change user options or unsubscribe:
> =3D
https://lists.sourceforge.net/lists/listinfo/snort-users<https://lists.s
o=3D
urceforge.net/lists/listinfo/snort-users>
> Snort-users list archive:
> =3D
http://www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users<http://www.g=
e
o=3D
crawler.com/redir-sf.php3?list=3D3Dsnort-users>

-- __--__--=20

Message: 2
From: "pfeito" <pfeito@netcabo.pt<mailto:pfeito@netcabo.pt>>
To: "'Keith W. McCammon'" =3D
<mccammon@gmail.com<mailto:mccammon@gmail.com>>,
<snort-users@lists.sourceforge.net<mailto:snort-users@lists.sourceforge.
n=3D
et>>,
<hackerwacker@cybermesa.com<mailto:hackerwacker@cy bermesa.com>>
Subject: RE: [Snort-users] Slow down TCP connections
Date: Sun, 29 Aug 2004 20:13:54 +0100

I don't really have a final purpose, I'm just digging out what proactive
stuff there is out there for Snort.=3D20
I don't need it, I just thought of it, as an example of proactive
functionality and wanted to find out if there is such thing. I guess it
=3D
is
kind of stupid.... although it could be useful in an snort+honeypot
scenario. Don't really put much though in it.

> Why are you seeking and IDS to do traffic queueing ?
No. That would be like trying to cut a steak with a spoon :P !

> -----Original Message-----
> From: =3D
snort-users-admin@lists.sourceforge.net<mailto:snort-users-admin@lists.s
o=3D
urceforge.net> [mailto:snort-users-
> admin@lists.sourceforge.net<mailto:a... rceforge.net>] On =
=3D
Behalf Of Keith W. McCammon
> Sent: domingo, 29 de Agosto de 2004 18:14
> To: =3D
snort-users@lists.sourceforge.net<ma...ers@lists.sourceforge.n
e=3D
t>
> Subject: Re: [Snort-users] Slow down TCP connections
>=3D20
> > Right know, I've just compiled and installed snort 2.2.0 with =3D
flexresp2
> > support. I'm about to test flexresp2 capabilities, but It seems to =
=3D
have
> no
> > support for slowing down TCP connections (i.e. for slowing down TCP
> Scans
> > for instance...)
>=3D20
> Why would Snort want to "slow down" a TCP scan? Snort will catch it,
> and under certain circumstances, flexresp2 can reset those
> connections. That's pretty much the extent of Snort's involvement.
>=3D20
> > Do you know any plug-in that allows Snort to slow down TCP =3D
connections
> speed
> > (i.e. resize TCP window size) ?
>=3D20
> No. What would you accomplish by doing this? Either block the
> traffic or don't. Slowing it down won't really get you anywhere
> (it'll just take the attacker longer to do the same thing).
>=3D20
>=3D20
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> =3D
http://ads.osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&op=3D3Dclick<ht tp:=
//ads
..=3D
osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&op=3D3Dclick>
> _______________________________________________
> Snort-users mailing list
> =3D
Snort-users@lists.sourceforge.net<ma...ers@lists.sourceforge.n
e=3D
t>
> Go to this URL to change user options or unsubscribe:
> =3D
https://lists.sourceforge.net/lists/listinfo/snort-users<https://lists.s
o=3D
urceforge.net/lists/listinfo/snort-users>
> Snort-users list archive:
> =3D
http://www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users<http://www.g=
e
o=3D
crawler.com/redir-sf.php3?list=3D3Dsnort-users>

-- __--__--=20

Message: 3
From: "Jim Hendrick" =3D
<jrhendri@maine.rr.com<mailto:jrhendri@maine.rr.co m>>
To: "'pfeito'" <pfeito@netcabo.pt<mailto:pfeito@netcabo.pt>>, =3D
<snort-users@lists.sourceforge.net<mailto:snort-users@lists.sourceforge.
n=3D
et>>
Subject: RE: [Snort-users] Slow down TCP connections
Date: Sun, 29 Aug 2004 16:22:28 -0400

If you are looking to slow down scans, try a tarpit (e.g. labrea)
flexrsp is really designed to reset TCP connections to halt an attack.

-----Original Message-----
From: =3D
snort-users-admin@lists.sourceforge.net<mailto:snort-users-admin@lists.s
o=3D
urceforge.net>
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of pfeito
Sent: Sunday, August 29, 2004 12:57 PM
To: =3D
snort-users@lists.sourceforge.net<ma...ers@lists.sourceforge.n
e=3D
t>
Subject: [Snort-users] Slow down TCP connections

Hi Guys,

I'm searching for pro-active plug-ins for Snort.=3D3D20

Right know, I've just compiled and installed snort 2.2.0 with flexresp2
support. I'm about to test flexresp2 capabilities, but It seems to have
=3D
=3D3D
no
support for slowing down TCP connections (i.e. for slowing down TCP =
=3D3D
Scans
for instance...)

Do you know any plug-in that allows Snort to slow down TCP connections =
=3D
=3D3D
speed
(i.e. resize TCP window size) ?

Thanks,
-pfeito

-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=3D3D3D504...p=3D3D3Dclick=
<http
:=3D
//ads.osdn.com/?ad_id=3D3D3D5047&alloc_id=3D3D3D10808&op=3D3D3Dcl ick>
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net<ma...ers@lists.sourceforge.n
e=3D
t>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users<https://lists.s
o=3D
urceforge.net/lists/listinfo/snort-users>
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=3D3D3Dsnort-users<http://www=
..
g=3D
eocrawler.com/redir-sf.php3?list=3D3D3Dsnort-users>

-- __--__--=20

Message: 4
From: "pfeito" <pfeito@netcabo.pt<mailto:pfeito@netcabo.pt>>
To: "'Jim Hendrick'" =3D
<jrhendri@maine.rr.com<mailto:jrhendri@maine.rr.co m>>,
<snort-users@lists.sourceforge.net<mailto:snort-users@lists.sourceforge.
n=3D
et>>
Subject: RE: [Snort-users] Slow down TCP connections
Date: Sun, 29 Aug 2004 21:36:32 +0100

That's a cool thing to play around. But right now I'm only studying =3D
plugins
or modules for Snort. The slow down functionality was only one I example
=3D
I
thought, but it seems not to make sense in a IDS. I'm concentrating =3D
right
now in developing one or two demos with flexresp.
Thanks,
-pfeito

> -----Original Message-----
> From: Jim Hendrick [mailto:jrhendri@maine.rr.com]
> Sent: domingo, 29 de Agosto de 2004 21:22
> To: 'pfeito'; =3D
snort-users@lists.sourceforge.net<ma...ers@lists.sourceforge.n
e=3D
t>
> Subject: RE: [Snort-users] Slow down TCP connections
>=3D20
> If you are looking to slow down scans, try a tarpit (e.g. labrea)
> flexrsp is really designed to reset TCP connections to halt an attack.
>=3D20
> -----Original Message-----
> From: =3D
snort-users-admin@lists.sourceforge.net<mailto:snort-users-admin@lists.s
o=3D
urceforge.net>
> [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of pfeito
> Sent: Sunday, August 29, 2004 12:57 PM
> To: =3D
snort-users@lists.sourceforge.net<ma...ers@lists.sourceforge.n
e=3D
t>
> Subject: [Snort-users] Slow down TCP connections
>=3D20
>=3D20
> Hi Guys,
>=3D20
> I'm searching for pro-active plug-ins for Snort.
>=3D20
> Right know, I've just compiled and installed snort 2.2.0 with =3D
flexresp2
> support. I'm about to test flexresp2 capabilities, but It seems to =3D
have no
> support for slowing down TCP connections (i.e. for slowing down TCP =
=3D
Scans
> for instance...)
>=3D20
> Do you know any plug-in that allows Snort to slow down TCP connections
> speed
> (i.e. resize TCP window size) ?
>=3D20
> Thanks,
> -pfeito
>=3D20
>=3D20
>=3D20
>=3D20
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> =3D
http://ads.osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&op=3D3Dclick<ht tp:=
//ads
..=3D
osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&op=3D3Dclick>
> _______________________________________________
> Snort-users mailing list
> =3D
Snort-users@lists.sourceforge.net<ma...ers@lists.sourceforge.n
e=3D
t>
> Go to this URL to change user options or unsubscribe:
> =3D
https://lists.sourceforge.net/lists/listinfo/snort-users<https://lists.s
o=3D
urceforge.net/lists/listinfo/snort-users>
> Snort-users list archive:
> =3D
http://www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users<http://www.g=
e
o=3D
crawler.com/redir-sf.php3?list=3D3Dsnort-users>
>=3D20

-- __--__--=20

Message: 5
From: "Patrick S. Harper" =3D
<patrick@internetsecurityguru.com<mailto:patrick@i nternetsecurityguru.co
m=3D
>>
To: "'Miikka Hattberg'" <miikka@miikkah.org<mailto:miikka@miikkah.org>>,
=3D
<snort-users@lists.sourceforge.net<mailto:snort-users@lists.sourceforge.
n=3D
et>>
Subject: RE: [Snort-users] Snort and MySQL
Date: Sun, 29 Aug 2004 16:03:54 -0500

Not if you have your conf file set up right. The output database line =
=3D
has
that info. =3D20

Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com<http://www.internetsecurityguru.com/>

www.ntsug.org<http://www.ntsug.org/> - Snort Users Group

"If there is no light at the end of the tunnel, get down there and light
=3D
the
damn thing yourself!"
=3D20
-----Original Message-----
From: =3D
snort-users-admin@lists.sourceforge.net<mailto:snort-users-admin@lists.s
o=3D
urceforge.net>
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Miikka
Hattberg
Sent: Sunday, August 29, 2004 1:49 PM
To: =3D
snort-users@lists.sourceforge.net<ma...ers@lists.sourceforge.n
e=3D
t>
Subject: Re: [Snort-users] Snort and MySQL

I might be totally off, but shouldn't you specify the MySQL username in
=3D
the
command whe you start snort.
like ' snort -u snort -c /etc/snort/snort.conf '

m.

Robert Spangler wrote:

>Hello,
>
>I seem to be having a problem setting up snort to use MySQL database.
>
>When I run 'snort -c /etc/snort/snort.conf' I get the following:
>
>=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3 D=3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3
D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D
>Running in IDS mode
>Log directory =3D3D /var/log/snort
>
>Initializing Network Interface eth0
>
> --=3D3D=3D3D Initializing Snort =3D3D=3D3D--
>Initializing Output Plugins!
>Decoding Ethernet on interface eth0
>Initializing Preprocessors!
>Initializing Plug-ins!
>Parsing Rules file /etc/snort/snort.conf
>
>+++++++++++++++++++++++++++++++++++++++++++++++++ ++
>Initializing rule chains...
>database: compiled support for ( MySQL )
>database: configured to use MySQL
>database: user =3D3D snort
>database: database name =3D3D snort
>database: host =3D3D localhost
>database: sensor name =3D3D 192.168.1.100
>ERROR: database: MySQL_error: Access denied for user: =3D
'snort@localhost'<mailto:'snort@localhost'>=3D20
>(Using
>password: NO)
>Fatal Error, Quitting..
>=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3 D=3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3
D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D
>
>
>snort.conf has the following entry:
>
>=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3 D=3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3
D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D
>output database: log, MySQL, user=3D3Dsnort, password=3D3D******** =3D
dbname=3D3Dsnort=3D20
>host=3D3Dlocalhost =3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D
>
>
>MySQL was setup using this line for snort:
>
>=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3 D=3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3
D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D
>grant INSERT,SELECT on root.* to =3D
snort@localhost<mailto:snort@localhost>; SET PASSWORD FOR=3D20
>snort@localhost=3D3DPASSOWRD('********');
>grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to =3D
snort@localhost<mailto:snort@localhost>;=3D20
>grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;=3D20
>=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3 D=3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3
D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D
>
>This was a step by step guide I had followed to set this up. I'm=3D20
>hoping someone might be able to see what I'm missing. Thnx
>
> =3D20
>

-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java =3D
Enterprise
J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&op=3D3Dclick<ht tp:=
//ads
..=3D
osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&op=3D3Dclick>
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net<ma...ers@lists.sourceforge.n
e=3D
t>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users<https://lists.s
o=3D
urceforge.net/lists/listinfo/snort-users>
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users<http://www.g=
e
o=3D
crawler.com/redir-sf.php3?list=3D3Dsnort-users>

-- __--__--=20

Message: 6
From: "Patrick S. Harper" =3D
<patrick@internetsecurityguru.com<mailto:patrick@i nternetsecurityguru.co
m=3D
>>
To: "'Michael Steele'" =3D
<michaels@winsnort.com<mailto:michaels@winsnort.co m>>,
=3D
<snort-users@lists.sourceforge.net<mailto:snort-users@lists.sourceforge.
n=3D
et>>,
"'Robert Spangler'" =3D
<bms@zoominternet.net<mailto:bms@zoominternet.net> >
Subject: RE: [Snort-users] Snort and MySQL
Date: Sun, 29 Aug 2004 16:09:55 -0500

=3D20
It looks like for some reason he did not give it a password in the conf
file. The "using password: NO" is the tip off I believe. As well as =
=3D
the
other output, it should look like the following. Notice the "Database:
password is set". He does not get that, but the other error at the end
about using no password.. =3D20

What does your output line in your conf file look like?

database: compiled support for ( mysql )
database: configured to use mysql
database: user =3D3D snort
database: password is set
database: database name =3D3D snort
database: host =3D3D localhost
database: sensor name =3D3D 208.14.28.12
database: sensor id =3D3D 2
database: inconsistent cid information for sid=3D3D2
Recovering by rolling forward the cid=3D3D35585

Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com<http://www.internetsecurityguru.com/>

www.ntsug.org<http://www.ntsug.org/> - Snort Users Group

"If there is no light at the end of the tunnel, get down there and light
=3D
the
damn thing yourself!"
=3D20
-----Original Message-----
From: =3D
snort-users-admin@lists.sourceforge.net<mailto:snort-users-admin@lists.s
o=3D
urceforge.net>
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Michael =
=3D
Steele
Sent: Sunday, August 29, 2004 1:52 PM
To: =3D
snort-users@lists.sourceforge.net<ma...ers@lists.sourceforge.n
e=3D
t>
Subject: RE: [Snort-users] Snort and MySQL

Looks like you have no access to the Snort database. Go back and make =
=3D
SURE
you can access the database with the credentials that you have in the
snort.conf file on the MySQL output database line.

Kindest regards,
Michael...

WINSNORT.com Management Team Member
--=3D20
Pick up your FREE Windows or UNIX Snort installation guides =3D20
mailto:support@winsnort.com<mailto:support@winsnor t.com>
Website: http://www.winsnort.com<http://www.winsnort.com/>
Snort: Open Source Network IDS - =3D
http://www.snort.org<http://www.snort.org/>

> -----Original Message-----
> From: =3D
snort-users-admin@lists.sourceforge.net<mailto:snort-users-admin@lists.s
o=3D
urceforge.net> [mailto:snort-users-=3D20
> admin@lists.sourceforge.net<mailto:a... rceforge.net>] On =
=3D
Behalf Of Robert Spangler
> Sent: Sunday, August 29, 2004 10:35 AM
> To: =3D
snort-users@lists.sourceforge.net<ma...ers@lists.sourceforge.n
e=3D
t>
> Subject: [Snort-users] Snort and MySQL
>=3D20
> Hello,
>=3D20
> I seem to be having a problem setting up snort to use MySQL database.
>=3D20
> When I run 'snort -c /etc/snort/snort.conf' I get the following:
>=3D20
> =3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D
> Running in IDS mode
> Log directory =3D3D /var/log/snort
>=3D20
> Initializing Network Interface eth0
>=3D20
> --=3D3D=3D3D Initializing Snort =3D3D=3D3D--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort/snort.conf
>=3D20
> ++++++++++++++++++++++++++++++++++++++++++++++++++ +
> Initializing rule chains...
> database: compiled support for ( MySQL )
> database: configured to use MySQL
> database: user =3D3D snort
> database: database name =3D3D snort
> database: host =3D3D localhost
> database: sensor name =3D3D 192.168.1.100
> ERROR: database: MySQL_error: Access denied for user: =3D
'snort@localhost'<mailto:'snort@localhost'>
> (Using
> password: NO)
> Fatal Error, Quitting..
> =3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D
>=3D20
>=3D20
> snort.conf has the following entry:
>=3D20
> =3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D
> output database: log, MySQL, user=3D3Dsnort, =
password=3D3D********=3D20
> dbname=3D3Dsnort host=3D3Dlocalhost=3D20
> =3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D
>=3D20
>=3D20
> MySQL was setup using this line for snort:
>=3D20
> =3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D
> grant INSERT,SELECT on root.* to =3D
snort@localhost<mailto:snort@localhost>; SET PASSWORD FOR=3D20
> =3D
snort@localhost=3D3DPASSOWRD('********'<mailto:sno rt@localhost=3D3DPASSOW=
RD(
'=3D
********'>);
> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to=3D20
> snort@localhost<mailto:snort@localhost>; grant =3D
CREATE,INSERT,SELECT,DELETE,UPDATE on snort.*=3D20
> to snort; =3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D
>=3D20
> This was a step by step guide I had followed to set this up. I'm=3D20
> hoping someone might be able to see what I'm missing. Thnx
>=3D20
> --
>=3D20
> Regards
> Robert
>=3D20
> Smile..... It increases your face value.
>=3D20
>=3D20
>=3D20
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java=3D20
> Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> =3D
http://ads.osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&op=3D3Dclick<ht tp:=
//ads
..=3D
osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&op=3D3Dclick>
> _______________________________________________
> Snort-users mailing list
> =3D
Snort-users@lists.sourceforge.net<ma...ers@lists.sourceforge.n
e=3D
t>
> Go to this URL to change user options or unsubscribe:
> =3D
https://lists.sourceforge.net/lists/listinfo/snort-users<https://lists.s
o=3D
urceforge.net/lists/listinfo/snort-users>
> Snort-users list archive:
> =3D
http://www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users<http://www.g=
e
o=3D
crawler.com/redir-sf.php3?list=3D3Dsnort-users>

-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java =3D
Enterprise
J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&op=3D3Dclick<ht tp:=
//ads
..=3D
osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&op=3D3Dclick>
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net<ma...ers@lists.sourceforge.n
e=3D
t>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users<https://lists.s
o=3D
urceforge.net/lists/listinfo/snort-users>
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users<http://www.g=
e
o=3D
crawler.com/redir-sf.php3?list=3D3Dsnort-users>

-- __--__--=20

Message: 7
From: Juan Fernandez =3D
<Juan.Fernandez@deltathree.com<mailto:Juan.Fernand ez@deltathree.com>>
To: =3D
"'snort-users@lists.sourceforge.net'<mailto:'snort-users@lists.sourcefor
g=3D
e.net'>"
<snort-users@lists.sourceforge.net<mailto:snort-users@lists.sourceforge.
n=3D
et>>
Date: Mon, 30 Aug 2004 02:02:19 +0300
Subject: [Snort-users] : setup postfix please help !!!!!!!!!!1

This message is in MIME format. Since your mail reader does not =3D
understand
this format, some or all of this message may not be legible.

------_=3D3D_NextPart_001_01C48E1C.3533D7EB
Content-Type: text/plain;
charset=3D3D"iso-8859-1"

=3D20
=3D20

Hi guys,=3D20

=3D20

Can someone please send to me his/heres main.cf file so I can take it as
=3D
an
example to config my postfix on mt snort sesnsors?

=3D20

I cant configure it aloe I massed up my main.cf file..

=3D20

Please help...

=3D20

All I need to configure is that the sensors will pass the mails to my
internal exchange server to my mailbox...

=3D20

Please help !!!

=3D20

Thanks !!!

------_=3D3D_NextPart_001_01C48E1C.3533D7EB
Content-Type: text/html;
charset=3D3D"iso-8859-1"

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML =3D
xmlns=3D3D"http://www.w3.org/TR/REC-html40<http://www.w3.org/TR/REC-html4=
0
>=3D
" xmlns:o =3D3D=3D20
"urn:schemas-microsoft-com:office:office" xmlns:w =3D3D=3D20
"urn:schemas-microsoft-com:office:word"><HEAD>
<META HTTP-EQUIV=3D3D"Content-Type" CONTENT=3D3D"text/html; =3D
charset=3D3Diso-8859-1">

<META content=3D3D"MSHTML 6.00.2800.1458" name=3D3DGENERATOR>
<STYLE>@page Section1 {size: 595.3pt 841.9pt; margin: 1.0in 1.25in 1.0in
=3D
1.25in; }
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; DIRECTION: rtl; FONT-FAMILY: =3D
"Times New Roman"; unicode-bidi: embed; TEXT-ALIGN: right
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; DIRECTION: rtl; FONT-FAMILY: =3D
"Times New Roman"; unicode-bidi: embed; TEXT-ALIGN: right
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; DIRECTION: rtl; FONT-FAMILY: =3D
"Times New Roman"; unicode-bidi: embed; TEXT-ALIGN: right
}
A:link {
COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.EmailStyle17 {
COLOR: windowtext; FONT-FAMILY: Arial; mso-style-type: personal-compose
}
DIV.Section1 {
page: Section1
}
</STYLE>
</HEAD>
<BODY lang=3D3DEN-US vLink=3D3Dpurple link=3D3Dblue>
<DIV> </DIV>
<DIV>
<DIV class=3D3DOutlookMessageHeader dir=3D3Dltr align=3D3Dleft></DIV></DIV>
<DIV>
<DIV class=3D3DOutlookMessageHeader dir=3D3Dltr align=3D3Dleft></DIV></DIV>
<DIV> </DIV>

<DIV class=3D3DOutlookMessageHeader dir=3D3Dltr align=3D3Dleft></DIV><SPAN=3D20
style=3D3D"FONT-SIZE: 10pt; FONT-FAMILY: Arial">Hi =3D
guys,<o:p></o:p>=3D20

<BLOCKQUOTE dir=3D3Drtl style=3D3D"MARGIN-LEFT: 0px">
<DIV class=3D3DSection1 dir=3D3Drtl>
<SPAN=3D20
style=3D3D"FONT-SIZE: 10pt; FONT-FAMILY: =3D
Arial"><o:p> </o:p>
Can =
=3D
someone please=3D20
send to me his/heres main.cf file so I can take it as an example to =
=3D
config my=3D20
postfix on mt snort sesnsors?<o:p></o:p>
<SPAN=3D20
style=3D3D"FONT-SIZE: 10pt; FONT-FAMILY: =3D
Arial"><o:p> </o:p>
I =
cant =3D
configure it=3D20
aloe I massed up my main.cf file..<o:p></o:p>
<SPAN=3D20
style=3D3D"FONT-SIZE: 10pt; FONT-FAMILY: =3D
Arial"><o:p> </o:p>
Please=3D20
help...<o:p></o:p>
<SPAN=3D20
style=3D3D"FONT-SIZE: 10pt; FONT-FAMILY: =3D
Arial"><o:p> </o:p>
All I =
=3D
need to=3D20
configure is that the sensors will pass the mails to my internal =3D
exchange=3D20
server to my mailbox...<o:p></o:p>
<SPAN=3D20
style=3D3D"FONT-SIZE: 10pt; FONT-FAMILY: =3D
Arial"><o:p> </o:p>
Please =3D
help=3D20
!!!<o:p></o:p>
<SPAN=3D20
style=3D3D"FONT-SIZE: 10pt; FONT-FAMILY: =3D
Arial"><o:p> </o:p>
Thanks=3D20
!!!<o:p></o:p></DIV></BLOCKQUOTE></BODY></HTML>

------_=3D3D_NextPart_001_01C48E1C.3533D7EB--

-- __--__--=20

Message: 8
From: "Andy" <andy@page55.com<mailto:andy@page55.com>>
To: =3D
<snort-users@lists.sourceforge.net<mailto:snort-users@lists.sourceforge.
n=3D
et>>
Date: Sun, 29 Aug 2004 18:22:48 -0500
Subject: [Snort-users] glibc dependency errors installing snort

Hi,
I'm having problems installing snort, I'm getting glibc dependency =3D
errors.
I running RedHat 7.3, trying to install snort-2.1.3-1.i386.rpm

I can't find a newer version of glibc other than 2.2.5 and really don't
=3D
know
what I'm doing anyway.

Am I having these problems because I'm running RH 7.3? Does snort =3D
2.1.3-1
run on RH 7.3?

Should I be installing a different package?

[root@tunes snort]# rpm -ivh [root@tunes snort]# rpm -ivh
snort-2.1.3-1.i386.rpm
error: failed dependencies:
libc.so.6(GLIBC_2.3) is needed by snort-2.1.3-1

totally new to this, hope you can help.

Thanks,
Andy

-- __--__--=20

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net<ma...ers@lists.sourceforge.n
e=3D
t>
https://lists.sourceforge.net/lists/listinfo/snort-users<https://lists.s
o=3D
urceforge.net/lists/listinfo/snort-users>

End of Snort-users Digest

------=3D_NextPart_000_0030_01C48E0D.6A360260
Content-Type: text/html;
charset=3D"iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3D3DContent-Type =3D
content=3D3Dtext/html;charset=3D3Diso-8859-1>
<STYLE></STYLE>

<META content=3D3D"MSHTML 6.00.2800.1458" name=3D3DGENERATOR></HEAD>
<BODY id=3D3DMailContainerBody=3D20
style=3D3D"PADDING-LEFT: 10px; FONT-WEIGHT: normal; FONT-SIZE: 10pt; =3D
COLOR: #000000; BORDER-TOP-STYLE: none; PADDING-TOP: 15px; FONT-STYLE: =
=3D
normal; FONT-FAMILY: Verdana; BORDER-RIGHT-STYLE: none; =3D
BORDER-LEFT-STYLE: none; TEXT-DECORATION: none; BORDER-BOTTOM-STYLE: =3D
none"=3D20
leftMargin=3D3D0 topMargin=3D3D0 acc_role=3D3D"text" =
CanvasTabStop=3D3D"true"=3D20
name=3D3D"Compose message area">
<DIV>
<DIV>Try this:</DIV>
<DIV> </DIV>
<DIV>mysql> Grant All On snort.* to  <A=3D20
title=3D3Dmailto:snort@localhost=3D20
href=3D3D"mailto:snort@localhost">snort@localhost</A>;</DIV>
<DIV> </DIV>
<DIV>or (if you have a password for snort user) </DIV>
<DIV> </DIV>
<DIV>mysql> Grant All On snort.* to <A =
title=3D3Dmailto:snort@localhost
=3D

href=3D3D"mailto:snort@localhost">snort@localhost</A> Identified By=3D20
'password';</DIV>
<DIV> </DIV>
<DIV>[****If you have a password for snort user, you must use Identified
=3D
By=3D20
clause]</DIV>
<DIV> Message: 1 From: "Michael Steele" <<A=3D20
title=3D3Dmailto:michaels@winsnort.com=3D20
href=3D3D"mailto:michaels@winsnort.com">michaels@w insnort.com</A>> =
T
o=3D
: <<A=3D20
title=3D3Dmailto:snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users@lists.sourceforge.net">snort-users@lists.sou=
r
c=3D
eforge.net</A>> Subject:=3D20
RE: [Snort-users] Snort and MySQL Date: Sun, 29 Aug 2004 =
11:52:02=3D20
-0700 Looks like you have no access to the Snort database. Go =3D
back and=3D20
make SURE you can access the database with the credentials that you =
=3D
have in=3D20
the snort.conf file on the MySQL output database line. Kindest
=3D

regards, Michael... WINSNORT.com Management Team Member --
=3D

 Pick up your FREE Windows or UNIX Snort installation=3D20
guides       <A=3D20
title=3D3Dmailto:support@winsnort.com=3D20
href=3D3D"mailto:support@winsnort.com">mailto:supp ort@winsnort.com</A><BR=
>
W=3D
ebsite:=3D20
<A title=3D3Dhttp://www.winsnort.com/=3D20
href=3D3D"http://www.winsnort.com">http://www.winsnort.com</A> Snort: =
=3D
Open Source=3D20
Network IDS - <A title=3D3Dhttp://www.snort.org/=3D20
href=3D3D"http://www.snort.org">http://www.snort.org</A> >=3D=
2
0
-----Original Message----- > From: <A=3D20
title=3D3Dmailto:snort-users-admin@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users-admin@lists.sourceforge.net">snort-users-adm=
i
n=3D
@lists.sourceforge.net</A>=3D20
[mailto:snort-users- > <A =3D
title=3D3Dmailto:admin@lists.sourceforge.net=3D20
href=3D3D"mailto:admin@lists.sourceforge.net">admi n@lists.sourceforge.net=
<
/=3D
A>] On=3D20
Behalf Of Robert Spangler > Sent: Sunday, August 29, 2004 10:35 =
=3D
AM >=3D20
To: <A title=3D3Dmailto:snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users@lists.sourceforge.net">snort-users@lists.sou=
r
c=3D
eforge.net</A> >=3D20
Subject: [Snort-users] Snort and MySQL > > Hello, > =
=3D
 >=3D20
I seem to be having a problem setting up snort to use MySQL =3D
database. >=3D20
 > When I run 'snort -c /etc/snort/snort.conf'  I get =
the=3D20
following: > >=3D20
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D > Running in IDS=3D20
mode > Log directory =3D3D /var/log/snort > > =3D
Initializing=3D20
Network Interface eth0 >=3D20
 >          --=3D3D=3D3D =
=3D
Initializing Snort=3D20
=3D3D=3D3D-- > Initializing Output Plugins! > Decoding =
Ethernet
=3D
on interface=3D20
eth0 > Initializing Preprocessors! > Initializing =3D
Plug-ins! >=3D20
Parsing Rules file /etc/snort/snort.conf > >=3D20
++++++++++++++++++++++++++++++++++++++++++++++++++ + > Initializing
=3D
rule=3D20
chains... > database: compiled support for ( MySQL ) > =3D
database:=3D20
configured to use MySQL >=3D20
database:      &nbsp ;   user =
=3D3D
=3D

snort > database: database name =3D3D snort >=3D20
database:      &nbsp ;   host =
=3D3D
=3D

localhost > database:   sensor name =3D3D =3D
192.168.1.100 >=3D20
ERROR: database: MySQL_error: Access denied for user: <A=3D20
title=3D3D"mailto:'snort@localhost'"=3D20
href=3D3D"mailto:'snort@localhost'">'snort@localho st'</A> > =3D
(Using >=3D20
password: NO) > Fatal Error, Quitting.. >=3D20
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D > > >=3D20
snort.conf has the following entry: > >=3D20
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D > output database:=3D20
log, MySQL, user=3D3Dsnort, password=3D3D******** =
dbname=3D3Dsnort >=3D20
host=3D3Dlocalhost >=3D20
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D > > >=3D20
MySQL was setup using this line for snort: > >=3D20
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D > grant INSERT,SELECT=3D20
on root.* to <A title=3D3Dmailto:snort@localhost=3D20
href=3D3D"mailto:snort@localhost">snort@localhost</A>; > SET =3D
PASSWORD FOR <A=3D20
title=3D3D"mailto:snort@localhost=3D3DPASSOWRD('** ******'"=3D20
href=3D3D"mailto:snort@localhost=3D3DPASSOWRD('*** *****'">snort@localhost=
=3D3D
P=3D
ASSOWRD('********'</A>); >=3D20
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to <A=3D20
title=3D3Dmailto:snort@localhost=3D20
href=3D3D"mailto:snort@localhost">snort@localhost</A>; > =
grant=3D20
CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort; >=3D20
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D > > This was a=3D20
step by step guide I had followed to set this up.  I'm =3D
hoping >=3D20
someone might be able to see what I'm missing.  Thnx > =3D
 >=3D20
-- > > Regards > Robert > > =3D
Smile.....  It=3D20
increases your face value. > > > >=3D20
------------------------------------------------------- > This =3D
SF.Net=3D20
email is sponsored by BEA Weblogic Workshop > FREE Java Enterprise
=3D
J2EE=3D20
developer tools! > Get your free copy of BEA WebLogic Workshop 8.1
=3D

today. > <A=3D20
title=3D3Dhttp://ads.osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&=
op=3D3D
c=3D
lick=3D20
href=3D3D"http://ads.osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&=
op=3D3D
c=3D
lick">http://ads.osdn.com/?ad_id=3D3D5047&...808&op=3D=
3Dcl
i=3D
ck</A> >=3D20
_______________________________________________ > Snort-users =3D
mailing=3D20
list > <A title=3D3Dmailto:Snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sou=
r
c=3D
eforge.net</A> >=3D20
Go to this URL to change user options or unsubscribe: > <A=3D20
title=3D3Dhttps://lists.sourceforge.net/lists/listinfo/snort-users=3D20
href=3D3D"https://lists.sourceforge.net/lists/listinfo/snort-users">https=
:
/=3D
/lists.sourceforge.net/lists/listinfo/snort-users</A> >=3D20
Snort-users list archive: > <A=3D20
title=3D3Dhttp://www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users=3D=
20
href=3D3D"http://www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users">h=
ttp
:=3D
//www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users</A> <B=
R
>=3D
 -- __--__-- Message:=3D20
2 From: "pfeito" <<A title=3D3Dmailto:pfeito@netcabo.pt=3D20
href=3D3D"mailto:pfeito@netcabo.pt">pfeito@netcabo .pt</A>> To: =3D
"'Keith W.=3D20
McCammon'" <<A title=3D3Dmailto:mccammon@gmail.com=3D20
href=3D3D"mailto:mccammon@gmail.com">mccammon@gmai l.com</A>>, <<=
A
=3D

title=3D3Dmailto:snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users@lists.sourceforge.net">snort-users@lists.sou=
r
c=3D
eforge.net</A>>, <<A=3D20
title=3D3Dmailto:hackerwacker@cybermesa.com=3D20
href=3D3D"mailto:hackerwacker@cybermesa.com">hacke rwacker@cybermesa.com</=
A
>=3D
> Subject:=3D20
RE: [Snort-users] Slow down TCP connections Date: Sun, 29 Aug 2004 =
=3D
20:13:54=3D20
+0100 I don't really have a final purpose, I'm just digging out =
=3D
what=3D20
proactive stuff there is out there for Snort. I don't need it, I
=3D
just=3D20
thought of it, as an example of proactive functionality and wanted to
=3D
find=3D20
out if there is such thing. I guess it is kind of stupid.... although
=3D
it=3D20
could be useful in an snort+honeypot scenario. Don't really put much
=3D
though=3D20
in it. > Why are you seeking and IDS to do traffic queueing =
=3D
? No.=3D20
That would be like trying to cut a steak with a spoon :P
! >=3D20
-----Original Message----- > From: <A=3D20
title=3D3Dmailto:snort-users-admin@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users-admin@lists.sourceforge.net">snort-users-adm=
i
n=3D
@lists.sourceforge.net</A>=3D20
[mailto:snort-users- > <A =3D
title=3D3Dmailto:admin@lists.sourceforge.net=3D20
href=3D3D"mailto:admin@lists.sourceforge.net">admi n@lists.sourceforge.net=
<
/=3D
A>] On=3D20
Behalf Of Keith W. McCammon > Sent: domingo, 29 de Agosto de
2004=3D20
18:14 > To: <A =
title=3D3Dmailto:snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users@lists.sourceforge.net">snort-users@lists.sou=
r
c=3D
eforge.net</A> >=3D20
Subject: Re: [Snort-users] Slow down TCP connections > > =
=3D
> Right=3D20
know, I've just compiled and installed snort 2.2.0 with =3D
flexresp2 > >=3D20
support. I'm about to test flexresp2 capabilities, but It seems to =3D
have >=3D20
no > > support for slowing down TCP connections (i.e. for =3D
slowing down=3D20
TCP > Scans > > for instance...) > > Why =3D
would Snort=3D20
want to "slow down" a TCP scan?  Snort will catch it, > and =
=3D
under=3D20
certain circumstances, flexresp2 can reset those > =3D
connections. =3D20
That's pretty much the extent of Snort's involvement. > > =
=3D
> Do=3D20
you know any plug-in that allows Snort to slow down TCP =3D
connections >=3D20
speed > > (i.e. resize TCP window size) ? > > =3D
No. =3D20
What would you accomplish by doing this?  Either block the >
=3D
traffic=3D20
or don't.  Slowing it down won't really get you anywhere > =
=3D
(it'll=3D20
just take the attacker longer to do the same thing). > > =
=3D
 >=3D20
------------------------------------------------------- > This =3D
SF.Net=3D20
email is sponsored by BEA Weblogic Workshop > FREE Java Enterprise
=3D
J2EE=3D20
developer tools! > Get your free copy of BEA WebLogic Workshop 8.1
=3D

today. > <A=3D20
title=3D3Dhttp://ads.osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&=
op=3D3D
c=3D
lick=3D20
href=3D3D"http://ads.osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&=
op=3D3D
c=3D
lick">http://ads.osdn.com/?ad_id=3D3D5047&...808&op=3D=
3Dcl
i=3D
ck</A> >=3D20
_______________________________________________ > Snort-users =3D
mailing=3D20
list > <A title=3D3Dmailto:Snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sou=
r
c=3D
eforge.net</A> >=3D20
Go to this URL to change user options or unsubscribe: > <A=3D20
title=3D3Dhttps://lists.sourceforge.net/lists/listinfo/snort-users=3D20
href=3D3D"https://lists.sourceforge.net/lists/listinfo/snort-users">https=
:
/=3D
/lists.sourceforge.net/lists/listinfo/snort-users</A> >=3D20
Snort-users list archive: > <A=3D20
title=3D3Dhttp://www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users=3D=
20
href=3D3D"http://www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users">h=
ttp
:=3D
//www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users</A> <B=
R
>=3D
 -- __--__-- Message:=3D20
3 From: "Jim Hendrick" <<A =
title=3D3Dmailto:jrhendri@maine.rr.com=3D20
href=3D3D"mailto:jrhendri@maine.rr.com">jrhendri@m aine.rr.com</A>> =
T
o=3D
:=3D20
"'pfeito'" <<A title=3D3Dmailto:pfeito@netcabo.pt=3D20
href=3D3D"mailto:pfeito@netcabo.pt">pfeito@netcabo .pt</A>>, =
<<A=3D20
title=3D3Dmailto:snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users@lists.sourceforge.net">snort-users@lists.sou=
r
c=3D
eforge.net</A>> Subject:=3D20
RE: [Snort-users] Slow down TCP connections Date: Sun, 29 Aug 2004 =
=3D
16:22:28=3D20
-0400 If you are looking to slow down scans, try a tarpit
(e.g.=3D20
labrea) flexrsp is really designed to reset TCP connections to halt =
=3D
an=3D20
attack. -----Original Message----- From: <A=3D20
title=3D3Dmailto:snort-users-admin@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users-admin@lists.sourceforge.net">snort-users-adm=
i
n=3D
@lists.sourceforge.net</A> [mailto:snort-users-admin@lists.sourceforg
e=3D
..net]=3D20
On Behalf Of pfeito Sent: Sunday, August 29, 2004 12:57 PM To:
<A=3D20
title=3D3Dmailto:snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users@lists.sourceforge.net">snort-users@lists.sou=
r
c=3D
eforge.net</A> Subject:=3D20
[Snort-users] Slow down TCP connections Hi Guys, I'm =
=3D
searching=3D20
for pro-active plug-ins for Snort.=3D3D20 Right know, I've just =
=3D
compiled and=3D20
installed snort 2.2.0 with flexresp2 support. I'm about to test =3D
flexresp2=3D20
capabilities, but It seems to have =3D3D no support for slowing =
down
=3D
TCP=3D20
connections (i.e. for slowing down TCP =3D3D Scans for =3D
instance...) Do=3D20
you know any plug-in that allows Snort to slow down TCP connections=3D20
=3D3D speed (i.e. resize TCP window size)=3D20
? Thanks, -pfeito -------------------------
-=3D
----------------------------- This=3D20
SF.Net email is sponsored by BEA Weblogic Workshop FREE Java =3D
Enterprise J2EE=3D20
developer tools! Get your free copy of BEA WebLogic Workshop 8.1 =3D
today. <A=3D20
title=3D3Dhttp://ads.osdn.com/?ad_id=3D3D3D5047&alloc_id=3D3D3D10808&=
amp;o
p=3D
=3D3D3Dclick=3D20
href=3D3D"http://ads.osdn.com/?ad_id=3D3D3D5047&alloc_id=3D3D3D10808&=
amp;o
p=3D
=3D3D3Dclick">http://ads.osdn.com/?ad_id=3D3D3D504...c_id=3D3D3D10=
808&a
m=3D
p;op=3D3D3Dclick</A> ____________________________________________ ___<B=
R
>=3D
Snort-users=3D20
mailing list <A =
title=3D3Dmailto:Snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sou=
r
c=3D
eforge.net</A> Go=3D20
to this URL to change user options or unsubscribe: <A=3D20
title=3D3Dhttps://lists.sourceforge.net/lists/listinfo/snort-users=3D20
href=3D3D"https://lists.sourceforge.net/lists/listinfo/snort-users">https=
:
/=3D
/lists.sourceforge.net/lists/listinfo/snort-users</A> Snort-users=3D20=

list archive: <A=3D20
title=3D3Dhttp://www.geocrawler.com/redir-sf.php3?list=3D3D3Dsnort-users=3D=
20
href=3D3D"http://www.geocrawler.com/redir-sf.php3?list=3D3D3Dsnort-users"=
>ht
t=3D
p://www.geocrawler.com/redir-sf.php3?list=3D3D3Dsnort-users</A> <B=
R
>=3D
 -- __--__-- Message:=3D20
4 From: "pfeito" <<A title=3D3Dmailto:pfeito@netcabo.pt=3D20
href=3D3D"mailto:pfeito@netcabo.pt">pfeito@netcabo .pt</A>> To: =
"'Jim
=3D

Hendrick'" <<A title=3D3Dmailto:jrhendri@maine.rr.com=3D20
href=3D3D"mailto:jrhendri@maine.rr.com">jrhendri@m aine.rr.com</A>>,<BR=
>
&=3D
lt;<A=3D20
title=3D3Dmailto:snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users@lists.sourceforge.net">snort-users@lists.sou=
r
c=3D
eforge.net</A>> Subject:=3D20
RE: [Snort-users] Slow down TCP connections Date: Sun, 29 Aug 2004 =
=3D
21:36:32=3D20
+0100 That's a cool thing to play around. But right now I'm only
=3D
studying=3D20
plugins or modules for Snort. The slow down functionality was only =
=3D
one I=3D20
example I thought, but it seems not to make sense in a IDS. I'm =3D
concentrating=3D20
right now in developing one or two demos with=3D20
flexresp. Thanks, -pfeito > -----Original=3D20
Message----- > From: Jim Hendrick =3D
[mailto:jrhendri@maine.rr.com] >=3D20
Sent: domingo, 29 de Agosto de 2004 21:22 > To: 'pfeito'; <A=3D20
title=3D3Dmailto:snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users@lists.sourceforge.net">snort-users@lists.sou=
r
c=3D
eforge.net</A> >=3D20
Subject: RE: [Snort-users] Slow down TCP connections > > If
=3D
you are=3D20
looking to slow down scans, try a tarpit (e.g. labrea) > flexrsp =
=3D
is really=3D20
designed to reset TCP connections to halt an attack. > =
 >=3D20
-----Original Message----- > From: <A=3D20
title=3D3Dmailto:snort-users-admin@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users-admin@lists.sourceforge.net">snort-users-adm=
i
n=3D
@lists.sourceforge.net</A> >=3D20
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of =3D
pfeito >=3D20
Sent: Sunday, August 29, 2004 12:57 PM > To: <A=3D20
title=3D3Dmailto:snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users@lists.sourceforge.net">snort-users@lists.sou=
r
c=3D
eforge.net</A> >=3D20
Subject: [Snort-users] Slow down TCP connections > > =3D
 > Hi=3D20
Guys, > > I'm searching for pro-active plug-ins for =3D
Snort. >=3D20
 > Right know, I've just compiled and installed snort 2.2.0
with=3D20
flexresp2 > support. I'm about to test flexresp2 capabilities, but
=3D
It=3D20
seems to have no > support for slowing down TCP connections (i.e.
=3D
for=3D20
slowing down TCP Scans > for instance...) > > Do you
=3D
know any=3D20
plug-in that allows Snort to slow down TCP connections > =3D
speed >=3D20
(i.e. resize TCP window size) ? > > Thanks, > =3D
-pfeito >=3D20
 > > > >=3D20
------------------------------------------------------- > This =3D
SF.Net=3D20
email is sponsored by BEA Weblogic Workshop > FREE Java Enterprise
=3D
J2EE=3D20
developer tools! > Get your free copy of BEA WebLogic Workshop 8.1
=3D

today. > <A=3D20
title=3D3Dhttp://ads.osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&=
op=3D3D
c=3D
lick=3D20
href=3D3D"http://ads.osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&=
op=3D3D
c=3D
lick">http://ads.osdn.com/?ad_id=3D3D5047&...808&op=3D=
3Dcl
i=3D
ck</A> >=3D20
_______________________________________________ > Snort-users =3D
mailing=3D20
list > <A title=3D3Dmailto:Snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sou=
r
c=3D
eforge.net</A> >=3D20
Go to this URL to change user options or unsubscribe: > <A=3D20
title=3D3Dhttps://lists.sourceforge.net/lists/listinfo/snort-users=3D20
href=3D3D"https://lists.sourceforge.net/lists/listinfo/snort-users">https=
:
/=3D
/lists.sourceforge.net/lists/listinfo/snort-users</A> >=3D20
Snort-users list archive: > <A=3D20
title=3D3Dhttp://www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users=3D=
20
href=3D3D"http://www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users">h=
ttp
:=3D
//www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users</A> >=3D20
 -- __--__-- Message: 5 From: "Patrick
=3D
S.=3D20
Harper" <<A title=3D3Dmailto:patrick@internetsecurityguru.com= 3D20
href=3D3D"mailto:patrick@internetsecurityguru.com" >patrick@internetsecuri=
t
y=3D
guru.com</A>> To:=3D20
"'Miikka Hattberg'" <<A title=3D3Dmailto:miikka@miikkah.org=3D20
href=3D3D"mailto:miikka@miikkah.org">miikka@miikka h.org</A>>, &nbsp=
;
&=3D
nbsp;=3D20
<<A title=3D3Dmailto:snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users@lists.sourceforge.net">snort-users@lists.sou=
r
c=3D
eforge.net</A>> Subject:=3D20
RE: [Snort-users] Snort and MySQL Date: Sun, 29 Aug 2004 =
16:03:54=3D20
-0500 Not if you have your conf file set up right.  The =3D
output=3D20
database line has that info.  Patrick S. Harper
=3D
| CISSP=3D20
RHCT MCSE <A title=3D3Dhttp://www.internetsecurityguru.com/=3D20
href=3D3D"http://www.internetsecurityguru.com">www.internetsecurityguru.c=
o
m=3D
</A> <A=3D20
title=3D3Dhttp://www.ntsug.org/ =3D
href=3D3D"http://www.ntsug.org">www.ntsug.org</A> -=3D20
Snort Users Group "If there is no light at the end of the tunnel,
=3D
get=3D20
down there and light the damn thing =3D
yourself!"   -----Original=3D20
Message----- From: <A =3D
title=3D3Dmailto:snort-users-admin@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users-admin@lists.sourceforge.net">snort-users-adm=
i
n=3D
@lists.sourceforge.net</A> [mailto:snort-users-admin@lists.sourceforg
e=3D
..net]=3D20
On Behalf Of Miikka Hattberg Sent: Sunday, August 29, 2004 1:49 =
=3D
PM To:=3D20
<A title=3D3Dmailto:snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users@lists.sourceforge.net">snort-users@lists.sou=
r
c=3D
eforge.net</A> Subject:=3D20
Re: [Snort-users] Snort and MySQL I might be totally off, but
=3D

shouldn't you specify the MySQL username in the command whe you start
=3D

snort. like ' snort -u snort -c /etc/snort/snort.conf=3D20
' m. Robert Spangler =3D
wrote: >Hello, > >I=3D20
seem to be having a problem setting up snort to use MySQL=3D20
database. > >When I run 'snort -c =3D
/etc/snort/snort.conf'  I get=3D20
the=3D20
following: > >=3D3D=3D3D=3D3D=3D3D=3D3 D=3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D
3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D >Running=3D20
in IDS mode >Log directory =3D3D =3D
/var/log/snort > >Initializing=3D20
Network Interface =3D
eth0 > >        =3D20
--=3D3D=3D3D Initializing Snort =3D3D=3D3D-- >Initializing Output =
=3D
Plugins! >Decoding=3D20
Ethernet on interface eth0 >Initializing=3D20
Preprocessors! >Initializing Plug-ins! >Parsing Rules
file=3D20
/etc/snort/snort.conf > >++++++++++++++++++++++++ +++++++++++
+=3D
+++++++++++++++ >Initializing=3D20
rule chains... >database: compiled support for ( MySQL =3D
) >database:=3D20
configured to use=3D20
MySQL >database:    &nbs p;   &n
b=3D
sp;=3D20
user =3D3D snort >database: database name =3D3D=3D20
snort >database:    &nbs p;   &n
b=3D
sp;=3D20
host =3D3D localhost >database:   sensor name =3D3D=3D20
192.168.1.100 >ERROR: database: MySQL_error: Access denied for =3D
user: <A=3D20
title=3D3D"mailto:'snort@localhost'"=3D20
href=3D3D"mailto:'snort@localhost'">'snort@localho st'</A>=3D20
 >(Using >password: NO) >Fatal Error,=3D20
Quitting.. >=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3 D3D=3D3D=3D3D=3D3D=3D3D=
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D > &gt ; >snort.conf=3D2=
0
has the following=3D20
entry: > >=3D3D=3D3D=3D3D=3D3D=3D3D=3D 3D=3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3
D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D & gt;output=3D20
database: log, MySQL, user=3D3Dsnort, password=3D3D********
dbname=3D3Dsnort=3D20
 >host=3D3Dlocalhost=3D20
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D > > >MySQL=3D20
was setup using this line for=3D20
snort: > >=3D3D=3D3D=3D3D=3D3D=3D3D=3D 3D=3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3
D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D & gt;grant=3D20
INSERT,SELECT on root.* to <A title=3D3Dmailto:snort@localhost=3D20
href=3D3D"mailto:snort@localhost">snort@localhost</A>; SET PASSWORD =
FOR=3D20
 >snort@localhost=3D3DPASSOWRD('********'); >grant=3D20
CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to <A =3D
title=3D3Dmailto:snort@localhost=3D20
href=3D3D"mailto:snort@localhost">snort@localhost</A>; =
 >grant=3D20
CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;=3D20
 >=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3 D3D=3D3D=3D3D=3D3D=3D3D=
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D
3D=3D
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D =3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
=3D3D=3D
=3D3D=3D3D=3D3D=3D3D > >This=3D20
was a step by step guide I had followed to set this up.  I'm =3D
 >hoping=3D20
someone might be able to see what I'm missing.  =3D
Thnx > > =3D20
 > ------------------------------------------------
-=3D
------ This=3D20
SF.Net email is sponsored by BEA Weblogic Workshop FREE Java =3D
Enterprise J2EE=3D20
developer tools! Get your free copy of BEA WebLogic Workshop 8.1 =3D
today. <A=3D20
title=3D3Dhttp://ads.osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&=
op=3D3D
c=3D
lick=3D20
href=3D3D"http://ads.osdn.com/?ad_id=3D3D5047&alloc_id=3D3D10808&=
op=3D3D
c=3D
lick">http://ads.osdn.com/?ad_id=3D3D5047&...808&op=3D=
3Dcl
i=3D
ck</A> ____________________________________________ ___ Snort-users
=3D

mailing list <A =
title=3D3Dmailto:Snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sou=
r
c=3D
eforge.net</A> Go=3D20
to this URL to change user options or unsubscribe: <A=3D20
title=3D3Dhttps://lists.sourceforge.net/lists/listinfo/snort-users=3D20
href=3D3D"https://lists.sourceforge.net/lists/listinfo/snort-users">https=
:
/=3D
/lists.sourceforge.net/lists/listinfo/snort-users</A> Snort-users=3D20=

list archive: <A=3D20
title=3D3Dhttp://www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users=3D=
20
href=3D3D"http://www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users">h=
ttp
:=3D
//www.geocrawler.com/redir-sf.php3?list=3D3Dsnort-users</A> <B=
R
>=3D
-- __--__-- Message:=3D20
6 From: "Patrick S. Harper" <<A=3D20
title=3D3Dmailto:patrick@internetsecurityguru.com= 3D20
href=3D3D"mailto:patrick@internetsecurityguru.com" >patrick@internetsecuri=
t
y=3D
guru.com</A>> To:=3D20
"'Michael Steele'" <<A title=3D3Dmailto:michaels@winsnort.com=3D20
href=3D3D"mailto:michaels@winsnort.com">michaels@w insnort.com</A>>,<BR=
>
&=3D
nbsp; =3D20
<<A title=3D3Dmailto:snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users@lists.sourceforge.net">snort-users@lists.sou=
r
c=3D
eforge.net</A>>,   =3D20
"'Robert Spangler'" <<A title=3D3Dmailto:bms@zoominternet.net=3D20
href=3D3D"mailto:bms@zoominternet.net">bms@zoomint ernet.net</A>> Su=
b
j=3D
ect: RE:=3D20
[Snort-users] Snort and MySQL Date: Sun, 29 Aug 2004 16:09:55=3D20
-0500   It looks like for some reason he did not give it
=3D
a=3D20
password in the conf file.  The "using password: NO" is the tip
=3D
off I=3D20
believe.  As well as the other output, it should look like
the=3D20
following.  Notice the "Database: password is set".  He =3D
does not=3D20
get that, but the other error at the end about using no =3D
password.. =3D20
 What does your output line in your conf file look=3D20
like? database: compiled support for ( mysql
) database:=3D20
configured to use=3D20
mysql database:     &n bsp;   
=3D
user =3D3D=3D20
snort database: password is set database: database name =3D3D=3D20
snort database:     &n bsp;   
=3D
host =3D3D=3D20
localhost database:   sensor name =3D3D=3D20
208.14.28.12 database:     sensor id =3D3D =3D
2 database:=3D20
inconsistent cid information for=3D20
sid=3D3D2       & nbsp;   =3D
Recovering by=3D20
rolling forward the cid=3D3D35585 Patrick S. Harper | =
CISSP
=3D
RHCT=3D20
MCSE <A title=3D3Dhttp://www.internetsecurityguru.com/=3D20
href=3D3D"http://www.internetsecurityguru.com">www.internetsecurityguru.c=
o
m=3D
</A> <A=3D20
title=3D3Dhttp://www.ntsug.org/ =3D
href=3D3D"http://www.ntsug.org">www.ntsug.org</A> -=3D20
Snort Users Group "If there is no light at the end of the tunnel,
=3D
get=3D20
down there and light the damn thing =3D
yourself!"   -----Original=3D20
Message----- From: <A =3D
title=3D3Dmailto:snort-users-admin@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users-admin@lists.sourceforge.net">snort-users-adm=
i
n=3D
@lists.sourceforge.net</A> [mailto:snort-users-admin@lists.sourceforg
e=3D
..net]=3D20
On Behalf Of Michael Steele Sent: Sunday, August 29, 2004 1:52 =3D
PM To: <A=3D20
title=3D3Dmailto:snort-users@lists.sourceforge.net=3D20
href=3D3D"mailto:snort-users@lists.sourceforge.net">snort-users@lists.sou=
r
c=3D
eforge.net</A> Subject:=3D20
RE: [Snort-users] Snort and MySQL Looks like you have no access =
=3D
to the=3D20
Snort database. Go back and make SURE you can access the database =3D
with the=3D20
credentials that you have in the snort.conf file on the MySQL output
=3D
database=3D20
line. Kindest regards, Michael... WINSNORT.com =3D
Management Team=3D20
Member -- Pick up your FREE Windows or UNIX Snort =
installation=3D20
guides       <A=3D20
title=3D3Dmailto:support@winsnort.com=3D20
href=3D3D"mailto:support@winsnort.com">mailto:supp ort@winsnort.com</A><BR=
>
W=3D
ebsite:=3