Snort mailing list archives
Re: Access denied for user: '@192.168.0.1' -SNORT-
From: "mike Hughes" <mikehughes013 () hotmail com>
Date: Tue, 11 Feb 2003 12:21:50 -0800
What's up. Alright, this is where I am right now. I ran this command on my Linux machine:
    snort-mysql+flexresp -v -c /etc/snort/snort.conf

I get NO error messages. Here is the output:

    Initializing Output Plugins!
    Log directory = /var/log/snort
    Initializing Network Interface eth0

            --== Initializing Snort ==--
    Decoding Ethernet on interface eth0
    Parsing Rules file /etc/snort/snort.conf

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    Initializing Preprocessors!
    Initializing Plug-ins!
    http_decode arguments:
        Unicode decoding
        IIS alternate Unicode decoding
        IIS double encoding vuln
        Flip backslash to slash
        Include additional whitespace separators
        Ports to decode http on: 80
    rpc_decode arguments:
        Ports to decode RPC on: 111 32771
    Stream4 config:
        Stateful inspection: ACTIVE
        Session statistics: INACTIVE
        Session timeout: 30 seconds
        Session memory cap: 8388608 bytes
        State alerts: INACTIVE
        Evasion alerts: INACTIVE
        Scan alerts: ACTIVE
        Log Flushed Streams: INACTIVE
        MinTTL: 1
        TTL Limit: 5
        Async Link: 0
    No arguments to stream4_reassemble, setting defaults:
        Reassemble client: ACTIVE
        Reassemble server: INACTIVE
        Reassemble ports: 21 23 25 53 80 143 110 111 513
        Reassembly alerts: ACTIVE
        Reassembly method: FAVOR_OLD
    Conversation Config:
        KeepStats: 0
        Conv Count: 32000
        Timeout  : 60
        Alert Odd?: 0
        Allowed IP Protocols:  All
    Portscan2 config:
        log: /var/log/snort/scan.log
        scanners_max: 3200
        targets_max: 5000
        target_limit: 5
        port_limit: 20
        timeout: 60
    No arguments to frag2 directive, setting defaults to:
        Fragment timeout: 60 seconds
        Fragment memory cap: 4194304 bytes
        Fragment min_ttl:   0
        Fragment ttl_limit: 5
        Fragment Problems: 0
    telnet_decode arguments:
        Ports to decode telnet on: 21 23 25 119
    ERROR spp_arpspoof /etc/snort/snort.conf(40) => Cannot initialize arpspoof_detect_host without arpspoof
    database: compiled support for ( mysql )
    database: configured to use mysql
    database:          database name = snort
    database:                   user = sensor1
    database:                   host = 192.168.0.69
    database:                   port = 3306
    database:            sensor name = Sensor1
    database:           detail level = full
    database:              sensor id = 1
    database:         schema version = 106
    database: using the "log" facility
    1225 Snort rules read...
    1225 Option Chains linked into 124 Chain Headers
    0 Dynamic rules
    +++++++++++++++++++++++++++++++++++++++++++++++++++

    Rule application order: ->activation->dynamic->alert->pass->log

            --== Initialization Complete ==--

    -*> Snort! <*-
    Version 1.9.0 (Build 209)
    By Martin Roesch (roesch () sourcefire com, www.snort.org)

    02/11-12:17:55.633645 ARP who-has 152.178.7.78 tell 152.178.0.254
    02/11-12:17:58.850208 ARP who-has 152.178.7.78 tell 152.178.0.254
    02/11-12:18:01.941099 ARP who-has 152.178.36.185 tell 152.178.0.254

    ===============================================================================
    Snort analyzed 3 out of 3 packets, dropping 0(0.000%) packets

    Breakdown by protocol:                Action Stats:
        TCP: 0          (0.000%)          ALERTS: 0
        UDP: 0          (0.000%)          LOGGED: 0
       ICMP: 0          (0.000%)          PASSED: 0
        ARP: 3          (100.000%)
      EAPOL: 0          (0.000%)
       IPv6: 0          (0.000%)
        IPX: 0          (0.000%)
      OTHER: 0          (0.000%)
    DISCARD: 0          (0.000%)
    ===============================================================================
    Wireless Stats:
    Breakdown by type:
        Management Packets: 0          (0.000%)
        Control Packets:    0          (0.000%)
        Data Packets:       0          (0.000%)
    ===============================================================================
    Fragmentation Stats:
    Fragmented IP Packets: 0          (0.000%)
        Fragment Trackers: 0
       Rebuilt IP Packets: 0
       Frag elements used: 0
    Discarded(incomplete): 0
       Discarded(timeout): 0
      Frag2 memory faults: 0
    ===============================================================================
    TCP Stream Reassembly Stats:
            TCP Packets Used: 0          (0.000%)
             Stream Trackers: 0
              Stream flushes: 0
               Segments used: 0
       Stream4 Memory Faults: 0
    ===============================================================================

------> And then it keeps logging traffic to my screen. Now how can I test that it is going into my database on my Windows machine? What are some commands I can run on MySQL on my Windows machine (192.168.0.69)?
Here is my /etc/snort/snort.conf file:

    #--------------------------------------------------
    # http://www.activeworx.com Snort 1.9.0 Ruleset
    # IDS Policy Manager Version: 1.3 Build(40)
    # Current Database Updated -- Feb 10, 2003 2:08 AM
    #--------------------------------------------------
    #
    ## Variables
    ## ---------
    var HOME_NET [192.168.0.0/24]
    #var HOME_NET $eth0_ADDRESS
    #var HOME_NET [10.1.1.0/24,192.168.1.0/24]
    #var HOME_NET any
    var EXTERNAL_NET any
    var DNS_SERVERS $HOME_NET
    var SMTP_SERVERS $HOME_NET
    var HTTP_SERVERS [192.168.0.1/24]
    var SQL_SERVERS $HOME_NET
    var TELNET_SERVERS $HOME_NET
    #var HTTP_PORTS 8081
    var HTTP_PORTS 80
    var SHELLCODE_PORTS !80
    var ORACLE_PORTS 1521
    var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
    var RULE_PATH /etc/snort
    #
    ## Preprocessor Support
    ## --------------------
    preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
    preprocessor rpc_decode: 111 32771
    preprocessor stream4: detect_scans, disable_evasion_alerts
    preprocessor stream4_reassemble
    #preprocessor portscan: $HOME_NET 4 3 portscan.log
    #preprocessor portscan-ignorehosts: 0.0.0.0
    preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
    preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
    preprocessor frag2
    preprocessor telnet_decode
    #preprocessor arpspoof
    preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
    #
    #
    ## Output Modules
    ## --------------
    output database: log, mysql, dbname=snort user=sensor1 host=192.168.0.69 port=3306 sensor_name=Sensor1 detail=full
    #output log_tcpdump: tcpdump.log
    #output xml: Log, file=/var/log/snortxml
    #output log_unified: filename snort.log, limit 128
    #
    #output alert_syslog: LOG_AUTH LOG_ALERT
    #output alert_unified: filename snort.alert, limit 128
    #output trap_snmp: alert, 7, inform -v 3 -p 999 -l authPriv -u snortUser -x DES -X "" -a SHA -A "" myTrapListener
    #
    ## Custom Rules
    ## ------------
    #ruletype suspicious
    #{
    #  type log
    #  output log_tcpdump: suspicious.log
    #}
    #ruletype redalert
    #{
    #  type alert
    #  output alert_syslog: LOG_AUTH LOG_ALERT
    #  output database: log, mysql, user=snort dbname=snort host=localhost
    #}
    #
    ## Custom Lines
    ## ------------
    # output database: alert, postgresql, user=snort dbname=snort
    # output database: log, unixodbc, user=snort dbname=snort
    # output database: log, mssql, dbname=snort user=snort password=test
    #
    ## Include Files
    ## -------------
    include classification.config
    #
    include $RULE_PATH/bad-traffic.rules
    include $RULE_PATH/exploit.rules
    include $RULE_PATH/scan.rules
    include $RULE_PATH/finger.rules
    include $RULE_PATH/ftp.rules
    include $RULE_PATH/telnet.rules
    include $RULE_PATH/rpc.rules
    include $RULE_PATH/rservices.rules
    include $RULE_PATH/dos.rules
    include $RULE_PATH/ddos.rules
    include $RULE_PATH/dns.rules
    include $RULE_PATH/tftp.rules
    include $RULE_PATH/web-cgi.rules
    include $RULE_PATH/web-coldfusion.rules
    include $RULE_PATH/web-iis.rules
    include $RULE_PATH/web-frontpage.rules
    include $RULE_PATH/web-misc.rules
    include $RULE_PATH/web-client.rules
    include $RULE_PATH/web-php.rules
    include $RULE_PATH/sql.rules
    include $RULE_PATH/x11.rules
    include $RULE_PATH/icmp.rules
    include $RULE_PATH/netbios.rules
    include $RULE_PATH/misc.rules
    include $RULE_PATH/attack-responses.rules
    include $RULE_PATH/oracle.rules
    include $RULE_PATH/mysql.rules
    include $RULE_PATH/snmp.rules
    include $RULE_PATH/smtp.rules
    include $RULE_PATH/imap.rules
    include $RULE_PATH/pop3.rules
    include $RULE_PATH/pop2.rules
    include $RULE_PATH/nntp.rules
    include $RULE_PATH/other-ids.rules
    #include $RULE_PATH/web-attacks.rules
    #include $RULE_PATH/backdoor.rules
    #include $RULE_PATH/shellcode.rules
    #include $RULE_PATH/policy.rules
    #include $RULE_PATH/porn.rules
    #include $RULE_PATH/info.rules
    #include $RULE_PATH/icmp-info.rules
    #include $RULE_PATH/virus.rules
    #include $RULE_PATH/chat.rules
    #include $RULE_PATH/multimedia.rules
    #include $RULE_PATH/p2p.rules
    include $RULE_PATH/experimental.rules
    include $RULE_PATH/local.rules

And just so you know, I have followed the directions from: http://www.sans.org/rr/intrusion/practical_guide.php and I have set everything up like it said, but it's not logging to my Windows MySQL database. How can I test to see what's wrong, and how can I test and make sure it's really not logging to the database? Are there COMMANDS I can run on MySQL (Windows)? I can post any other info you may need.
Thanks Guys!
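The checks the poster is asking for, as an added example that is not part of the original message and was not written by the poster or the Snort project. It is meant to be typed into the mysql command-line client on the Windows MySQL host (192.168.0.69 in the post) as an administrative account. Table and column names (sensor, event, signature, schema.vsn) are those of the Snort 1.9 MySQL schema version 106 that the startup banner reports; the sensor address 192.168.0.1 comes from the subject line; the password in step 5 is a placeholder, not a value from the post.

```sql
-- 1. Which user/host rows exist for the sensor account? MySQL matches the
--    connecting client against User AND Host, so a grant for 'sensor1'@'localhost'
--    does nothing for a sensor connecting from 192.168.0.1.
SELECT User, Host, Password <> '' AS has_password FROM mysql.user WHERE User = 'sensor1';
SHOW GRANTS FOR 'sensor1'@'192.168.0.1';

-- 2. Was the Snort schema actually loaded into the database named in snort.conf?
USE snort;
SHOW TABLES;                 -- expect sensor, event, signature, iphdr, tcphdr, udphdr, icmphdr, data, ...
SELECT vsn FROM `schema`;    -- should be 106, the "schema version" the Snort banner prints

-- 3. Did the sensor register itself? Snort inserts this row when it connects at
--    startup, before any alert is logged, so it is the cleanest proof that the
--    database login worked even when no rule has fired yet.
SELECT sid, hostname, interface, detail, last_cid FROM sensor;

-- 4. Are any events being written? Count them, then list the newest with their signature names.
SELECT COUNT(*) AS events FROM event;
SELECT e.sid, e.cid, e.timestamp, s.sig_name
  FROM event e
  JOIN signature s ON e.signature = s.sig_id
 ORDER BY e.timestamp DESC
 LIMIT 10;

-- 5. If step 1 returned nothing for the sensor's address, create the least-privilege
--    grant the output plugin needs (INSERT plus SELECT on the snort database only).
--    Replace <sensor-password-placeholder> with a real secret; it is not a value from the post.
GRANT INSERT, SELECT ON snort.* TO 'sensor1'@'192.168.0.1' IDENTIFIED BY '<sensor-password-placeholder>';
FLUSH PRIVILEGES;
```

Two things worth keeping in mind when reading the results. First, the `output database:` line in Snort 1.9 also accepts a `password=` parameter, and the posted configuration does not use one, so if the grant in step 5 carries a password the snort.conf line has to carry the same one. Second, an empty event table is not by itself evidence of a failed connection: the three packets in the posted run were ARP requests, which match none of the loaded rules, and the shutdown summary shows ALERTS: 0 and LOGGED: 0, so nothing was ever handed to the database plugin. The sensor row in step 3 is the check that separates "connected but nothing to log" from "never connected".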
Current thread:
- RE: Access denied for user: '@192.168.0.1' -SNORT-, (continued)
- RE: Access denied for user: '@192.168.0.1' -SNORT- Michael Steele (Feb 10)
- ACID - Which Database? Yaakov Yehudi (Feb 11)
- Re: ACID - Which Database? Ken Gunderson (Feb 11)
- Re: ACID - Which Database? Paul B. Poh (Feb 11)
- Re: ACID - Which Database? Yaakov Yehudi (Feb 12)
- RE: Access denied for user: '@192.168.0.1' -SNORT- Kenneth G. Arnold (Feb 11)
- Re: RE: Access denied for user: '@192.168.0.1' -SNORT- Erek Adams (Feb 11)
- RE: Access denied for user: '@192.168.0.1' -SNORT- Erek Adams (Feb 12)