Snort mailing list archives
RE: MYSQL 4.0 root login attempt
From: "David Naylor" <DNaylor () TEXASTRUSTCU ORG>
Date: Wed, 17 Aug 2005 14:59:51 -0500
It looks like the MySQL server is requiring re-authentication every morning around 7. Not sure why this is happening, but the two Snort boxes attempt to connect remotely. The one running Server 2003 is successful and shows no error; the one running Windows 2000 is unsuccessful, loses connection and produces the aforementioned error.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Paul Schmehl
Sent: Tuesday, August 16, 2005 4:48 PM
To: Snort-users () lists sourceforge net
Subject: RE: [Snort-users] MYSQL 4.0 root login attempt

--On Tuesday, August 16, 2005 16:24:36 -0500 David Naylor <DNaylor () TEXASTRUSTCU ORG> wrote:
It's running on Red Hat Linux (which I'm not real familiar with). What is this HUPing stuff all about?
When the syslog daemon turns over log files, it usually restarts the process that writes to the file so it will begin writing to a new one. If you look at man (1) kill and man (5) newsyslog.conf, you'll see what I mean. Kill has several options it can use, including TERM, which means terminate the process normally, KILL, which means kill the process unconditionally, and HUP, which means "hangup" and restart. If your install of snort created an entry in newsyslog.conf that tells syslog to turn over the snort logfile and HUP the daemon, that would explain why this happens every night.

RedHat uses a script called logrotate to turn over log files and restart daemons. IIRC, the scripts are in /etc/logrotate.d/ (I don't use RedHat any more, so I'm going by memory.) If there's a script in there named "snort", then it's probably restarting the daemon every night.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
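
Added example, not part of the original messages: one way to carry out the check described above, listing the files in /etc/logrotate.d/ whose rotation scripts send HUP to a process. The function names `find_hup_rotations` and `write_sample_snippet` and the sample "snort" snippet are constructed for illustration and are not taken from any vendor package.

```shell
#!/bin/sh
# Added example (not from the thread): list logrotate snippets whose
# prerotate/postrotate script sections send SIGHUP to a process.

# find_hup_rotations [DIR] -- DIR defaults to /etc/logrotate.d
# Prints "<file>: <command>" for each matching command line.
find_hup_rotations() {
    dir="${1:-/etc/logrotate.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v name="${f##*/}" '
            /^[ \t]*(prerotate|postrotate|firstaction|lastaction)[ \t]*$/ { s = 1; next }
            /^[ \t]*endscript[ \t]*$/ { s = 0; next }
            s && /^[ \t]*#/ { next }          # skip comments inside the script
            # kill -HUP, kill -s HUP, kill -1, killall -HUP, pkill -SIGHUP ...
            s && ($0 " ") ~ /kill(all)?[ \t]+(-s[ \t]+|-)(SIG)?(HUP|1)[ \t]/ {
                sub(/^[ \t]+/, ""); print name ": " $0
            }
        ' "$f"
    done
}

# write_sample_snippet DIR -- constructed sample, not a vendor-shipped file.
write_sample_snippet() {
    cat > "$1/snort" <<'EOF'
/var/log/snort/alert {
    daily
    rotate 7
    missingok
    postrotate
        # signal the daemon so it reopens its log files
        /bin/kill -HUP `cat /var/run/snort.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
EOF
}

# Demo on the constructed sample; on a real host run: find_hup_rotations
demo_dir=$(mktemp -d)
write_sample_snippet "$demo_dir"
find_hup_rotations "$demo_dir"
rm -rf "$demo_dir"
```

A hit for a file named "snort" that lines up with the time of the recurring alert points at log rotation as the trigger rather than at an outside login attempt.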
Current thread:
- MYSQL 4.0 root login attempt David Naylor (Aug 16)
- Re: MYSQL 4.0 root login attempt Paul Schmehl (Aug 16)
- <Possible follow-ups>
- RE: MYSQL 4.0 root login attempt David Naylor (Aug 16)
- RE: MYSQL 4.0 root login attempt Paul Schmehl (Aug 16)
- RE: MYSQL 4.0 root login attempt David Naylor (Aug 17)
- RE: MYSQL 4.0 root login attempt David Naylor (Aug 18)