Access denied for user: '@192.168.0.1' -SNORT-

mike Hughes mikehughes013
Mon May 17 11:44:14 PDT 2004


I forgot to include it; here is my   /etc/snort.conf   file:

#--------------------------------------------------

#   http://www.activeworx.com Snort 1.9.0 Ruleset

#     IDS Policy Manager Version: 1.3 Build(40)

# Current Database Updated -- Feb 10, 2003 2:08 AM

#--------------------------------------------------

#

## Variables

## ---------

# Network variables referenced by the rule files included further down.
# EXTERNAL_NET is "any", so rules written EXTERNAL_NET -> HOME_NET also match
# traffic that originates inside the LAN.
# NOTE(review): the startup log quoted later in this message shows Snort
# decoding on eth0, which the poster describes as the Internet-facing
# interface, while HOME_NET is the LAN range behind eth1. If this host NATs
# the LAN, packets seen on eth0 carry the public address, so rules keyed on
# $HOME_NET may never match there -- confirm which interface should be
# sniffed (snort -i) or whether the public address belongs in HOME_NET.
var HOME_NET [192.168.0.0/24]

#var HOME_NET $eth0_ADDRESS

#var HOME_NET [10.1.1.0/24,192.168.1.0/24]

#var HOME_NET any

var EXTERNAL_NET any

var DNS_SERVERS $HOME_NET

var SMTP_SERVERS $HOME_NET

# NOTE(review): a host address with a /24 mask; this most likely resolves to
# the whole 192.168.0.0/24 network, i.e. the same set as HOME_NET. If only the
# web server at 192.168.0.1 is meant, /32 would scope the web rules to it.
var HTTP_SERVERS [192.168.0.1/24]

var SQL_SERVERS $HOME_NET

var TELNET_SERVERS $HOME_NET

#var HTTP_PORTS 8081

# Matches the single port given to http_decode in the preprocessor section.
var HTTP_PORTS 80

# shellcode.rules is commented out in the include list below, so this variable
# only matters if another included rules file references it.
var SHELLCODE_PORTS !80

var ORACLE_PORTS 1521

# NOTE(review): the value appears on its own line in this posting, presumably
# wrapped by the mail client; keep name and list on one line in the real file.
# chat.rules is commented out below, so this list may currently be unused.
var AIM_SERVERS 
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Directory prefix used by every "include $RULE_PATH/..." line below.
var RULE_PATH /etc/snort

#

## Preprocessor Support

## --------------------

# Preprocessors normalise and reassemble traffic before the rules are
# evaluated. Several directives below are wrapped onto a second line in this
# posting (http_decode, conversation, portscan2); the startup log quoted in the
# message shows their options were parsed, so the wrap is presumably from the
# mail client -- keep each directive on one line in the real file.
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode 
iis_flip_slash full_whitespace

preprocessor rpc_decode: 111 32771

# detect_scans turns on stream4's scan alerts; disable_evasion_alerts switches
# off its evasion alerts (the startup log reports "Evasion alerts: INACTIVE").
# NOTE(review): presumably disabled to cut noise -- confirm that losing those
# alerts is acceptable for this sensor.
preprocessor stream4: detect_scans, disable_evasion_alerts

# With no arguments the startup log shows the defaults: client-side
# reassembly only, on ports 21 23 25 53 80 143 110 111 513.
preprocessor stream4_reassemble

#preprocessor portscan: $HOME_NET 4 3 portscan.log

#preprocessor portscan-ignorehosts: 0.0.0.0

preprocessor conversation: allowed_ip_protocols all, timeout 60, 
max_conversations 32000

# The startup log shows portscan2 writing to /var/log/snort/scan.log.
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, 
port_limit 20, timeout 60

preprocessor frag2

preprocessor telnet_decode

# NOTE(review): the base arpspoof preprocessor is commented out here while
# arpspoof_detect_host below is active; the startup log quoted in this message
# reports "Cannot initialize arpspoof_detect_host without arpspoof". Either
# enable arpspoof or comment out the host mapping.
#preprocessor arpspoof

# NOTE(review): 192.168.40.1 lies outside HOME_NET (192.168.0.0/24) and the MAC
# looks like a sample value -- replace both with the real IP/MAC pair of the
# host to protect (typically the gateway), otherwise the check is meaningless.
preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

#

#

## Output Modules

## --------------

# Logs to the MySQL database "snort" on 192.168.0.69 as user sensor1; no
# password= option is given.
# NOTE(review): the startup log quoted in this message ends with
#   mysql_error: Access denied for user: '@192.168.0.1' to database 'snort'
# The user part is empty even though user=sensor1 is set here, which on MySQL
# usually means no account matched sensor1 connecting from 192.168.0.1 and the
# session fell back to the anonymous account -- verify on the server. The
# usual fix is on the MySQL side: create the sensor1 account for the sensor's
# address only, with a password and just the privileges the sensor needs on
# the snort database, then add password=<sensor1-password> to this line.
# Once a password lives here, keep snort.conf readable only by root/the snort
# user and redact it before posting the file.
output database: log, mysql, dbname=snort user=sensor1 host=192.168.0.69 
port=3306 sensor_name=Sensor1 detail=full

#output log_tcpdump: tcpdump.log

#output xml: Log, file=/var/log/snortxml

#output log_unified: filename snort.log, limit 128

#

#output alert_syslog: LOG_AUTH LOG_ALERT

#output alert_unified: filename snort.alert, limit 128

# NOTE(review): if this trap output is ever enabled, it is written with DES
# privacy and empty -X/-A passphrases; set real passphrases first. The second
# line has lost its leading "#" in this posting (mail wrap, presumably).
#output trap_snmp: alert, 7, inform -v 3 -p 999 -l authPriv -u snortUser -x 
DES -X "" -a SHA -A "" myTrapListener

#

## Custom Rules

## ------------

#ruletype suspicious

#{

# type log

# output log_tcpdump: suspicious.log

#}

#ruletype redalert

#{

# type alert

# output alert_syslog: LOG_AUTH LOG_ALERT

# output database: log, mysql, user=snort dbname=snort host=localhost

#}

#

## Custom Lines

## ------------

# output database: alert, postgresql, user=snort dbname=snort

# output database: log, unixodbc, user=snort dbname=snort

# output database: log, mssql, dbname=snort user=snort password=test

#

## Include Files

## -------------

include classification.config

#

include $RULE_PATH/bad-traffic.rules

include $RULE_PATH/exploit.rules

include $RULE_PATH/scan.rules

include $RULE_PATH/finger.rules

include $RULE_PATH/ftp.rules

include $RULE_PATH/telnet.rules

include $RULE_PATH/rpc.rules

include $RULE_PATH/rservices.rules

include $RULE_PATH/dos.rules

include $RULE_PATH/ddos.rules

include $RULE_PATH/dns.rules

include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules

include $RULE_PATH/web-coldfusion.rules

include $RULE_PATH/web-iis.rules

include $RULE_PATH/web-frontpage.rules

include $RULE_PATH/web-misc.rules

include $RULE_PATH/web-client.rules

include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules

include $RULE_PATH/x11.rules

include $RULE_PATH/icmp.rules

include $RULE_PATH/netbios.rules

include $RULE_PATH/misc.rules

include $RULE_PATH/attack-responses.rules

include $RULE_PATH/oracle.rules

include $RULE_PATH/mysql.rules

include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules

include $RULE_PATH/imap.rules

include $RULE_PATH/pop3.rules

include $RULE_PATH/pop2.rules

include $RULE_PATH/nntp.rules

include $RULE_PATH/other-ids.rules

#include $RULE_PATH/web-attacks.rules

#include $RULE_PATH/backdoor.rules

#include $RULE_PATH/shellcode.rules

#include $RULE_PATH/policy.rules

#include $RULE_PATH/porn.rules

#include $RULE_PATH/info.rules

#include $RULE_PATH/icmp-info.rules

#include $RULE_PATH/virus.rules

#include $RULE_PATH/chat.rules

#include $RULE_PATH/multimedia.rules

#include $RULE_PATH/p2p.rules

include $RULE_PATH/experimental.rules

include $RULE_PATH/local.rules












>From: "mike Hughes" <mikehughes013 at hotmail.com>
>Reply-To: linux-users at linux-sxs.org
>To: linux-users at linux-sxs.org
>Subject: Access denied for user: '@192.168.0.1'  -SNORT-
>Date: Mon, 10 Feb 2003 03:13:20 -0800
>
>whaaats up guys...
>
>I have worked at this for a while now but can't figure it out... I have been 
>trying to get snort working using this as my reference but am stuck on the 
>second to last step. HELP!
>here is my reference:
>http://www.sans.org/rr/intrusion/practical_guide.php
>
>OK here is what my IDS sensor file looks like:
>
>SensorName :     Sensor1
>IP Adress of Sensor:  1xx.17x.13.64 <---my internet IP
>policy name:   Sensor1
>username : root
>
>Here is my IDS policy settings
>Policy name : sensor 1
>snort-1.9
>policy location: c:\programfiles\activeworx\Sensor1\snort.conf
>description policy for sensor 1
>
>
>192.168.0.69 is windows machine (whereim managing snort)
>192.168.0.1 is my LAN interface eth1
>eth0 is my internet interface
>
>snort-mysql+flexresp –v –c /etc/snort/snort.conf
>
>Initializing Output Plugins!
>Log directory = /var/log/snort
>
>Initializing Network Interface eth0 #<-----this is my INTERNET interface 
>eth0 and eth1 is my ####################### lan interface
>
>--== Initializing Snort ==--
>Decoding Ethernet on interface eth0
>Initializing Preprocessors!
>Initializing Plug-ins!
>Parsing Rules file /etc/snort/snort.conf
>
>++++++++++++++++++++++++++++++++++++++++++++++++++
>+
>Initializing rule chains...
>http_decode arguments:
>Unicode decoding
>IIS alternate Unicode decoding
>IIS double encoding vuln
>Flip backslash to slash
>Include additional whitespace separators
>Ports to decode http on: 80
>rpc_decode arguments:
>Ports to decode RPC on: 111 32771
>Stream4 config:
>Stateful inspection: ACTIVE
>Session statistics: INACTIVE
>Session timeout: 30 seconds
>Session memory cap: 8388608 bytes
>State alerts: INACTIVE
>Evasion alerts: INACTIVE
>Scan alerts: ACTIVE
>Log Flushed Streams: INACTIVE
>MinTTL: 1
>TTL Limit: 5
>Async Link: 0
>No arguments to stream4_reassemble, setting defaults:
>Reassemble client: ACTIVE
>Reassemble server: INACTIVE
>Reassemble ports: 21 23 25 53 80 143 110 111 513
>Reassembly alerts: ACTIVE
>Reassembly method: FAVOR_OLD
>Conversation Config:
>KeepStats: 0
>Conv Count: 32000
>Timeout : 60
>Alert Odd?: 0
>Allowed IP Protocols: All
>
>Portscan2 config:
>log: /var/log/snort/scan.log
>scanners_max: 3200
>targets_max: 5000
>target_limit: 5
>port_limit: 20
>timeout: 60
>No arguments to frag2 directive, setting defaults to:
>Fragment timeout: 60 seconds
>Fragment memory cap: 4194304 bytes
>Fragment min_ttl: 0
>Fragment ttl_limit: 5
>Fragment Problems: 0
>telnet_decode arguments:
>Ports to decode telnet on: 21 23 25 119
>ERROR spp_arpspoof /etc/snort/snort.conf(39) => Cannot initialize 
>arpspoof_detect_host without arpspoof
>database: compiled support for ( mysql )
>database: configured to use mysql
>database: database name = snort
>database: user = sensor1
>database: host = 192.168.0.69
>database: port = 3306
>database: sensor name = Sensor1
>database: detail level = full
>database: mysql_error: Access denied for user: '@192.168.0.1' to database 
>'snort'
>Fatal Error, Quitting..
>
>How can i debug this and try to figure out what setting is wrong???
>Im a newbie to mysql  soo im not too sure how to see those settings: but i 
>followed the directions properly.
>

