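#--------------------------------------------------
# http://www.activeworx.com Snort 1.9.0 Ruleset
# IDS Policy Manager Version: 1.3 Build(40)
# Current Database Updated -- Feb 10, 2003 2:08 AM
#--------------------------------------------------
#
## Variables
## ---------
# HOME_NET drives every rule that is keyed on the protected network.
# NOTE(review): the accompanying startup output shows Snort bound to eth0,
# described as the Internet-facing interface, while HOME_NET names the
# 192.168.0.0/24 LAN. If eth0 carries the public address, $HOME_NET rules
# will not match traffic seen on that interface -- confirm which interface
# is meant to be monitored and set HOME_NET to the addresses seen there.
var HOME_NET [192.168.0.0/24]
#var HOME_NET $eth0_ADDRESS
#var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#var HOME_NET any
var EXTERNAL_NET any
# The server groups below all default to $HOME_NET; narrow them to the real
# hosts where known so the service-specific rules fire on fewer false positives.
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS [192.168.0.1/24]
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
#var HTTP_PORTS 8081
var HTTP_PORTS 80
# SHELLCODE_PORTS is negated: shellcode rules are evaluated on every port except 80.
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
# Base directory for the include lines at the bottom of this file.
var RULE_PATH /etc/snort
#
## Preprocessor Support
## --------------------
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
#preprocessor portscan: $HOME_NET 4 3 portscan.log
#preprocessor portscan-ignorehosts: 0.0.0.0
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
preprocessor frag2
preprocessor telnet_decode
# arpspoof_detect_host entries are only valid once the arpspoof preprocessor
# itself is enabled; with the line below commented out, a bare
# arpspoof_detect_host aborts startup ("Cannot initialize arpspoof_detect_host
# without arpspoof"). The host/MAC pair that was here (192.168.40.1
# f0:0f:00:f0:0f:00) does not belong to the 192.168.0.0/24 network defined
# above and looks like the stock example, so it is left disabled. To use
# ARP-spoof detection, uncomment BOTH lines and replace the pair with the
# real IP and MAC of a gateway on the monitored segment.
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
#
#
## Output Modules
## --------------
# Logs to the MySQL instance on the management host. No password= is given
# here, so the sensor authenticates as sensor1 with an empty password.
# NOTE(review): the startup output reports
#   "Access denied for user: '@192.168.0.1' to database 'snort'"
# -- the empty user name in that message suggests the server matched no
# grant for sensor1 connecting from 192.168.0.1 and fell through to an
# anonymous entry. Verify the grant for sensor1@192.168.0.1 on the MySQL
# host, give the account a password and add password=<value> to this line
# (the mssql example under "Custom Lines" shows the parameter). Because the
# credential is stored in clear text, keep this file readable only by the
# account that runs Snort.
output database: log, mysql, dbname=snort user=sensor1 host=192.168.0.69 port=3306 sensor_name=Sensor1 detail=full
#output log_tcpdump: tcpdump.log
#output xml: Log, file=/var/log/snortxml
#output log_unified: filename snort.log, limit 128
#
#output alert_syslog: LOG_AUTH LOG_ALERT
#output alert_unified: filename snort.alert, limit 128
#output trap_snmp: alert, 7, inform -v 3 -p 999 -l authPriv -u snortUser -x DES -X "" -a SHA -A "" myTrapListener
#
## Custom Rules
## ------------
#ruletype suspicious
#{
# type log
# output log_tcpdump: suspicious.log
#}
#ruletype redalert
#{
# type alert
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort dbname=snort host=localhost
#}
#
## Custom Lines
## ------------
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
#
## Include Files
## -------------
include classification.config
#
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/porn.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules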
From: "mike Hughes" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Access denied for user: '@192.168.0.1' -SNORT-
Date: Mon, 10 Feb 2003 03:13:20 -0800
whaaats up guys...
I have worked at this for a while now but can't figure it out... I have been trying to get Snort working using this as my reference, but I am stuck on the second-to-last step. HELP!
here is my reference:
http://www.sans.org/rr/intrusion/practical_guide.php
OK here is what my IDS sensor file looks like:
SensorName : Sensor1
IP Address of Sensor: 1xx.17x.13.64 <--- my Internet IP
policy name: Sensor1
username : root
Here is my IDS policy settings
Policy name : sensor 1
snort-1.9
policy location: c:\programfiles\activeworx\Sensor1\snort.conf
description policy for sensor 1
192.168.0.69 is the Windows machine (where I'm managing Snort)
192.168.0.1 is my LAN interface, eth1
eth0 is my Internet interface
snort-mysql+flexresp -v -c /etc/snort/snort.conf
Initializing Output Plugins!
Log directory = /var/log/snort
Initializing Network Interface eth0   # <--- this is my INTERNET interface (eth0); eth1 is my LAN interface
--== Initializing Snort ==--
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
++++++++++++++++++++++++++++++++++++++++++++++++++
+
Initializing rule chains...
http_decode arguments:
Unicode decoding
IIS alternate Unicode decoding
IIS double encoding vuln
Flip backslash to slash
Include additional whitespace separators
Ports to decode http on: 80
rpc_decode arguments:
Ports to decode RPC on: 111 32771
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
Reassembly method: FAVOR_OLD
Conversation Config:
KeepStats: 0
Conv Count: 32000
Timeout : 60
Alert Odd?: 0
Allowed IP Protocols: All
Portscan2 config:
log: /var/log/snort/scan.log
scanners_max: 3200
targets_max: 5000
target_limit: 5
port_limit: 20
timeout: 60
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
ERROR spp_arpspoof /etc/snort/snort.conf(39) => Cannot initialize arpspoof_detect_host without arpspoof
database: compiled support for ( mysql )
database: configured to use mysql
database: database name = snort
database: user = sensor1
database: host = 192.168.0.69
database: port = 3306
database: sensor name = Sensor1
database: detail level = full
database: mysql_error: Access denied for user: '@192.168.0.1' to database 'snort'
Fatal Error, Quitting..
How can I debug this and figure out which setting is wrong???
I'm a newbie to MySQL, so I'm not too sure how to check those settings, but I followed the directions properly.
_______________________________________________
Linux-users mailing list
[EMAIL PROTECTED]
Unsubscribe/Suspend/Etc -> http://www.linux-sxs.org/mailman/listinfo/linux-users
