I am running Ubuntu inside VMware and trying to configure Snort. I have gotten to this portion:

< Scroll down the list to the section with "# output database: log, mysql, user=", remove the "#" from in front of this line. Leave the "user=root", change the "password=password" to "password=YOUR_PASSWORD", "dbname=snort". Make note of the username, password, and dbname. You will need this information when we set up the MySQL db. Save and quit.

11. Set up the MySQL database. Log into the MySQL server.

    # mysql -u root -p

Sometimes there is no password set, so just hit enter. If you get a failed logon, try the above command again and enter YOUR_PASSWORD. If there is no password you need to create a password for the root account. Note: once you are in mysql the # is now a mysql>

    mysql> SET PASSWORD FOR root@localhost=PASSWORD('YOUR_PASSWORD');

Create the snort database.

    mysql> create database snort;
    mysql> exit >

But no matter what I do I cannot log into mysql. I have tried logging into root when I first log on (so far I am unable to do so, even with changing the passwords in preferences). I have tried to log in from the terminal both under a user name and as root. There are no errors in /var/log/mysql.log. Is there another workaround for this? I have heard that there is a package in the Synaptic snap-ins that would allow Ubuntu to read Debian programs that makes mysql easier to install... is that a better way to go? Thanks for any help.
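The two steps quoted above (enable the "output database" line in snort.conf, then create the database in MySQL), as an added shell example that is not part of this thread or of the Snort project. It flips the output line in a snort.conf, locks the file down because the database password now sits in it in clear text, and emits the SQL to paste into "mysql -u root -p". Unlike the tutorial, which has Snort log in as MySQL root, it creates a dedicated account with only the rights the log writer needs; the account name snortuser, the privilege list, and the temporary demo file are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Snort project. Assumes GNU sed
# (sed -i), grep and mktemp as found on Ubuntu; "snortuser" and the GRANT list
# are assumptions that go beyond the tutorial's use of the MySQL root account.

# Uncomment the "# output database: log, mysql, ..." line in the given
# snort.conf and write the credentials into it. Prints the resulting line;
# returns 1 if the file has no such commented-out line.
# Caveat: the password is spliced into a sed expression, so it must not
# contain '|' or '&'.
enable_db_output() {
    conf="$1"; user="$2"; pass="$3"; db="$4"
    grep -q '^#[[:space:]]*output database: log, mysql' "$conf" || return 1
    sed -i "s|^#[[:space:]]*output database: log, mysql.*|output database: log, mysql, user=$user password=$pass dbname=$db host=localhost|" "$conf"
    # The file now holds a clear-text database password: owner-only access.
    chmod 600 "$conf"
    grep '^output database: log, mysql' "$conf"
}

# Emit the SQL the tutorial types by hand (create the database) plus a
# least-privilege account for the sensor instead of reusing MySQL root.
# Usage: snort_bootstrap_sql snortuser 'YOUR_PASSWORD' snort | mysql -u root -p
snort_bootstrap_sql() {
    user="$1"; pass="$2"; db="$3"
    cat <<EOF
CREATE DATABASE IF NOT EXISTS $db;
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON $db.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Demo on a constructed two-line snort.conf fragment, not the real
# /etc/snort/snort.conf; swap in that path once the result looks right.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# output database: log, mysql, user=root password=password dbname=snort host=localhost
output alert_syslog: LOG_AUTH LOG_ALERT
EOF
enable_db_output "$demo_conf" snortuser 'YOUR_PASSWORD' snort
snort_bootstrap_sql snortuser 'YOUR_PASSWORD' snort
rm -f "$demo_conf"
```

The user, password and dbname written by enable_db_output must match the ones fed to snort_bootstrap_sql, which is the "make note of the username, password, and dbname" step in the tutorial; keeping both in one script is what prevents the mismatch.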
When I enter mysql -u root -p it brings up "password:" and I enter "password" or the other word I changed it to, depending upon which time I tried it, and then it just says "access denied to root@localhost". The rest will follow after I have popped into my VMware and run that command.
This is what I get when I run that particular command:

    root      4878  0.0  0.1   1752   528 ?        S    09:48   0:00 /bin/sh /usr/bin/mysqld_safe
    mysql     5034  0.3  3.1 126920 16140 ?        Sl   09:48   0:01 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
    root      5035  0.0  0.1   1676   548 ?        S    09:48   0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
    root      9155  0.0  0.1   2972   748 pts/0    R+   09:55   0:00 grep mysql

Thanks, Kyra
Of course, that must be it! *tilts head* It's not that hard...it's "password" since it is just VMware; I really do not need security. I am fairly sure I have typed it correctly at least once in the 30-40 times I have tried to get in. It was one of the first things I did think to try. I am sorry if my sarcasm is a bit much at this point. I am fairly frustrated at this point and need suggestions on how to get past this point. *edited to remove fairly snarky comment from a frustrated student on a deadline that really didn't need to be made.* Kyra
OK, I tooled around enough in mysql that I got it running... however, it was enough to drive Gandhi to a steakhouse. Now I am hitting a wall with my snort.conf file. This is my snort.conf file:

    root@kyra-desktop:/etc/snort/rules# snort -T -c /etc/snort/snort.conf
    Running in Test mode with config file: /etc/snort/snort.conf
    Running in IDS mode

            --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file /etc/snort/snort.conf
    PortVar 'HTTP_PORTS' defined :  [ 80 ]
    PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
    PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
    ,-----------[Flow Config]----------------------
    | Stats Interval:        0
    | Hash Method:           2
    | Memcap:                10485760
    | Rows  :                4096
    | Overhead Bytes:        16388(%0.16)
    `----------------------------------------------
    Frag3 global config:
        Max frags: 65536
        Fragment memory cap: 4194304 bytes
    Frag3 engine config:
        Target-based policy: FIRST
        Fragment timeout: 60 seconds
        Fragment min_ttl:   1
        Fragment ttl_limit: 5
        Fragment Problems: 1
    Stream4 config:
        Stateful inspection: ACTIVE
        Session statistics: INACTIVE
        Session timeout: 30 seconds
        Session memory cap: 8388608 bytes
        Session count max: 8192 sessions
        Session cleanup count: 5
        State alerts: INACTIVE
        Evasion alerts: INACTIVE
        Scan alerts: INACTIVE
        Log Flushed Streams: INACTIVE
        MinTTL: 1
        TTL Limit: 5
        Async Link: 0
        State Protection: 0
        Self preservation threshold: 50
        Self preservation period: 90
        Suspend threshold: 200
        Suspend period: 30
        Enforce TCP State: INACTIVE
        Midstream Drop Alerts: INACTIVE
        Allow Blocking of TCP Sessions in Inline: ACTIVE
    Stream4_reassemble config:
        Server reassembly: INACTIVE
        Client reassembly: ACTIVE
        Reassembler alerts: ACTIVE
        Zero out flushed packets: INACTIVE
        Flush stream on alert: INACTIVE
        flush_data_diff_size: 500
        Reassembler Packet Preferance : Favor Old
        Packet Sequence Overlap Limit: -1
        Flush behavior: Small (<255 bytes)
        Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
        Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    PerfMonitor config:
        Time:           300 seconds
        Flow Stats:     INACTIVE
        Event Stats:    INACTIVE
        Max Perf Stats: INACTIVE
        Console Mode:   INACTIVE
        File Mode:      /var/snort/snort.stats
        SnortFile Mode: INACTIVE
        Packet Count:   10000
        Dump Summary:   No
    HttpInspect Config:
        GLOBAL CONFIG
          Max Pipeline Requests:    0
          Inspection Type:          STATELESS
          Detect Proxy Usage:       NO
          IIS Unicode Map Filename: /etc/snort/unicode.map
          IIS Unicode Map Codepage: 1252
        DEFAULT SERVER CONFIG:
          Server profile: All
          Ports: 80 8080 8180
          Flow Depth: 300
          Max Chunk Length: 500000
          Inspect Pipeline Requests: YES
          URI Discovery Strict Mode: NO
          Allow Proxy Usage: NO
          Disable Alerting: NO
          Oversize Dir Length: 500
          Only inspect URI: NO
          Ascii: YES alert: NO
          Double Decoding: YES alert: YES
          %U Encoding: YES alert: YES
          Bare Byte: YES alert: YES
          Base36: OFF
          UTF 8: OFF
          IIS Unicode: YES alert: YES
          Multiple Slash: YES alert: NO
          IIS Backslash: YES alert: NO
          Directory Traversal: YES alert: NO
          Web Root Traversal: YES alert: YES
          Apache WhiteSpace: YES alert: NO
          IIS Delimiter: YES alert: NO
          IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
          Non-RFC Compliant Characters: NONE
          Whitespace Characters: 0x09 0x0b 0x0c 0x0d
    rpc_decode arguments:
        Ports to decode RPC on: 111 32771
        alert_fragments: INACTIVE
        alert_large_fragments: ACTIVE
        alert_incomplete: ACTIVE
        alert_multiple_requests: ACTIVE
    Portscan Detection Config:
        Detect Protocols:  TCP UDP ICMP IP
        Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
        Sensitivity Level: Low
        Memcap (in bytes): 10000000
        Number of Nodes:   36900
        Tagged Packet Limit: 256
    /etc/snort/snort.conf(449) unknown dynamic preprocessor "telnet_decode"
    ERROR: Misconfigured dynamic preprocessor(s)
    Fatal Error, Quitting..

These are my rules for telnet:

    preprocessor telnet_decode

    # sfPortscan
    # ----------
    # Portscan detection module.  Detects various types of portscans and
    # portsweeps.  For more information on detection philosophy, alert types,
    # and detailed portscan information, please refer to the README.sfportscan.
    #
    # -configuration options-
    #     proto { tcp udp icmp ip_proto all }
    #       The arguments to the proto option are the types of protocol scans that
    #       the user wants to detect.  Arguments should be separated by spaces and
    #       not commas.
    #     scan_type { portscan portsweep decoy_portscan distributed_portscan all }
    #       The arguments to the scan_type option are the scan types that the
    #       user wants to detect.  Arguments should be separated by spaces and not
    #       commas.
    #     sense_level { low|medium|high }
    #       There is only one argument to this option and it is the level of
    #       sensitivity in which to detect portscans.  The 'low' sensitivity
    #       detects scans by the common method of looking for response errors, such
    #       as TCP RSTs or ICMP unreachables.  This level requires the least
    #       tuning.  The 'medium' sensitivity level detects portscans and
    #       filtered portscans (portscans that receive no response).  This
    #       sensitivity level usually requires tuning out scan events from NATed
    #       IPs, DNS cache servers, etc.  The 'high' sensitivity level has
    #       lower thresholds for portscan detection and a longer time window than
    #       the 'medium' sensitivity level.  Requires more tuning and may be noisy
    #       on very active networks.  However, this sensitivity levels catches the
    #       most scans.
    #     memcap { positive integer }
    #       The maximum number of bytes to allocate for portscan detection.  The
    #       higher this number the more nodes that can be tracked.
    #     logfile { filename }
    #       This option specifies the file to log portscan and detailed portscan
    #       values to.  If there is not a leading /, then snort logs to the
    #       configured log directory.  Refer to README.sfportscan for details on
    #       the logged values in the logfile.
    #     watch_ip { Snort IP List }
    #     ignore_scanners { Snort IP List }
    #     ignore_scanned { Snort IP List }
    #       These options take a snort IP list as the argument.  The 'watch_ip'
    #       option specifies the IP(s) to watch for portscan.  The
    #       'ignore_scanners' option specifies the IP(s) to ignore as scanners.
    #       Note that these hosts are still watched as scanned hosts.  The
    #       'ignore_scanners' option is used to tune alerts from very active
    #       hosts such as NAT, nessus hosts, etc.  The 'ignore_scanned' option
    #       specifies the IP(s) to ignore as scanned hosts.  Note that these hosts
    #       are still watched as scanner hosts.  The 'ignore_scanned' option is
    #       used to tune alerts from very active hosts such as syslog servers, etc.
    #
    preprocessor sfportscan: proto  { all } \
                             memcap { 10000000 } \
                             sense_level { low }

Any suggestions on how to edit these two so that I can get Snort to run would be helpful. Kyra
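The fatal error in the snort -T output above is caused by the first of the two lines asked about: Snort reports "unknown dynamic preprocessor telnet_decode" because the build in use no longer knows that preprocessor at all, so the line has to be commented out rather than corrected, and the sfportscan block after it is fine as it stands. The script below is an added shell example that is not part of this thread or of the Snort project: it comments out every active telnet_decode line in a snort.conf, touches nothing else, and re-runs the same "snort -T -c" config test. It assumes a Snort 2.8-era build, in which telnet_decode was superseded by the ftp_telnet dynamic preprocessor, GNU sed, and a temporary demo file in place of the real /etc/snort/snort.conf.

```shell
#!/bin/sh
# Added example, not from the thread or the Snort project. Assumes GNU sed
# (sed -i) and a Snort build that rejects "preprocessor telnet_decode"
# as an unknown dynamic preprocessor, as in the snort -T output above.

# Comment out every active "preprocessor telnet_decode" line in the given
# snort.conf and print how many lines were changed. Lines that are already
# comments are left alone, so running this twice is harmless, and the
# sfportscan block that follows in the thread is not touched.
disable_telnet_decode() {
    conf="$1"
    changed=$(grep -c '^[[:space:]]*preprocessor[[:space:]]*telnet_decode' "$conf" || true)
    sed -i 's/^\([[:space:]]*\)\(preprocessor[[:space:]]*telnet_decode\)/\1# \2/' "$conf"
    echo "$changed"
}

# Exit status 0 if the file still names telnet_decode as an active
# preprocessor, 1 if it is clean.
has_active_telnet_decode() {
    grep -q '^[[:space:]]*preprocessor[[:space:]]*telnet_decode' "$1"
}

# Re-run Snort's own config test (the command from the thread) when the
# binary is installed; on a box without Snort fall back to the static check
# so the script still reports something useful.
test_snort_conf() {
    conf="$1"
    if command -v snort >/dev/null 2>&1; then
        snort -T -c "$conf"
    else
        ! has_active_telnet_decode "$conf"
    fi
}

# Demo on a constructed fragment holding just the two preprocessor lines
# from the thread; point it at /etc/snort/snort.conf for the real fix.
demo=$(mktemp)
cat > "$demo" <<'EOF'
preprocessor telnet_decode
# sfPortscan
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low }
EOF
echo "commented out $(disable_telnet_decode "$demo") telnet_decode line(s)"
if test_snort_conf "$demo"; then
    echo "config test passed"
else
    echo "config test still failing; read the snort -T output for the next error"
fi
rm -f "$demo"
```

Because sfportscan is a built-in preprocessor and telnet_decode is not, only the first line needs to change; if snort -T then stops on a different line number, the same pattern (read the reported line, comment it out or replace it, re-run -T) applies.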