Snort mailing list archives
RE: Problems starting Snort 1.9.0 on RH 8.0
From: "Sawall, Christopher L" <CSawall () ameren com>
Date: Tue, 5 Nov 2002 06:42:50 -0600
Hmmm. I downloaded the latest stable copy: Version 1.9.0 (Build 223) and
installed it. As far as I can tell, the table structure exists properly. I
used "create_mysql" version 1.5 from SourceForge. I had to do some heavy
modification because the formatting would not work with mysql version
3.23.53a. I had to remove all of the "IDENTITY (1,1)", I had to change all
of the "VARCHAR(8000) to BLOB, and I had to insert semi-colons at the end of
each statement. But that should be all that I changed.
I tried again to start Snort, but still have the same problem. I even
modified my user: "mysql> grant ALL on snort.* to 'snort'@'localhost';".
If I look to ensure a sensor exists, it does:
mysql> select * from sensor;
+-----+-------------+-----------+--------+--------+----------+----------+
| sid | hostname | interface | filter | detail | encoding | last_cid |
+-----+-------------+-----------+--------+--------+----------+----------+
| 0 | 10.70.2.252 | eth0 | NULL | 1 | 0 | 0 |
+-----+-------------+-----------+--------+--------+----------+----------+
1 row in set (0.00 sec)
It almost seems like it's reads the data, but then tries to enter it in
again and then says there's duplicate data.
I am still getting the same error as below, attached is the end of that
error again:
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = localhost
database: sensor name = 10.70.2.252
database: mysql_error: Duplicate entry '0' for key 1
SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid)
VALUES ('10.70.2.252','eth0','1','0', '0')
database: Problem obtaining SENSOR ID (sid) from snort->sensor
When this plugin starts, a SELECT query is run to find the sensor id for
the
currently running sensor. If the sensor id is not found, the plugin will
run
an INSERT query to insert the proper data and generate a new sensor id.
Then a
SELECT query is run to get the newly allocated sensor id. If that fails
then
this error message is generated.
Some possible causes for this error are:
* the user does not have proper INSERT or SELECT privileges
* the sensor table does not exist
If you are _absolutely_ certain that you have the proper privileges set and
that your database structure is built properly please let me know if you
continue to get this error. You can contact me at (roman () danyliw com).
Fatal Error, Quitting..
Thanks for helping,
Chris
-----Original Message-----
From: Eli Stair [mailto:estair () tardis ath cx]
Sent: Monday, November 04, 2002 11:27 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Problems starting Snort 1.9.0 on RH 8.0
I had a similar issue with Postgres last week, it was known and fixed in
CVS. Although no one replied to my mail to tell me this..
Grab the current CVS snapshot and take a look-see in the changelog.
/eli
I am having trouble getting Snort to start. Any help would be greatly
appreciated.
Config:
RedHat 8.0
Snort 1.9.0
MySQL 3.23.53a
I created a user with all the rights to try and make sure that it
would
work:
mysql -u root -p{password} snort
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to
snort@localhost;
I checked the database and made sure that the "sensor" table exists.
I try to start Snort:
/etc/snort# snort -d -c ./snort.conf
The following is the error I am receiving:
Initializing Output Plugins!
Log directory = /var/log/snort
Initializing Network Interface eth0
--== Initializing Snort ==--
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
Reassembly method: FAVOR_OLD
http_decode arguments:
Unicode decoding
IIS alternate Unicode decoding
IIS double encoding vuln
Flip backslash to slash
Include additional whitespace separators
Ports to decode http on: 80
rpc_decode arguments:
Ports to decode RPC on: 111 32771
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
Conversation Config:
KeepStats: 0
Conv Count: 32000
Timeout : 60
Alert Odd?: 0
Allowed IP Protocols: All
Portscan2 config:
log: /var/log/snort/scan.log
scanners_max: 3200
targets_max: 5000
target_limit: 5
port_limit: 20
timeout: 60
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = localhost
database: sensor name = 10.70.2.252
database: mysql_error: Duplicate entry '0' for key 1 SQL=INSERT INTO
sensor (hostname, interface, detail, encoding, last_cid) VALUES
('10.70.2.252','eth0','1','0', '0')
database: Problem obtaining SENSOR ID (sid) from snort->sensor
When this plugin starts, a SELECT query is run to find the sensor id
for the currently running sensor. If the sensor id is not found, the
plugin will run
an INSERT query to insert the proper data and generate a new sensor id.
Then a
SELECT query is run to get the newly allocated sensor id. If that fails
then
this error message is generated.
Some possible causes for this error are:
* the user does not have proper INSERT or SELECT privileges
* the sensor table does not exist
If you are _absolutely_ certain that you have the proper privileges
set and that your database structure is built properly please let me
know if you continue to get this error. You can contact me at
(roman () danyliw com).
Fatal Error, Quitting..
Thanks,
Chris
------------------------------------------------------- This SF.net email is sponsored by: ApacheCon, November 18-21 in Las Vegas (supported by COMDEX), the only Apache event to be fully supported by the ASF. http://www.apachecon.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This sf.net email is sponsored by: See the NEW Palm Tungsten T handheld. Power & Color in a compact size! http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Problems starting Snort 1.9.0 on RH 8.0 Sawall, Christopher L (Nov 04)
- Re: Problems starting Snort 1.9.0 on RH 8.0 Eli Stair (Nov 04)
- <Possible follow-ups>
- RE: Problems starting Snort 1.9.0 on RH 8.0 Scott, Joshua (Nov 04)
- RE: Problems starting Snort 1.9.0 on RH 8.0 Sawall, Christopher L (Nov 05)