Snort Forums Archive
Snort 2.6 cannot connect to MSSQL Server
Posted by EvLwMn on September 06, 2006 08:32:37
I am running:
Windows 2000 Advanced Server
MS SQL Server 2000 SP4
Snort 2.6
WinPCap 3.1
I have the snort.conf file configured - rule paths, etc. I have the DB name, login name/password is correct, etc. SQL Server is running and I can connect to it using both the machine service account I created for it and I can connect to the DB using the DB account I created for it. Everything looks good until I try to run Snort from CLI.
snort -i3 -c c:\snort\etc\snort.conf
It runs through everything...Rule application order, initializes network interface, finds the database and name, host, user, password is set, sensor name, etc. Then it bombs with the following error:
Database: DB-Library error:
Unable to connect: SQL Server is unavailable or does not exist. Unable to connect: SQL Server does not exist or network access denied.
database: Net-Lib error 52: ConnectionOpen (Connect()).
database: Operating-system error:
ConnectionOpen (Connect()).
ERROR: database: Failed to logon to host 'localhost'
Fatal Error, Quitting....
I have the DB plugin configured in snort.conf - I have run the create-mssql script to create the tables, created the db user, given the db user the permissions listed in the documentation, etc.
I have searched and googled this error to death and can find nothing. Can someone please help?
If you need more information let me know or if you need to see the snort.conf file let me know and I'll post it.
Thanks in advance everyone :-)

Posted by brevizniak on September 09, 2006 18:40:44
The error indicates that the process cannot connect to the DB. I suspect you need to change the IP used in snort.conf

Posted by EvLwMn on September 11, 2006 03:23:48
Thank you - I will check into that and post back what I find out.
Thanks again! :-)

Posted by EvLwMn on September 11, 2006 08:17:16
OK - as far as IP - I have the HOME_NET variable set as my home network - i.e. 192.168.10.0/24
That's the only IP I have in there. Could you be more specific? Do I have to define a host and IP in my output plugin for my database? I.e. something like this:
output database: log, mssql, dbname=snort user=snortusr password=xxxxxxxx host:192.168.10.xx
Thanks.

Posted by EvLwMn on September 11, 2006 09:18:56
Well I tried putting the IP address in the output database variable and it still bombs. I have no idea where to go from here.
Any ideas anyone?
Thanks.

Posted by puma on September 11, 2006 19:56:00
I have the same problem, but I use MySQL. Why?

Posted by cveselka on September 22, 2006 12:37:14
Any resolution to this? We are seeing the same thing.

Posted by EvLwMn on September 22, 2006 12:42:52
I have not yet found a resolution to this. However, I have had higher priority things to do recently and haven't been able to work on this much (this IDS is meant to enhance an existing IDS).
What I have decided to do is wipe the thing and start over. I was talking to another SA recently and he made a comment that maybe I didn't install things in the right order. So I figure it's worth a shot because I'm out of ideas.
Once I have finished reinstalling everything I'll post back what happened. If it actually works I'll post my steps. :-)

Posted by cveselka on September 26, 2006 06:08:21
Finally got it to work. Try pinging SQL with the SQLPing utility. My SQL server was using a different port and also it wouldn't log in even though I thought I had the username and password set correctly. I also changed my SQL server login default DB to Master and then it worked. I set it back to snort and it still worked. Not sure what I did but you may give it a try.

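Added example, not part of any post in this thread: a small Python check of the "output database:" line quoted earlier, reporting parameters that are not in name=value form (the quoted line uses "host:"). The function name and the accepted-parameter list (recalled from the Snort 2.x database plugin documentation) are assumptions.

```python
import re

# Parameter names accepted by the Snort 2.x database output plugin
# (recalled from the plugin documentation; treat the list as an assumption).
KNOWN_PARAMS = {"host", "port", "dbname", "user", "password",
                "sensor_name", "encoding", "detail"}
DB_TYPES = {"mysql", "postgresql", "odbc", "mssql", "oracle"}
DIRECTIVE = re.compile(r"^\s*output\s+database\s*:\s*(.*)$", re.IGNORECASE)


def check_output_database(line):
    """Return (params, findings) for one 'output database:' line."""
    m = DIRECTIVE.match(line)
    if not m:
        return {}, ["not an 'output database:' directive"]
    parts = [p.strip() for p in m.group(1).split(",", 2)]
    if len(parts) < 3:
        return {}, ["expected: <log|alert>, <db type>, <parameters>"]
    facility, db_type, arg_text = parts
    findings, params = [], {}
    if facility.lower() not in ("log", "alert"):
        findings.append(f"unknown facility '{facility}'")
    if db_type.lower() not in DB_TYPES:
        findings.append(f"unknown database type '{db_type}'")
    for token in filter(None, re.split(r"[\s,]+", arg_text)):
        name, sep, value = token.partition("=")
        if not sep:
            findings.append(f"'{token}' is not in name=value form")
        elif name.lower() not in KNOWN_PARAMS:
            findings.append(f"unknown parameter '{name}'")
        elif not value:
            findings.append(f"parameter '{name}' has no value")
        else:
            params[name.lower()] = value
    if "dbname" not in params:
        findings.append("dbname is missing")
    if "host" not in params:
        findings.append("no host parameter parsed")
    return params, findings


# The line as quoted in the thread (address left masked as posted).
SAMPLE = ("output database: log, mssql, dbname=snort user=snortusr "
          "password=xxxxxxxx host:192.168.10.xx")

if __name__ == "__main__":
    for finding in check_output_database(SAMPLE)[1]:
        print("finding:", finding)
```
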
Posted by EvLwMn on September 27, 2006 04:08:56
Thanks for the info. Unfortunately by the time you posted I had already wiped the server and was re-installing everything.
The only thing I did different besides installing things in a different order was install W2k3 instead of 2k Advanced and partitioned the drives so the OS is on C and everything pertaining to snort is on E (snort, mssql, etc) and I created a swap drive on D. I adjusted the snort.conf file to reflect the new path(s). Now when I run the command:
snort -i2 -c e:\snort\etc\snort.conf
it goes through all the stuff in my original post, gets a little past where it bombed before and then I get a new error:
database: SQL Server message 5701, state 2, severity 0:
Changed database context to 'IDSDB'.
database: SQL Server message 5701, state 1, severity 0:
Changed database context to 'IDSDB'.
Server 'IDS-SNORT', Line 1
database: sensor id = 2
database: schema version = 107
database: using the "log" facility
ERROR: log_tcpdump TcpdumpInitLogFile(): No error
Fatal Error, Quitting..
As you can see, it seems to be logging on to the database - or at least I'm not getting the original error saying "failed to logon to 'localhost'" as it's going past that point.
So does anyone have any idea what this error means and how to fix it? I have been trying to Google this error and so far am not having any luck. I will continue to research this but if anyone has any ideas they would be much appreciated!
If you need more information to help determine the problem let me know what you need and I'll make sure it's posted here.
Thanks again, in advance. :-)