Snort mailing list archives
Barnyard not inserting on ACID tables in MySQL, just regular snort ones
From: Pedro Fortuna <pedro.fortuna () gmail com>
Date: Wed, 1 Sep 2004 04:48:25 +0100
Hello,

I don't know why, but barnyard is not inserting on ACID tables in MySQL, and ACID does not show any alert.

I'm pretty sure of:
- snort is logging alerts correctly to unified log files
- barnyard is able to read them and...
- ... it is connecting to mysql correctly and....
- it is inserting only on tables event, iphdr, tcphdr, data

Don't know why:
- barnyard is not inserting on acid specific tables (it must be because of this that ACID does not show anything!)

Here's an excerpt of MySQL query logs (concerning 1 single alert):

    040901  4:29:15  1 Connect  snort@localhost on barnyard2
                     1 Query    SELECT sig_id FROM signature WHERE sig_name='Snort Alert [1:1000002:0]' AND sig_rev=0 AND sig_sid=1000002
                     1 Query    INSERT INTO event(sid, cid, signature, timestamp) VALUES('1', '11', '2', '2004-09-01 03:29:15')
                     1 Query    INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_csum) VALUES('1', '11', '3246931459', '3575048132', '6', '4', '5', '0', '63', '26381', '2', '0', '51', '9285')
                     1 Query    INSERT INTO tcphdr(sid, cid, tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp) VALUES('1', '11', '45825', '21', '4290730719', '2885246481', '8', '0', '24', '5840', '6608', '0')
                     1 Query    INSERT INTO data(sid, cid, data_payload) VALUES('1', '11', '5553455220726F6F740D0A')

-------------------------------

My config is very simple.

Snort.conf:

    output alert_syslog: LOG_AUTH LOG_ALERT
    output log_unified: filename snort.log, limit 128

barnyard.conf:

    output log_acid_db: mysql, sensor_id 1, database barnyard2, server localhost, user snort, password XXXXXXX, detail full

Please help!

Thanks
-pfeito
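An added example, not part of the original post and not barnyard or ACID code: it parses the INSERT statements from the query log above (shortened to a few columns, wrap breaks rejoined) and decodes the stored integers and hex payload, to confirm what barnyard wrote and that all four rows share one (sid, cid) key. The function names are hypothetical.

```python
import ipaddress
import re

# Sample input: the INSERT statements from the query log in the message above,
# shortened to the columns decoded here (wrap breaks rejoined).
SAMPLE_LOG = """\
1 Query INSERT INTO event(sid, cid, signature, timestamp) VALUES('1', '11', '2', '2004-09-01 03:29:15')
1 Query INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto) VALUES('1', '11', '3246931459', '3575048132', '6')
1 Query INSERT INTO tcphdr(sid, cid, tcp_sport, tcp_dport, tcp_flags) VALUES('1', '11', '45825', '21', '24')
1 Query INSERT INTO data(sid, cid, data_payload) VALUES('1', '11', '5553455220726F6F740D0A')
"""

INSERT_RE = re.compile(r"INSERT INTO (\w+)\s*\(([^)]*)\)\s*VALUES\s*\(([^)]*)\)", re.I)
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_inserts(log_text):
    """Return {table: {column: value}} for each INSERT in the log text.

    Assumes quoted values contain no commas or parentheses, which holds
    for the numeric, timestamp and hex columns in this log.
    """
    rows = {}
    for table, cols, vals in INSERT_RE.findall(log_text):
        names = [c.strip() for c in cols.split(",")]
        values = [v.strip().strip("'") for v in vals.split(",")]
        rows[table.lower()] = dict(zip(names, values))
    return rows


def decode_alert(rows):
    """Turn the stored integers and hex into a readable summary of the alert."""
    ip, tcp = rows["iphdr"], rows["tcphdr"]
    flags = int(tcp["tcp_flags"])
    return {
        "tables": sorted(rows),
        "same_key": len({(r["sid"], r["cid"]) for r in rows.values()}) == 1,
        "src": f'{ipaddress.IPv4Address(int(ip["ip_src"]))}:{tcp["tcp_sport"]}',
        "dst": f'{ipaddress.IPv4Address(int(ip["ip_dst"]))}:{tcp["tcp_dport"]}',
        "flags": [name for bit, name in TCP_FLAGS if flags & bit],
        "payload": bytes.fromhex(rows["data"]["data_payload"]),
    }


if __name__ == "__main__":
    print(decode_alert(parse_inserts(SAMPLE_LOG)))
```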