Snort mailing list archives
Re: Re: Barnyard not inserting on ACID tables in MySQL, just regular snort ones
From: Pedro Fortuna <pedro.fortuna () gmail com>
Date: Thu, 2 Sep 2004 10:38:36 +0100
On Thu, 02 Sep 2004 09:24:31 +0100, Alex Butcher, ISC/ISYS <alex.butcher () bristol ac uk> wrote:
> --On 01 September 2004 19:06 +0100 Pedro Fortuna <pedro.fortuna () gmail com> wrote:
>
>> Anyway, now it's working with the old DB, but two things are bothering me:
>>
>> - ACID isn't showing my custom rule's description, it just shows something like this in the alert: "Snort Alert [1:1000002:0]" (1000002 is the rule ID)
>
> I had this problem when I was using mudpit, and mudpit couldn't find sid-msg.map and gen-msg.map. I haven't used barnyard, and I'm using FLoP now, but maybe your problem has the same root.

Well, the rules that weren't showing the description were my custom rules. I didn't know I must also add the description to sid-msg.map. That's understood now.

>> - The events' time is one hour late! An event at 3am shows 2am.
>
> Probably a timezone or daylight savings time thing; I think all events are logged as UTC (i.e. GMT+0). Are you in western Europe, by chance?

I'm on GMT+0 (London, Lisbon, ... it seems we are in the same timezone), but the thing is that my system "date" output (I've only noticed this now) shows something like this:

  Thu Sep 2 10:13:02 WEST 2004

Shouldn't it say "GMT" or "UTC"? I tried setting it to GMT or UTC, but all it does is add one hour, keeping the "WEST":

  # date --set="thu Sep 2 10:13:00 GMT 2004"
  Thu Sep 2 11:13:00 WEST 2004

So I set it back to 10:13 WEST. I have to check this thing again later.

>> If someone has a clue why ACID failed to insert the events in its tables (_using_ the blank DB) please say something, so that I can test it.
>
> Did you run create_acid_tbls_mysql.sql from the ACID distribution?

No, I used snortdb-extra.gz from the snort distribution, which must be the same thing. The problem was barnyard related. A certain keyword in barnyard.conf (i.e. sensor_id) caused it not to perform all the database operations it needs to (e.g. create the sensor entry in the sensor table). So later, ACID couldn't find any sensor entry in the DB, thus failing to see the already inserted events. Answer: removing "sensor_id" from barnyard.conf resolves the problem (tip from Dirk Geschke).

-Pedro Fortuna
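The "Snort Alert [1:1000002:0]" label in the thread is what you get when the generator/signature pair of an event has no entry in sid-msg.map (gid 1, the rules engine) or gen-msg.map (other gids, i.e. decoder and preprocessor alerts). The following is an added example, not code from the thread or from Snort, Barnyard or ACID: it parses both map files in their "field || field" layout and resolves a gid:sid:rev triple to its message text, falling back to the bare label exactly as Pedro saw it when his custom SID was missing. The two map-file excerpts are constructed for this example (1000002 is the SID from the thread; its message text and the 1000003 entry are made up).

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of sid-msg.map (rules-engine alerts, gid 1).
# Layout: sid || msg || reference || reference ...
# Only 1000002 is the SID from the thread; the text is invented here.
SID_MSG_MAP = """\
# sid || msg || reference
1000002 || LOCAL custom rule: example policy match || url,example.invalid/custom
1000003 || LOCAL second custom rule
"""

# Constructed sample of gen-msg.map (decoder/preprocessor alerts).
# Layout: gid || sid || msg
GEN_MSG_MAP = """\
# gid || sid || msg
1 || 1 || snort general alert
116 || 1 || (snort_decoder) WARNING: Not IPv4 datagram!
"""

# The fallback label Barnyard/ACID show when no message is known.
ALERT_RE = re.compile(r"Snort Alert \[(\d+):(\d+):(\d+)\]")


def _fields(line: str):
    """Split one map line on '||', stripping whitespace; None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    return [f.strip() for f in line.split("||")]


def parse_sid_msg_map(text: str) -> Dict[int, str]:
    """Map sid -> msg; malformed lines are skipped rather than aborting the load."""
    out: Dict[int, str] = {}
    for line in text.splitlines():
        fields = _fields(line)
        if not fields or len(fields) < 2 or not fields[0].isdigit():
            continue
        out[int(fields[0])] = fields[1]
    return out


def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """Map (gid, sid) -> msg for non-rules generators."""
    out: Dict[Tuple[int, int], str] = {}
    for line in text.splitlines():
        fields = _fields(line)
        if not fields or len(fields) < 3:
            continue
        if not (fields[0].isdigit() and fields[1].isdigit()):
            continue
        out[(int(fields[0]), int(fields[1]))] = fields[2]
    return out


SID_MAP = parse_sid_msg_map(SID_MSG_MAP)
GEN_MAP = parse_gen_msg_map(GEN_MSG_MAP)


def resolve(gid: int, sid: int, rev: int,
            sid_map: Dict[int, str] = SID_MAP,
            gen_map: Dict[Tuple[int, int], str] = GEN_MAP) -> str:
    """Return the message for gid:sid:rev, or the generic label if unmapped."""
    msg: Optional[str]
    if gid == 1:
        msg = sid_map.get(sid)           # rules engine: keyed by sid only
    else:
        msg = gen_map.get((gid, sid))    # decoder/preprocessor: keyed by gid+sid
    if msg is None:
        return f"Snort Alert [{gid}:{sid}:{rev}]"
    return msg


def resolve_label(label: str) -> str:
    """Turn a displayed 'Snort Alert [g:s:r]' label back into its rule message."""
    m = ALERT_RE.fullmatch(label.strip())
    if m is None:
        return label   # not a generic label; already a real message
    gid, sid, rev = (int(x) for x in m.groups())
    return resolve(gid, sid, rev)


if __name__ == "__main__":
    for label in ("Snort Alert [1:1000002:0]",   # custom SID present in the map
                  "Snort Alert [1:1000009:0]",   # custom SID missing -> stays generic
                  "Snort Alert [116:1:1]"):      # decoder alert via gen-msg.map
        print(f"{label:28} -> {resolve_label(label)}")
```

Running the file prints the three resolutions; the second line stays generic, which is the symptom to look for after adding a custom rule: if ACID keeps showing "Snort Alert [1:SID:REV]", the SID has no line in the sid-msg.map that Barnyard is actually reading.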
Current thread:
- mysql on another box? Larry Wichman (Aug 31)
- Re: mysql on another box? Alec Berryman (Aug 31)
- Re: mysql on another box? James Riden (Aug 31)
- Re: mysql on another box? Jose Maria Lopez (Aug 31)
- Re: mysql on another box? Sean Brown (Aug 31)
- Barnyard not inserting on ACID tables in MySQL, just regular snort ones Pedro Fortuna (Aug 31)
- Re: Barnyard not inserting on ACID tables in MySQL, just regular snort ones Dirk Geschke (Sep 01)
- Re: Barnyard not inserting on ACID tables in MySQL, just regular snort ones Pedro Fortuna (Sep 01)
- Re: Barnyard not inserting on ACID tables in MySQL, just regular snort ones Alex Butcher, ISC/ISYS (Sep 02)
- Re: Re: Barnyard not inserting on ACID tables in MySQL, just regular snort ones Pedro Fortuna (Sep 02)
- Re: Re: Barnyard not inserting on ACID tables in MySQL, just regular snort ones Alex Butcher, ISC/ISYS (Sep 02)
- Barnyard not inserting on ACID tables in MySQL, just regular snort ones Pedro Fortuna (Aug 31)
- <Possible follow-ups>
- RE: mysql on another box? Lance Boon (Sep 01)