Snort mailing list archives

Snort/Honeynet console database errors?


From: Dan Siff <dsiff () colby edu>
Date: Wed, 10 Nov 2004 13:53:29 -0500


I have a question regarding porting Snort events into the Honeynet security console (from Activeworx). I am running Snort on a Linux box (InMon is porting sFlow data into Snort) and using ACID as a front end without any problems. I'm now trying to get a Honeynet console set up on an adjacent Windows system, but have hit a snag that I have no idea how to fix. I seem to have everything set up correctly regarding the Honeynet databases and permissions - the aw_hsc primary database seems OK, and the idsevents database that I set up to have Snort dump into seems to be working OK as well (tables are populating with data, seems normal). The problem is when I go to view events in Honeynet - there are no events. Looking at the 'Event Overview', I'm showing 620 events, 31 unique events. The summary graphs all work, showing the breakdown of data. It's just that when you try to look at the data, there's nothing there (for example, clicking on 'Unique Events' should show you a list of events; instead it's blank, saying 'No Events').

I tried running a trace and discovered that there is apparently a database error, but I have no idea how to correct it. I was hoping someone on this list might have run into this. Here are the details:

When running a 'Unique Events' query, the initial MySQL requests all seem to go fine until this:

(mySQL request):
SELECT CONCAT('2:', event.sid, ':', event.cid) AS 'Event ID',
       CAST(signature.sig_priority AS CHAR) AS 'Priority',
       sig_name AS 'Event Name',
       CAST(ip_proto AS CHAR) AS 'Protocol',
       INET_NTOA(iphdr.ip_src) AS 'Src IP',
       COALESCE(tcphdr.tcp_sport, udphdr.udp_sport) AS 'Src Port',
       '' AS 'Src Country',
       INET_NTOA(iphdr.ip_dst) AS 'Dst IP',
       COALESCE(tcphdr.tcp_dport, udphdr.udp_dport) AS 'Dst Port',
       sensor.hostname AS 'Sensor',
       event.timestamp AS 'Timestamp'
FROM event
LEFT JOIN signature ON (event.signature = signature.sig_id)
LEFT JOIN sensor ON (event.sid = sensor.sid)
LEFT JOIN iphdr ON ((event.cid = iphdr.cid) AND (event.sid = iphdr.sid))
LEFT JOIN tcphdr ON ((event.cid = tcphdr.cid) AND (event.sid = tcphdr.sid))
LEFT JOIN udphdr ON ((event.cid = udphdr.cid) AND (event.sid = udphdr.sid))
WHERE (event.sid = '1')
ORDER BY event.timestamp DESC
LIMIT 1000

(mySQL response):
(You have an error in your SQL syntax near '(signature.sig_priority AS CHAR) AS 'Priority', sig_name AS 'Event Name', CAST(i' at line 1

The only thing I can decipher from this (this is a guess) is that sig_name falls under the signature table - so maybe it should be referenced as 'signature.sig_name' instead of just 'sig_name' ?

If anyone can help, I would really appreciate any input.
Regards,
Dan Siff
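An added diagnostic for the error above; this is example SQL written for this page, not code from the original post or from the Activeworx console. It rests on one assumption, stated in the comments: the MySQL server holding the idsevents database predates 4.0.2, the release that introduced CAST() and CONVERT(). The posted error is reported immediately after the token CAST, before the parser ever reaches sig_name, which is what an older parser does with a function keyword it does not know. The block first confirms the server version and reproduces the failure with a one-line statement, then re-issues the console's 'Unique Events' query with CAST(x AS CHAR) swapped for CONCAT(x), which also yields a string but exists in MySQL 3.23. Tables, joins, column aliases, the sensor id and the LIMIT are taken from the posted query; nothing else is assumed about the schema.

```sql
-- Added example; not code from the original post or from the Activeworx console.
-- Assumption: the MySQL server behind the idsevents database is older than
-- 4.0.2, where CAST() and CONVERT() first appeared. The posted error stops
-- right after the token CAST, which is consistent with that.

-- 1. Version check and a one-line reproduction. On a pre-4.0.2 server the
--    second statement fails with the same "error in your SQL syntax near
--    '(1 AS CHAR)'" message; on a newer server it returns the string '1'.
SELECT VERSION();
SELECT CAST(1 AS CHAR);

-- 2. The same 'Unique Events' query with CAST(x AS CHAR) replaced by CONCAT(x).
--    CONCAT() converts numeric arguments to their string form and is available
--    in MySQL 3.23, so the statement parses on old and new servers alike.
--    Tables, joins, aliases, the sensor id '1' and the LIMIT are as posted.
SELECT CONCAT('2:', event.sid, ':', event.cid)      AS 'Event ID',
       CONCAT(signature.sig_priority)                AS 'Priority',
       signature.sig_name                            AS 'Event Name',
       CONCAT(iphdr.ip_proto)                        AS 'Protocol',
       INET_NTOA(iphdr.ip_src)                       AS 'Src IP',
       COALESCE(tcphdr.tcp_sport, udphdr.udp_sport)  AS 'Src Port',
       ''                                            AS 'Src Country',
       INET_NTOA(iphdr.ip_dst)                       AS 'Dst IP',
       COALESCE(tcphdr.tcp_dport, udphdr.udp_dport)  AS 'Dst Port',
       sensor.hostname                               AS 'Sensor',
       event.timestamp                               AS 'Timestamp'
  FROM event
  LEFT JOIN signature ON (event.signature = signature.sig_id)
  LEFT JOIN sensor    ON (event.sid = sensor.sid)
  LEFT JOIN iphdr     ON (event.cid = iphdr.cid  AND event.sid = iphdr.sid)
  LEFT JOIN tcphdr    ON (event.cid = tcphdr.cid AND event.sid = tcphdr.sid)
  LEFT JOIN udphdr    ON (event.cid = udphdr.cid AND event.sid = udphdr.sid)
 WHERE event.sid = '1'
 ORDER BY event.timestamp DESC
 LIMIT 1000;
```

Run both parts from the same client and account the console uses against the idsevents database, since that is where the failing request is executed. If `SELECT CAST(1 AS CHAR)` fails while the CONCAT() form of the query returns rows, the console's queries need a MySQL 4.0.2 or later server; the aw_hsc database and the Snort output side are not involved, which matches the populated tables and working summary graphs described above.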



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

