Snort mailing list archives
Re: view alerts in base
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Tue, 21 Apr 2009 21:38:17 -0500
--On April 21, 2009 8:45:01 PM -0500 David Kingsly <davidkingsly () verizon net> wrote:
So even though I see alerts in mysql, the issue is between snort 2.8.4 and mysql? Not between BASE and mysql? From looking at my tables before I installed BASE, and after I see that BASE added some items. I just don't get why alerts are not collected. I'll look at barnyard documentation. Thank you. I do not have ACID installed. The procedures that I am following on Ubuntu do not call for it.
The name acid is a legacy from the software that BASE is derived from. Here's my operational system:

mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|     6881 |
+----------+
1 row in set (0.00 sec)

mysql> select count(*) from acid_event;
+----------+
| count(*) |
+----------+
|     6880 |
+----------+
1 row in set (0.00 sec)

As you can see the number of alerts is different. Whether snort feeds mysql directly *or* barnyard parses the unified format and feeds mysql, the result is the same - events are entered into the *snort* database. The BASE install adds the four acid_* tables. Those tables are fed by BASE, not by snort or barnyard. So, if the snort db event table has entries but the acid_event table does not, the problem is BASE, not snort, mysql or barnyard.

Check your BASE configuration. There is something wrong with it. It could be the username, password, hostname or something else, but BASE is not connecting to the db to parse the events and populate its tables. There is a section that looks like this:

$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'password';

That section *must* match the dbname of your db plus the correct port plus the correct user and password or BASE will not function correctly. If localhost doesn't work, use 127.0.0.1. (Localhost *should* be defined in your hosts file, but many people miss that detail. In that case, localhost does not resolve to 127.0.0.1.)

If you have logging enabled in mysql, you should be able to see the errors and figure out why it's not working. If it's working correctly, you should see entries like this:

090418  0:04:15     280 Init DB   snort
                    280 Query     SELECT vseq FROM `schema`
                    280 Init DB   snort
                    280 Query     SELECT vseq FROM `schema`
                    280 Query     SELECT ip_src FROM iphdr LIMIT 0, 1
                    280 Query     SHOW TABLES
                    280 Query     SHOW TABLES
                    280 Query     SHOW TABLES
                    280 Query     SHOW TABLES
                    280 Query     SHOW TABLES
                    280 Query     SHOW TABLES
                    280 Query     SELECT count(*) FROM sensor
                    280 Query     SELECT sid FROM sensor
                    280 Query     SELECT MAX(cid) FROM event WHERE sid='1'
                    280 Query     SELECT MAX(cid) FROM acid_event WHERE sid='1'
                    280 Query     SELECT count(*) FROM acid_event where sid = '1'
                    280 Query     INSERT INTO acid_event (sid,cid,signature,timestamp, ip_src,ip_dst,ip_proto, layer4_sport,layer4_dport, sig_name, sig_priority, sig_class_id)

Note that a SELECT on the event table is followed by an INSERT into acid_event. That is done by BASE (when it's working correctly.)

Paul Schmehl, If it isn't already obvious, my opinions are my own and not those of my employer.
******************************************
WARNING: Check the headers before replying
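As an added example (not code from the thread or from the BASE project), a small diagnostic in the spirit of Paul's advice: it parses the $alert_* block from base_conf.php and runs the same per-sensor MAX(cid) comparison BASE issues in the MySQL log above, flagging an acid_event table that lags behind event. It uses an in-memory sqlite stand-in with constructed rows in place of the real snort MySQL database.

```python
import re
import sqlite3

# Constructed excerpt of the $alert_* section of base_conf.php quoted in the mail.
BASE_CONF = """
$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'password';
"""

def parse_base_conf(text):
    """Return the $alert_* settings as a dict, e.g. {'dbname': 'snort', ...}."""
    return dict(re.findall(r"\$alert_(\w+)\s*=\s*'([^']*)'\s*;", text))

def build_sample_db():
    """sqlite stand-in for the snort schema (constructed): BASE stopped at cid 3, sensor is at cid 6."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER);
        CREATE TABLE acid_event (sid INTEGER, cid INTEGER, signature INTEGER);
        INSERT INTO event VALUES (1,1,100),(1,2,100),(1,3,101),(1,4,101),(1,5,102),(1,6,102);
        INSERT INTO acid_event VALUES (1,1,100),(1,2,100),(1,3,101);
    """)
    return conn

def base_backlog(conn):
    """Per-sensor MAX(cid) of event vs acid_event, the same queries BASE runs."""
    report = {}
    for (sid,) in conn.execute("SELECT DISTINCT sid FROM event"):
        ev = conn.execute("SELECT MAX(cid) FROM event WHERE sid=?", (sid,)).fetchone()[0]
        ae = conn.execute("SELECT MAX(cid) FROM acid_event WHERE sid=?", (sid,)).fetchone()[0] or 0
        report[sid] = {"event_max_cid": ev, "acid_event_max_cid": ae, "pending": ev - ae}
    return report

def diagnose(conn, conf):
    """Findings: a lagging acid_event points at BASE, and the usual culprits are the $alert_* values."""
    findings = []
    for sid, r in base_backlog(conn).items():
        if r["pending"] > 1:  # BASE normally trails event by at most the row it is processing
            findings.append(f"sid {sid}: event at cid {r['event_max_cid']}, acid_event at "
                            f"{r['acid_event_max_cid']}: BASE is not populating its tables")
    for key in ("dbname", "user", "password"):
        if not conf.get(key):
            findings.append(f"$alert_{key} is empty; BASE cannot connect")
    if conf.get("host") == "localhost":
        findings.append("host is 'localhost': if it does not resolve, try 127.0.0.1")
    return findings
```

Run `diagnose(build_sample_db(), parse_base_conf(BASE_CONF))` to get the list of findings; against a live install, replace the sqlite stand-in with a connection to the snort database using the parsed settings.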