Snort mailing list archives
Re: view alerts in base
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 22 Apr 2009 07:51:34 -0400
You have to use "backticks" for the schema table.

select * from `schema`;

Joel

On Tue, Apr 21, 2009 at 9:40 PM, David Kingsly <davidkingsly () verizon net> wrote:

I can not do the query. I see the table, but it does not work...

mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| acid_ag          |
| acid_ag_alert    |
| acid_event       |
| acid_ip_cache    |
| base_roles       |
| base_users       |
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
22 rows in set (0.00 sec)

mysql> select * from 'schema';
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''schema'' at line 1
mysql> select * from schema;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'schema' at line 1
mysql> select * from schema;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'schema' at line 1
mysql>

On Mon, 2009-04-20 at 17:19 -0400, Lee Clemens wrote:

Can you send the output of

select * from `schema`;

-----Original Message-----
From: David Kingsly [mailto:davidkingsly () verizon net]
Sent: Sunday, April 19, 2009 10:45 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] view alerts in base

Just to add to this previous post. I do not seem to have a sensor id in my table. I saw some posts regarding this being the reason for alerts not showing up in BASE:

mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| acid_ag          |
| acid_ag_alert    |
| acid_event       |
| acid_ip_cache    |
| base_roles       |
| base_users       |
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
22 rows in set (0.00 sec)

mysql> select * from sensor;
Empty set (0.00 sec)

I do however see alerts in the mysql database.

On Sun, 2009-04-19 at 13:27 -0400, David Kingsly wrote:

Greetings-

I see alerts in mysql and in alerts folder in /var/logs/snort. But base page is blank. I checked mysql by logging in using the same account, and password, and I did select * on some tables. But they do not show up in Base. Is there a log file I can look at? How can I find out what is wrong please?

Here are some logs I suspect:

daemon.log:Apr 19 10:47:08 thunder snort[21347]: Target-based policy: WINDOWS
daemon.log:Apr 19 10:47:14 thunder snort[21351]: database: inconsistent cid information for sid=1
daemon.log.0:Apr 12 12:04:26 thunder snort[20659]: Target-based policy: WINDOWS
daemon.log.0:Apr 12 12:11:02 thunder snort[20755]: Target-based policy: WINDOWS
daemon.log.0:Apr 12 12:13:04 thunder snort[20763]: Target-based policy: WINDOWS
daemon.log.0:Apr 12 12:13:41 thunder snort[20962]: Target-based policy: WINDOWS
daemon.log.0:Apr 12 15:23:24 thunder snort[29865]: Target-based policy: WINDOWS
daemon.log.0:Apr 16 20:58:11 thunder snort[5993]: Target-based policy: WINDOWS
daemon.log.0:Apr 16 20:58:18 thunder snort[5993]: database: inconsistent cid information for sid=1
daemon.log.0:Apr 16 21:35:48 thunder snort[5967]: Target-based policy: WINDOWS
daemon.log.0:Apr 16 21:35:55 thunder snort[5967]: database: inconsistent cid information for sid=1

------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and around Java (TM) technology - register by April 22, and save $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco. 300 plus technical and hands-on sessions. Register today. Use priority code J9JMT32. http://p.sf.net/sfu/p
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974