Snort mailing list archives
RE: ACID Alert Cache Empty
From: Kevin Brown <Kevin.M.Brown () asu edu>
Date: Mon, 22 Jul 2002 09:29:49 -0700
Well I still haven't been able to isolate the cause of this problem. Near the end of last week's archive ACID started moving some of the alerts into the alert cache. Unfortunately only 600,000 of the nearly 1.4 million alerts were moved to the cache. This week's current alerts are again not being moved to the cache. I don't know what broke it other than possibly moving up to schema 105 of the database.

P.S. Just went through the weekly archives and sure enough the cache stopped pulling all the alerts up into it after moving to schema 105. Only reason I did move up was because snort complained about schema 104.

-----Original Message-----
From: Imran William Smith
To: Kevin Brown
Cc: 'Snort-users '
Sent: 7/21/02 4:49 PM
Subject: Re: [Snort-users] ACID Alert Cache Empty

It's not a single function, it's about 5 inserts, 1 for TCP, 1 for UDP, etc. I think it's acid_cache.inc

You'll still need to implement something similar to the below algorithm if you want it to run exactly how acid does it at the moment. Or at least, make sure you do it sensor by sensor.

I'd be grateful if you let me know what the cause was...

Imran
--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia

----- Original Message -----
From: Kevin Brown <Kevin.M.Brown () asu edu>
To: 'Imran William Smith ' <iwsmith () mimos my>; 'Kevin Brown' <Kevin.M.Brown () asu edu>
Cc: 'Snort-users ' <Snort-users () lists sourceforge net>
Sent: Friday, July 19, 2002 11:23 PM
Subject: RE: [Snort-users] ACID Alert Cache Empty

Sorry, should have been more clear. I dropped the ACID cache and event tables from the mysql command prompt (drop table <table name>), then went to the PHP frontend and it remade the tables from the script that came with ACID (create_acid_tbls_mysql.sql). Still no data is being propagated from the event table (which has continued to grow) to the acid_event table.

I guess I'll try to find the function in ACID that updates the ACID cache tables and see if I can run it from the mysql prompt on the server.

-----Original Message-----
From: Imran William Smith
To: Kevin Brown
Cc: Snort-users
Sent: 7/18/02 6:15 PM
Subject: Re: [Snort-users] ACID Alert Cache Empty

The algorithm acid uses is something like

for each sensor
    get highest sid in acid_event table -> (call it acid_event_max_sid)
    for all rows in event where event.sid > acid_event_max_sid
        insert corresponding rows into acid_event
    end for
end for

This all has to happen this way, because MySQL does not handle the where not exists (subquery) structure, which would mean the whole thing could be done in a single query.

So my guess is some auto-increment problem is stopping the insert happening; Acid somehow thinks acid_event is already full. You could try dropping and recreating the acid_event table. That might probably solve it. Because when you say 'rebuilding', I presume you mean 'rebuilding' in the frontend, rather than a drop ; create operation. So you've totally reset the snort schema, but not the acid schema.

--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia

----- Original Message -----
From: Kevin Brown <Kevin.M.Brown () asu edu>
To: 'snort-users () lists sourceforge net'
Sent: Friday, July 19, 2002 12:57 AM
Subject: [Snort-users] ACID Alert Cache Empty

An issue seems to have popped up this week with Snort (1.9-dev from CVS) and ACID (0.9.6b22).

MySQL Server setup:
ACID 0.9.6b22
MySQL 3.23.51
Schema 105
ADODB 2.12

Last week worked fine. Snort was logging to the MySQL server and ACID would properly update the cache with the new events. This week it is properly logging to the db, but ACID won't update the cache of events.

What happens (and this has been working for almost a year) is that on Sunday night the old database is moved to a new folder and a new snort database (completely empty) is put into place by rerunning the db schema creation script (create_mysql). I have tried deleting the ACID cache tables and rebuilding them, but it still didn't update the cache with the now over 700,000 alerts. I can go to the "Cache and Status" page and see that the database has a large number of alerts, but it shows 0 for the cached events. Hit update alert cache and it adds 0 alerts to the cache. Repair tables doesn't seem to do anything, nor does Rebuild Alert Cache from the same page. No software has been changed while I was gone.

Any other suggestions?
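The per-sensor catch-up algorithm Imran sketches above, written out as an added example; it is not ACID's own code and nothing in this thread posted it. It assumes a simplified layout of the Snort `event` and ACID `acid_event` tables (sensor id `sid`, per-sensor event counter `cid`, `signature`) in an in-memory SQLite database, so `cid` plays the role of the per-sensor high-water mark that the message calls the highest sid. Besides the normal catch-up it reproduces the symptom from the thread: a stale high-water mark in `acid_event` makes the per-sensor pass copy 0 rows for that sensor, a `LEFT JOIN ... IS NULL` count (which needs no subquery, so it can be run on MySQL 3.23) shows the events that are really missing, and the single `NOT EXISTS` insert that newer databases allow picks them up. The sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the thread): (sid, cid, signature) rows.
# Sensor 1 has logged four events, sensor 2 two; the cache already holds
# sensor 1's first two events.
SAMPLE_EVENTS = [
    (1, 1, 1001), (1, 2, 1002), (1, 3, 1003), (1, 4, 1001),
    (2, 1, 2001), (2, 2, 2002),
]
SAMPLE_CACHED = [(1, 1, 1001), (1, 2, 1002)]


def make_db(cached_rows):
    """Build an in-memory database with an assumed, simplified Snort/ACID layout."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE sensor (sid INTEGER PRIMARY KEY);
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                            PRIMARY KEY (sid, cid));
        CREATE TABLE acid_event (sid INTEGER, cid INTEGER, signature INTEGER,
                                 PRIMARY KEY (sid, cid));
    """)
    con.executemany("INSERT INTO sensor VALUES (?)", [(1,), (2,)])
    con.executemany("INSERT INTO event VALUES (?, ?, ?)", SAMPLE_EVENTS)
    con.executemany("INSERT INTO acid_event VALUES (?, ?, ?)", cached_rows)
    con.commit()
    return con


def update_cache_per_sensor(con):
    """The per-sensor high-water-mark pass described in the thread.

    For every sensor, take the highest cid already in acid_event and copy
    every event row above it. Only a MAX() and a greater-than comparison
    are needed, so it works without subquery support (MySQL 3.23).
    Returns the number of rows copied.
    """
    inserted = 0
    for (sid,) in con.execute("SELECT sid FROM sensor").fetchall():
        (max_cid,) = con.execute(
            "SELECT COALESCE(MAX(cid), 0) FROM acid_event WHERE sid = ?", (sid,)
        ).fetchone()
        cur = con.execute(
            "INSERT INTO acid_event (sid, cid, signature) "
            "SELECT sid, cid, signature FROM event WHERE sid = ? AND cid > ?",
            (sid, max_cid),
        )
        inserted += cur.rowcount
    con.commit()
    return inserted


def count_missing(con):
    """Events not yet in acid_event, via LEFT JOIN ... IS NULL (no subquery).

    This is the check to run when the 'update alert cache' page reports
    0 rows added while the event table keeps growing.
    """
    (n,) = con.execute(
        "SELECT COUNT(*) FROM event e "
        "LEFT JOIN acid_event a ON a.sid = e.sid AND a.cid = e.cid "
        "WHERE a.sid IS NULL"
    ).fetchone()
    return n


def update_cache_single_query(con):
    """The single NOT EXISTS insert the thread says MySQL 3.23 cannot run.

    Unlike the high-water-mark pass it does not depend on cids being
    monotonic, so a stale row in acid_event cannot hide newer events.
    """
    cur = con.execute(
        "INSERT INTO acid_event (sid, cid, signature) "
        "SELECT e.sid, e.cid, e.signature FROM event e "
        "WHERE NOT EXISTS (SELECT 1 FROM acid_event a "
        "                  WHERE a.sid = e.sid AND a.cid = e.cid)"
    )
    con.commit()
    return cur.rowcount


if __name__ == "__main__":
    # Normal case: the per-sensor pass catches up the four uncached events.
    con = make_db(SAMPLE_CACHED)
    print("per-sensor pass copied", update_cache_per_sensor(con), "rows;",
          count_missing(con), "still missing")

    # Failure mode from the thread: a leftover row with a high cid (e.g. one
    # surviving a weekly database rotation) makes the pass treat sensor 1 as
    # fully cached, so nothing is copied for it although four events are missing.
    stale = make_db([(1, 99, 1001)])
    print("stale mark: per-sensor pass copied", update_cache_per_sensor(stale),
          "rows;", count_missing(stale), "still missing")
    print("NOT EXISTS insert copied", update_cache_single_query(stale), "rows;",
          count_missing(stale), "still missing")
```

The `count_missing` query is the useful diagnostic here: if it returns a non-zero figure while the frontend's "update alert cache" keeps adding 0 rows, the per-sensor high-water mark is wrong rather than the event data, and dropping and recreating `acid_event` (or inserting with `NOT EXISTS` on a database that supports it) is the fix.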
Current thread:
- ACID Alert Cache Empty Kevin Brown (Jul 18)
- Re: ACID Alert Cache Empty Imran William Smith (Jul 18)
- <Possible follow-ups>
- RE: ACID Alert Cache Empty Kevin Brown (Jul 19)
- Re: ACID Alert Cache Empty Imran William Smith (Jul 21)
- RE: ACID Alert Cache Empty Kevin Brown (Jul 22)
- RE: ACID Alert Cache Empty Kevin Brown (Jul 24)