Snort mailing list archives

RE: Snort 1.9, RH 7.3 and Acid


From: "Beckett, Josh" <JBeckett () enviance com>
Date: Fri, 4 Oct 2002 14:17:46 -0700

From the 'create_mysql' script used to set up the db (as outlined in the
paper) --
***snip***
#1.17
CREATE TABLE schema ( vseq        INT      UNSIGNED NOT NULL,
                      ctime       DATETIME NOT NULL,
                      PRIMARY KEY (vseq));
INSERT INTO schema  (vseq, ctime) VALUES ('106', now());
***end snip***

Already at 1.06

J-

-----Original Message-----
From: Addam Schroll [mailto:addam () purdue edu] 
Sent: Friday, October 04, 2002 2:12 PM
To: Beckett, Josh
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 1.9, RH 7.3 and Acid


The Snort database schema was modified about a month ago in the 1.9
branch.  The DB inserts may be failing when it attempts to mess with the
new last_cid field.  Try upgrading your schema to v106.  That may solve
your problem.  The instructions for upgrading follow.

From the Changelog:

2002-09-03  Roman Danyliw <roman () danyliw com>

       * src/output-plugin/spo_database.c

         - DB schema v106
         - Added the sensor.last_cid field to the schema so the
           database can store the last used cid for a given sensor.
           This field will ensure that a cid will never be reused.

           Upgrading from v105 -> v106 is as simple as:

           mysql> ALTER TABLE sensor ADD last_cid INT UNSIGNED NOT NULL;
           mysql> UPDATE schema SET vseq=106;

            psql> ALTER TABLE sensor ADD last_cid INT8;
            psql> UPDATE schema SET vseq=106;


Addam


On Fri, 2002-10-04 at 15:14, Beckett, Josh wrote:
Ok...I was excited by the announcement of 1.9 and went and did a dumb 
thing...upgraded right on a production box.  I did my initial setup 
using the doc from the snort website "Snort Installation Manual: 
Snort, MySQL and ACID on RedHat 7.3" (great doc, btw).

Every thing went fine relative to the upgrade, etc.  Compiled fine, 
used the new conf file and "current" rules set.  Snort seems to be 
running fine, but doesn't seem to want to log to ACID-MySQL.  As a 
troubleshooting measure, I set "log to file" on as well as log to db, 
I can see alerts going into a file, but not the db.  I've even gone 
and blown away the db's and re-set them up, using the steps outlined 
in the paper.  Still no joy.

I've triple checked the snort.conf file for silly things, like bad 
rules path, bad db password and user name and everything seems to be 
fine...still no alerts in the db, but alerts pop up in the file.  I've 
even checked the configure.log to make sure that I compiled with the 
--with-mysql switch...good there.

Any other places to check, where I might be having a problem?

Thanks,
Josh

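As an added example, not part of this thread or of the Snort project: a small POSIX shell helper that reads the `schema.vseq` value Addam's message refers to and emits (or applies) only the v105 -> v106 statements his Changelog excerpt lists, so the ALTER is never run a second time against a database that, like Josh's, is already at 106. Function names, the database name and the client arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Decides which upgrade a Snort DB needs
# from the vseq stored in its `schema` table, for the MySQL and PostgreSQL
# layouts quoted in the Changelog excerpt. DB name/credentials are placeholders.

# Print the SQL that moves a schema at version "$2" to v106 for dialect "$1"
# (mysql|psql). Prints nothing when already at 106; returns 1 for unknown versions.
snort_schema_upgrade_sql() {
    dialect="$1"; version="$2"
    case "$version" in
        106) return 0 ;;
        105)
            case "$dialect" in
                mysql) alter='ALTER TABLE sensor ADD last_cid INT UNSIGNED NOT NULL;' ;;
                psql)  alter='ALTER TABLE sensor ADD last_cid INT8;' ;;
                *)     return 1 ;;
            esac
            printf '%s\n' "$alter" 'UPDATE schema SET vseq=106;'
            return 0 ;;
        *) return 1 ;;
    esac
}

# Read the current vseq from a live MySQL database (needs the mysql client).
# Usage: snort_mysql_schema_version DBNAME [extra mysql args, e.g. -u snort -p]
snort_mysql_schema_version() {
    db="$1"; shift
    mysql -N -s "$@" "$db" -e 'SELECT vseq FROM schema;'
}

# Check a live MySQL database and apply the upgrade only if it is at v105.
# Returns 0 when nothing needs doing or the upgrade applied, 1 on an unknown
# version, 2 when the version could not be read (not exercised by the test).
snort_mysql_check_and_upgrade() {
    db="$1"; shift
    v=$(snort_mysql_schema_version "$db" "$@") || return 2
    sql=$(snort_schema_upgrade_sql mysql "$v") || { echo "unknown schema version: $v" >&2; return 1; }
    if [ -z "$sql" ]; then
        echo "schema already at v106; nothing to do"
        return 0
    fi
    printf '%s\n' "$sql" | mysql "$@" "$db"
}
```

Run `snort_mysql_check_and_upgrade snort -u snort -p` (placeholder name and user) on the host; a schema that the create_mysql script already set to 106 prints "nothing to do" and no ALTER is issued.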

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list