Snort mailing list archives

Re: Snort and ACID - how to determine if logging is happening correctly


From: Timothy W Morrison <morriswt () us ibm com>
Date: Mon, 7 Jun 2004 14:33:28 -0500

Jeff,
I am having this exact same problem where it's logging to the database but
not in ACID. Have you made any progress on this?

Regards,

Tim Morrison



"Jeff Schmidt (CACL Tech Asst)" <schmidje () oplin org> 
Sent by: snort-users-admin () lists sourceforge net
06/04/2004 01:47 PM

To
snort-users () lists sourceforge net
cc

Subject
[Snort-users] Snort and ACID - how to determine if logging is happening correctly


Hello,
   I'm trying to get Snort, Barnyard, MySQL, and ACID all working 
together. I'm having a problem that I suspect is a problem with ACID, 
not Snort, but I'm wondering how to tell if barnyard is correctly 
logging information to the mysql database. The problem I have with ACID 
is that when I view acid_main.php it *always* tells me there are 0 
alerts in the database.

I've tried the following:

mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|     2963 |
+----------+

mysql> select * from iphdr order by rand() limit 3;
+-----+------+-----------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------+
| sid | cid  | ip_src    | ip_dst     | ip_ver | ip_hlen | ip_tos | ip_len | ip_id | ip_flags | ip_off | ip_ttl | ip_proto | ip_csum |
+-----+------+-----------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------+
|   1 | 2368 | 167838071 | 4294967295 |   NULL |    NULL |   NULL |   NULL |  NULL |     NULL |   NULL |   NULL |       17 |    NULL |
|   1 | 2060 | 167838071 | 4294967295 |   NULL |    NULL |   NULL |   NULL |  NULL |     NULL |   NULL |   NULL |       17 |    NULL |
|   1 | 1320 | 167838071 | 4294967295 |   NULL |    NULL |   NULL |   NULL |  NULL |     NULL |   NULL |   NULL |       17 |    NULL |
+-----+------+-----------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------+
3 rows in set (0.06 sec)

mysql> select * from data order by rand() limit 3;
Empty set (0.00 sec)

mysql> select * from event order by rand() limit 3;
+-----+------+-----------+---------------------+
| sid | cid  | signature | timestamp           |
+-----+------+-----------+---------------------+
|   1 | 1273 |         1 | 2004-06-03 15:28:55 |
|   1 |  494 |         1 | 2004-06-03 16:24:51 |
|   1 |  423 |         1 | 2004-06-03 15:34:55 |
+-----+------+-----------+---------------------+
3 rows in set (0.04 sec)

mysql> select * from detail order by rand() limit 3;
+-------------+-------------+
| detail_type | detail_text |
+-------------+-------------+
|           1 | full        |
|           0 | fast        |
+-------------+-------------+
2 rows in set (0.31 sec)

mysql> select * from icmphdr order by rand() limit 3;
+-----+------+-----------+-----------+-----------+---------+----------+
| sid | cid  | icmp_type | icmp_code | icmp_csum | icmp_id | icmp_seq |
+-----+------+-----------+-----------+-----------+---------+----------+
|   1 |  976 |         3 |         3 |      NULL |    NULL |     NULL |
|   1 | 1835 |         3 |         3 |      NULL |    NULL |     NULL |
|   1 | 2948 |         3 |         3 |      NULL |    NULL |     NULL |
+-----+------+-----------+-----------+-----------+---------+----------+
3 rows in set (0.02 sec)

mysql> select * from udphdr order by rand() limit 3;
+-----+------+-----------+-----------+---------+----------+
| sid | cid  | udp_sport | udp_dport | udp_len | udp_csum |
+-----+------+-----------+-----------+---------+----------+
|   1 | 2311 |       162 |       162 |    NULL |     NULL |
|   1 |    9 |       162 |       162 |    NULL |     NULL |
|   1 | 2121 |       162 |       162 |    NULL |     NULL |
+-----+------+-----------+-----------+---------+----------+
3 rows in set (0.03 sec)

mysql> \q

-------------------------------------------------------


It looks like at least *some* information is getting sent to the 
database, but I see an awful lot of NULLs, which makes me think some of 
the info is not getting correctly logged to the alert database.

Can anyone help me on this?

Jeff Schmidt




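The cross-checks below are an added example and are not part of the original thread, nor code from Snort, Barnyard or ACID. The script builds an in-memory SQLite stand-in for the four tables the poster queried (event, iphdr, udphdr, icmphdr; column names as shown above), fills it with constructed rows shaped like the posted output (the NULL IP-header columns, plus one UDP alert deliberately missing its udphdr row and one event with no iphdr row at all), and then runs the LEFT JOIN consistency queries and per-column NULL census that tell you whether every event has the header rows a console needs. The same SQL can be typed at the mysql prompt against the real snort database. The int_to_dotted helper decodes the unsigned 32-bit integers Snort stores in ip_src/ip_dst, so the 167838071 and 4294967295 from the post read back as 10.1.1.119 and 255.255.255.255; the sample row values other than those two addresses are invented.

```python
import sqlite3
import socket
import struct

# iphdr columns in the order the post's output shows them; everything after
# ip_dst (except ip_proto) was NULL in the poster's database.
IPHDR_COLUMNS = ["ip_src", "ip_dst", "ip_ver", "ip_hlen", "ip_tos", "ip_len",
                 "ip_id", "ip_flags", "ip_off", "ip_ttl", "ip_proto", "ip_csum"]

# Constructed subset of the Snort database schema (SQLite syntax, in memory).
SCHEMA = """
CREATE TABLE event   (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr   (sid INTEGER, cid INTEGER, {cols});
CREATE TABLE udphdr  (sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER,
                      udp_len INTEGER, udp_csum INTEGER);
CREATE TABLE icmphdr (sid INTEGER, cid INTEGER, icmp_type INTEGER, icmp_code INTEGER,
                      icmp_csum INTEGER, icmp_id INTEGER, icmp_seq INTEGER);
""".format(cols=", ".join(c + " INTEGER" for c in IPHDR_COLUMNS))

SRC = 167838071   # ip_src value from the post (10.1.1.119)
DST = 4294967295  # ip_dst value from the post (255.255.255.255)

# Constructed sample rows, not real captures:
#   cid 1-2: header columns NULL apart from addresses and protocol (UDP), like the post
#   cid 3:   fully populated UDP row but no matching udphdr row (port info lost)
#   cid 4:   fully populated ICMP row with its icmphdr row
#   cid 5:   event with no iphdr row at all (ACID cannot show an address for it)
SAMPLE_EVENTS = [(1, c, 1, "2004-06-03 15:%02d:00" % c) for c in range(1, 6)]
SAMPLE_IPHDR = [
    (1, 1, SRC, DST, None, None, None, None, None, None, None, None, 17, None),
    (1, 2, SRC, DST, None, None, None, None, None, None, None, None, 17, None),
    (1, 3, SRC, DST, 4, 5, 0, 100, 1234, 0, 0, 64, 17, 0),
    (1, 4, SRC, DST, 4, 5, 0, 56, 1235, 0, 0, 64, 1, 0),
]
SAMPLE_UDPHDR = [(1, 1, 162, 162, None, None), (1, 2, 162, 162, None, None)]
SAMPLE_ICMPHDR = [(1, 4, 3, 3, None, None, None)]


def int_to_dotted(n):
    """Snort stores IPv4 addresses as unsigned 32-bit integers; decode one."""
    return socket.inet_ntoa(struct.pack("!I", n))


def open_sample_db():
    """Create the in-memory stand-in and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", SAMPLE_EVENTS)
    conn.executemany("INSERT INTO iphdr VALUES (%s)" % ",".join("?" * 14), SAMPLE_IPHDR)
    conn.executemany("INSERT INTO udphdr VALUES (?,?,?,?,?,?)", SAMPLE_UDPHDR)
    conn.executemany("INSERT INTO icmphdr VALUES (?,?,?,?,?,?,?)", SAMPLE_ICMPHDR)
    return conn


def completeness_report(conn):
    """Cross-check event/iphdr/udphdr/icmphdr the way a console has to join them."""
    def scalar(sql):
        return conn.execute(sql).fetchone()[0]

    report = {
        "total_events": scalar("SELECT COUNT(*) FROM event"),
        # events with no IP header row: nothing to show a source/destination for
        "events_without_iphdr": scalar(
            "SELECT COUNT(*) FROM event e LEFT JOIN iphdr i "
            "ON e.sid = i.sid AND e.cid = i.cid WHERE i.cid IS NULL"),
        # UDP alerts (ip_proto 17) whose port information was never logged
        "udp_without_udphdr": scalar(
            "SELECT COUNT(*) FROM iphdr i LEFT JOIN udphdr u "
            "ON i.sid = u.sid AND i.cid = u.cid WHERE i.ip_proto = 17 AND u.cid IS NULL"),
        # ICMP alerts (ip_proto 1) with no type/code row
        "icmp_without_icmphdr": scalar(
            "SELECT COUNT(*) FROM iphdr i LEFT JOIN icmphdr c "
            "ON i.sid = c.sid AND i.cid = c.cid WHERE i.ip_proto = 1 AND c.cid IS NULL"),
    }
    # Fraction of NULLs per iphdr column: 1.0 means the field is never logged.
    total_ip = max(scalar("SELECT COUNT(*) FROM iphdr"), 1)
    report["iphdr_null_fraction"] = {
        col: scalar("SELECT COUNT(*) FROM iphdr WHERE %s IS NULL" % col) / total_ip
        for col in IPHDR_COLUMNS
    }
    # Decode the stored integers so the addresses can be sanity-checked by eye.
    report["src_addrs"] = sorted(int_to_dotted(r[0]) for r in
                                 conn.execute("SELECT DISTINCT ip_src FROM iphdr"))
    report["dst_addrs"] = sorted(int_to_dotted(r[0]) for r in
                                 conn.execute("SELECT DISTINCT ip_dst FROM iphdr"))
    return report


if __name__ == "__main__":
    for key, value in completeness_report(open_sample_db()).items():
        print(key, value)
```

Any non-zero count in events_without_iphdr, udp_without_udphdr or icmp_without_icmphdr means the alert pipeline dropped a layer a console will need; a null fraction of 1.0 for a column means that header field is never being written, which is the pattern the post's output shows for ip_ver through ip_ttl and ip_csum.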