Snort mailing list archives
RE: Barnyard not inserting on ACID tables in MySQL, just regular
From: Pedro Fortuna <pedro.fortuna () gmail com>
Date: Thu, 2 Sep 2004 07:29:19 +0100
I've just taken a peek at my two "blank" snort databases that I attempted to get working with barnyard, and this is strange... but the sensor table is completely empty in both..... so, there couldn't be a last_cid field... this means that barnyard fails to create new sensor entries... anyway, it seems there's a bug lying here in barnyard...

Pedro Fortuna

On Thu, 2 Sep 2004 12:53:33 +0900, Basselgia, Barry A Mr (NAF Atsugi) <babasselgia () atsugi navy mil> wrote:
> Pedro,
>
> I had a similar problem. Tracked it down to the sensor table. If Barnyard is logging to a new snort/acid database, this table doesn't seem to get populated. If snort outputs directly to the database, it populates this table and the field last_cid is updated by snort. For some reason barnyard doesn't seem to populate this table or update the last_cid field. I inserted records for each of my sensors into this table manually. After that, acid started displaying all the alerts that barnyard had inserted into the database.
>
> Barry
>
> -----Original Message-----
> Date: Wed, 1 Sep 2004 19:06:43 +0100
> From: Pedro Fortuna <pedro.fortuna () gmail com>
> Reply-To: Pedro Fortuna <pedro.fortuna () gmail com>
> To: Dirk Geschke <dirk_geschke () genua de>
> Cc: snort-users () lists sourceforge net, barnyard-users () lists sourceforge net
> Subject: [Barnyard-users] Re: [Snort-users] Barnyard not inserting on ACID tables in MySQL, just regular snort ones
>
> Hello,
>
> You're right! Thanks Dirk! Acid tables are only populated by Acid itself. I've just double-checked the mysqld log.
>
> I managed to get snort-barnyard-acid working. I told barnyard to log to the old mysql DB (the one that snort was inserting directly, prior to this setup), changed acid to work with the old DB, and it began working... why? I don't know... I don't have any clue...
>
> Both old and newest DBs were created like this:
> - created blank database,
> - create snort mysql user,
> - give permissions to user,
> - snort's "contrib/create_mysql" script,
> - contrib/snortdb-extra.gz,
> - and finally the acid tables are created by Acid (setup option).
>
> Anyway, now it's working with the old DB, but two things are bothering me:
> - ACID isn't showing my custom rule's description, it just shows something like this in the alert "Snort Alert [1:1000002:0]" (1000002 is the rule ID)
> - The event times are one hour late! An event at 3am shows 2am.
> If someone has a clue why Acid failed to insert the events in its tables (_using_ the blank DB) please say something, so that I can test it.
>
> Thanks,
> Pedro Fortuna
>
> On Wed, 01 Sep 2004 09:44:20 +0200, Dirk Geschke <dirk_geschke () genua de> wrote:
>> Hi Pedro,
>>
>>> I don't know why, but barnyard is not inserting on ACID tables in MySQL, and ACID does not show any alert. I'm pretty sure of:
>>> - snort is logging alerts correctly to unified log files
>>> - barnyard is being able to read them and...
>>> - ... it is connecting to mysql correctly and....
>>> - it is inserting only on tables event,iphdr,tcphdr,data
>>> Don't know why:
>>> - barnyard is not inserting on acid specific tables (it must be because of this that ACID does not show anything!)
>>
>> that is easy to explain: Only ACID fills the acid tables... The acid output plugin of barnyard is used to fill the database scheme which is used by acid. The acid tables are extensions made by acid to the database and are mainly used for caching or building up alert groups within acid.
>>
>> So don't blame barnyard for this...
>>
>> Best regards
>>
>> Dirk
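A way to confirm the empty-sensor-table symptom Pedro describes and to apply the manual workaround Barry describes, as an added example that is not from the thread. It assumes the `sensor` and `event` tables as created by snort's contrib/create_mysql script (`sid`, `cid` and `last_cid` columns); the hostname and interface values are placeholders to replace with each sensor's real values.

```sql
-- Diagnostic: sensor ids (sid) that appear in event rows Barnyard inserted
-- but have no matching sensor row. ACID joins event -> sensor, so alerts
-- under these sids never show up in the console.
SELECT e.sid, COUNT(*) AS events, MAX(e.cid) AS max_cid
FROM event e
LEFT JOIN sensor s ON s.sid = e.sid
WHERE s.sid IS NULL
GROUP BY e.sid;

-- Workaround: create the missing sensor rows, one per orphaned sid.
-- 'sensor-placeholder' and 'eth0' are assumed values; detail=1 (full
-- packet logging) and encoding=0 (hex) follow the snort schema defaults.
INSERT INTO sensor (sid, hostname, interface, filter, detail, encoding, last_cid)
SELECT e.sid, 'sensor-placeholder', 'eth0', NULL, 1, 0, MAX(e.cid)
FROM event e
LEFT JOIN sensor s ON s.sid = e.sid
WHERE s.sid IS NULL
GROUP BY e.sid;

-- Keep last_cid in step with the highest cid actually stored for each
-- sensor; this is the field the snort database plugin maintains itself
-- when it writes directly, and which Barnyard left untouched here.
UPDATE sensor s
SET s.last_cid = (SELECT COALESCE(MAX(e.cid), 0) FROM event e WHERE e.sid = s.sid);

-- Re-run the diagnostic: it should now return no rows.
SELECT e.sid
FROM event e
LEFT JOIN sensor s ON s.sid = e.sid
WHERE s.sid IS NULL
GROUP BY e.sid;
```

Run the diagnostic first against the "blank" database; if it returns rows, the alerts are there and only the join to `sensor` is failing, which matches what both Barry and Pedro observed.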
Current thread:
- RE: Barnyard not inserting on ACID tables in MySQL, just regular Pedro Fortuna (Sep 02)
- Re: RE: Barnyard not inserting on ACID tables in MySQL, just regular Dirk Geschke (Sep 02)
- Re: RE: Barnyard not inserting on ACID tables in MySQL, just regular Pedro Fortuna (Sep 02)
- Re: RE: Barnyard not inserting on ACID tables in MySQL, just regular Dirk Geschke (Sep 02)
- Re: RE: Barnyard not inserting on ACID tables in MySQL, just regular Pedro Fortuna (Sep 02)
- Re: RE: Barnyard not inserting on ACID tables in MySQL, just regular Dirk Geschke (Sep 02)