Snort mailing list archives

RE: Snort 2.0.0 logging to MySQL, but nothing in ACID???


From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Wed, 20 Oct 2004 09:35:48 -0500

Running both consoles in SQL trace mode led me to look at the sensor
table.  On the console that isn't working, there are no entries in the
sensor table, but there are entries in it on the working console.

I had an "Aha!" moment.  The sensor table on the broken box was missing
the last_cid column.  Don't know how that happened, as I know that I
didn't do anything related to that in the timeframe of the problem.
Putting the field back has corrected the issue.

Thanks.

Jon
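The checks described above, written out as queries against the console's database (an added example, not part of the original thread). It assumes the stock Snort 2.x MySQL schema from create_mysql, in which the database output plugin registers each sensor as a row in the sensor table and tracks the per-sensor event counter in sensor.last_cid; the column definition in the ALTER is taken from that schema and is an assumption to verify against the version actually deployed.

```sql
-- Added diagnostic, not from the original thread. Assumes the stock Snort
-- create_mysql schema (tables sensor and event, column sensor.last_cid).

-- 1. Schema check: the sensor table must still carry every column the output
--    plugin expects (sid, hostname, interface, filter, detail, encoding,
--    last_cid). A missing last_cid is the symptom reported in the thread.
SHOW COLUMNS FROM sensor;

-- 2. Registration check: events that reference a sid with no matching sensor
--    row belong to a sensor the console cannot display, even though the raw
--    event count ("Total Events") still climbs.
SELECT e.sid,
       COUNT(*)  AS events,
       s.hostname            -- NULL here means "no sensor row for this sid"
  FROM event e
  LEFT JOIN sensor s ON s.sid = e.sid
 GROUP BY e.sid, s.hostname;

-- 3. Repair: put the column back (definition assumed from create_mysql) and
--    seed it from the highest cid already logged per sensor, so the plugin's
--    counter does not restart below events that are already in the table.
ALTER TABLE sensor ADD COLUMN last_cid INT UNSIGNED NOT NULL;

UPDATE sensor s
   SET s.last_cid = (SELECT COALESCE(MAX(e.cid), 0)
                       FROM event e
                      WHERE e.sid = s.sid);

-- 4. Re-run step 2: every sid should now resolve to a hostname once the
--    sensors have re-registered.
```

Run it with the mysql client against the console's database before repointing sensors elsewhere: if step 1 already shows the column missing, steps 3 and 4 are the fix; if the schema is intact but step 2 lists sids without a hostname, the problem is sensor registration rather than the table layout, and the SQL trace file Kevin suggests will show which query the plugin is failing on.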

-----Original Message-----
From: Kevin Johnson [mailto:kjohnson () secureideas net] 
Sent: Tuesday, October 19, 2004 6:09 PM
To: Williams Jon
Cc: Snort Users
Subject: Re: [Snort-users] Snort 2.0.0 logging to MySQL, but nothing in ACID???

On Tue, 2004-10-19 at 16:29, Williams Jon wrote:
I'm having a pretty bad brain fart.  Some time this morning, one of 
our ACID consoles stopped working.  We've confirmed that all of our 
sensors are seeing data and generating alerts, that the MySQL port is 
open between all of the sensors and the DB server, that MySQL is 
running and accepting connections on the port the sensors are 
connecting to, and that the sensors are writing data to the database.

When I go into ACID, it shows no alerts and no sensors, but if I click
on the "Application cache and status" link, the Alert Information 
Cache section shows the correct number of alerts under "Total Events".
Clicking on "Repair Tables" and "Update Alert Cache" have no effect on
the problem, nor did restarting the web server, MySQL server, and 
rebooting the box.

Fortunately, we've got a second DB server.  When we repointed the 
sensors to the second server, everything works fine there.

While I was logged into the box around the time that the problem 
occurred, and there were no other users logged in at all since before 
the problem, I have no clear recollection of any actions that had 
anything to do with PHP, the web server, ACID, or MySQL.

Any suggestions?  Any idea how I shot myself in the foot?

Thanks.

Jon

Hi-

If you access the original database server directly, are the alerts
still there?  Is there anything in the logs?  I would set the two below
variables in acid_conf.php if you can't find anything else....
        
        $sql_trace_mode = 0;
        $sql_trace_file = "";

Feel free to respond with any more information and I can try to help.
Kevin
-------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
The next step in IDS analysis!



