Snort mailing list archives

Re: view alerts in base


From: Juergen Leising <juergen.leising () gmx de>
Date: Wed, 22 Apr 2009 23:26:57 +0200

On Wed, Apr 22, 2009 at 07:44:10AM +0000, Paul Schmehl <pschmehl_lists () tx rr com> wrote:

(...)
Here's my operational system:

mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|     6881 |
+----------+
1 row in set (0.00 sec)

mysql> select count(*) from acid_event;
+----------+
| count(*) |
+----------+
|     6880 |
+----------+
1 row in set (0.00 sec)

As you can see the number of alerts is different.  Whether snort feeds  
mysql directly *or* barnyard parses the unified format and feeds mysql,  
the result is the same - events are entered into the *snort* database.  
The BASE install adds the four acid_* tables.  Those tables are fed by  
base, not by snort or barnyard.  So, if the snort db event table has  
entries but the acid_event table does not, the problem is BASE not snort, 
mysql or barnyard.
(...)

Hello Paul,

you are right, there was indeed a bug in BASE, that should now 
be fixed in current CVS:  None of those preprocessor alerts with
signature names that did NOT start with a "spp_" prefix found 
their way into acid_event, so far.  And from now on error messages 
appear for each event that does not get stored into acid_event.

Cf. http://sourceforge.net/scm/?type=cvs&group_id=103348

The module name would be "base-php4".  Or wait for the upcoming
BASE-1.4.2 release.

Bye, bye

Juergen
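Added example, not part of either message in the thread: the queries below show how to locate the events that exist in Snort's event table but never reached BASE's acid_event table, and then group the missing ones by signature name so that preprocessor alerts without the "spp_" prefix stand out. They assume the standard Snort database schema (event.sid, event.cid, event.signature, event.timestamp; signature.sig_id, signature.sig_name) and that BASE's acid_event is keyed by the same (sid, cid) pair; the column names are assumptions drawn from those schemas, not from the thread.

```sql
-- Added diagnostic queries (MySQL); not from the thread or the BASE project.
-- Assumed schema: event(sid, cid, signature, timestamp),
--                 signature(sig_id, sig_name), acid_event(sid, cid, ...).

-- 1. Events written by snort/barnyard that BASE has not copied into acid_event.
--    A LEFT JOIN with "a.cid IS NULL" keeps only the rows with no match.
SELECT e.sid, e.cid, e.timestamp, s.sig_name
FROM event e
JOIN signature s ON s.sig_id = e.signature
LEFT JOIN acid_event a ON a.sid = e.sid AND a.cid = e.cid
WHERE a.cid IS NULL
ORDER BY e.timestamp DESC;

-- 2. The same missing rows grouped by signature name, flagged by whether the
--    name carries the "spp_" prefix.  With the bug described above, the rows
--    marked 'no spp_ prefix' are the preprocessor alerts BASE silently dropped.
--    '\_' keeps the underscore literal instead of a single-character wildcard.
SELECT s.sig_name,
       COUNT(*) AS missing,
       CASE WHEN s.sig_name LIKE 'spp\_%' THEN 'spp_ prefix'
            ELSE 'no spp_ prefix' END AS prefix_class
FROM event e
JOIN signature s ON s.sig_id = e.signature
LEFT JOIN acid_event a ON a.sid = e.sid AND a.cid = e.cid
WHERE a.cid IS NULL
GROUP BY s.sig_name
ORDER BY missing DESC;
```

Run both against the snort database as the BASE user. If the first query returns rows while snort and barnyard are running normally, the gap is on the BASE side, which is the conclusion drawn above; the second query tells you whether the missing rows are the preprocessor alerts that the CVS fix addresses or something else.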



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users