[Snort-users] ACID Alert Cache Empty

Imran William Smith iwsmith at ...487...
Thu Jul 18 18:16:02 EDT 2002

ACID Alert Cache EmptyThe algorithm acid uses is something like

for each sensor
    get highest sid in acid_event table     -> (call it acid_event_max_sid)

    for all rows in event where event.sid > acid_event_max_sid
        insert corresponding rows into acid_event
    end for
end for

This all has to happen this way, because MySQL does not handle the
where not exists (subquery) structure, which would mean the whole thing could
be done in a single query.

So my guess is some auto-increment problem is stopping the insert happening,
Acid somehow thinks acid_event is already full.  You could try dropping and recreate the
acid_event table.  That might probably solve it.  Because when you
say 'rebuilding', I presume you mean 'rebuilding' in the frontend, rather than a 
drop ; create operation.  So you've totally reset the snort schema, but not the acid

Imran William Smith
Security Products Development
Mimos Bhd, Malaysia

  ----- Original Message ----- 
  From: Kevin Brown 
  To: 'snort-users at lists.sourceforge.net' 
  Sent: Friday, July 19, 2002 12:57 AM
  Subject: [Snort-users] ACID Alert Cache Empty

  An issue seems to have popped up this week with Snort (1.9-dev from CVS) and ACID (0.9.6b22). 

  MySQL Server setup: 
  ACID 0.9.6b22 
  MySQL 3.23.51 
  Schema 105 
  ADODB 2.12 

  Last week worked fine.  Snort was logging to the MySQL server and ACID would properly update the cache with the new events.  This week it is properly logging to the db, but ACID won't update the cache of events.

  What happens (and this has been working for almost a year) is that on Sunday night the old database is moved to a new folder and a new snort database (completely empty) is put into place by rerunning the db schema creation script (create_mysql).

  I have tried deleting the ACID cache tables and rebuilding them, but it still didn't update the chache with the now over 700,000 alerts.  I can go to the "Cache and Status" page and see that the database has has a large number of alerts, but it shows 0 for the cached events.  Hit update alert cache and it adds 0 alerts to the cache.  Repair tables doesn't seem to do anything, nor does Rebuild Alert Cache from the same page.

  No software has been changed while I was gone. 

  Any other suggestions? 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020718/238c040f/attachment.html>

More information about the Snort-users mailing list