[Snort-users] Barnyard not inserting on ACID tables in MySQL, just regular snort ones

Pedro Fortuna pedro.fortuna at ...11827...
Tue Aug 31 20:52:37 EDT 2004


Hello,

I don't know why, but barnyard is not inserting into the ACID tables in
MySQL, and ACID does not show any alert.

I'm pretty sure of:
- snort is logging alerts correctly to unified log files
- barnyard is able to read them and...
- ... it is connecting to mysql correctly and....
- it is inserting only into the tables event, iphdr, tcphdr, data

Don't know why:
- barnyard is not inserting into the ACID-specific tables (it must be
because of this that ACID does not show anything!)

Here's an excerpt of the MySQL query log (concerning a single alert):
040901  4:29:15       1 Connect     snort at ...274... on barnyard2
                     1 Query       SELECT sig_id FROM signature WHERE sig_name='Snort Alert [1:1000002:0]' AND sig_rev=0 AND sig_sid=1000002
                     1 Query       INSERT INTO event(sid, cid, signature, timestamp) VALUES('1', '11', '2', '2004-09-01 03:29:15')
                     1 Query       INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_csum) VALUES('1', '11', '3246931459', '3575048132', '6', '4', '5', '0', '63', '26381', '2', '0', '51', '9285')
                     1 Query       INSERT INTO tcphdr(sid, cid, tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp) VALUES('1', '11', '45825', '21', '4290730719', '2885246481', '8', '0', '24', '5840', '6608', '0')
                     1 Query       INSERT INTO data(sid, cid, data_payload) VALUES('1', '11', '5553455220726F6F740D0A')
-------------------------------

My config is very simple.
Snort.conf:
output alert_syslog: LOG_AUTH LOG_ALERT
output log_unified: filename snort.log, limit 128

barnyard.conf:
output log_acid_db: mysql, sensor_id 1, database barnyard2, server
localhost, user snort, password XXXXXXX, detail full

Please help!
Thanks
-pfeito
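As an added example (not part of the post, and not barnyard or ACID code), here is a small parser for the MySQL general query log format quoted above. It re-joins the hard-wrapped continuation lines a mail client produces, extracts which tables each query reads from or inserts into, and reports the tables an operator expected rows in but that never received an INSERT. The sample log is constructed from the post's excerpt; the list of expected tables (including `acid_event`, an ACID cache table name assumed here) is the operator's assumption, not something the log itself states.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the general-log lines quoted in the post, kept with the
# 80-column hard wrapping a mail client applies to long query lines.
SAMPLE_LOG = """\
040901  4:29:15       1 Connect     snort at ...274... on barnyard2
                     1 Query       SELECT sig_id FROM signature WHERE sig_name=
'Snort Alert [1:1000002:0]' AND sig_rev=0 AND sig_sid=1000002
                     1 Query       INSERT INTO event(sid, cid, signature, times
tamp) VALUES('1', '11', '2', '2004-09-01 03:29:15')
                     1 Query       INSERT INTO iphdr(sid, cid, ip_src, ip_dst,
ip_proto, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_c
sum) VALUES('1', '11', '3246931459', '3575048132', '6', '4', '5', '0', '63', '26
381', '2', '0', '51', '9285')
                     1 Query       INSERT INTO tcphdr(sid, cid, tcp_sport, tcp_
dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp
) VALUES('1', '11', '45825', '21', '4290730719', '2885246481', '8', '0', '24', '
5840', '6608', '0')
                     1 Query       INSERT INTO data(sid, cid, data_payload) VAL
UES('1', '11', '5553455220726F6F740D0A')
"""

# A general-log entry starts with an optional "YYMMDD H:MM:SS" timestamp, a
# thread id and a command word; any line that does not match this is a
# continuation of the previous entry.
ENTRY_RE = re.compile(
    r"^\s*(?:\d{6}\s+\d{1,2}:\d{2}:\d{2}\s+)?(\d+)\s+(Connect|Query|Quit)\b\s*(.*)$"
)
# SQL verbs that are followed by a table name, mapped to the access they imply.
TABLE_RE = re.compile(
    r"\b(INSERT\s+INTO|UPDATE|DELETE\s+FROM|FROM|JOIN)\s+`?([A-Za-z_][A-Za-z0-9_]*)`?",
    re.IGNORECASE,
)
ACCESS = {"INSERT INTO": "insert", "UPDATE": "update",
          "DELETE FROM": "delete", "FROM": "read", "JOIN": "read"}


def parse_entries(log_text: str, joiner: str = "") -> List[Dict[str, str]]:
    """Return the log as {thread, command, argument} dicts, gluing wrapped
    continuation lines back onto the entry they belong to."""
    entries: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"thread": m.group(1), "command": m.group(2),
                            "argument": m.group(3)})
        elif entries:
            # Mail wrapping splits tokens mid-word ("times" + "tamp"), so the
            # default joiner is empty; pass "\n" for a log with real newlines.
            entries[-1]["argument"] += joiner + line
    return entries


def tables_by_access(log_text: str) -> Dict[str, Set[str]]:
    """Map each access kind ('insert', 'read', ...) to the tables it touched."""
    result: Dict[str, Set[str]] = {}
    for entry in parse_entries(log_text):
        if entry["command"] != "Query":
            continue
        for verb, table in TABLE_RE.findall(entry["argument"]):
            kind = ACCESS[" ".join(verb.upper().split())]
            result.setdefault(kind, set()).add(table.lower())
    return result


def missing_inserts(log_text: str, expected: List[str]) -> List[str]:
    """Tables the operator expected rows in but which received no INSERT."""
    written = tables_by_access(log_text).get("insert", set())
    return sorted(t for t in expected if t.lower() not in written)


if __name__ == "__main__":
    print(tables_by_access(SAMPLE_LOG))
    # Expecting barnyard to fill acid_event is the poster's assumption; the
    # check only reports which expected tables the log never writes to.
    print(missing_inserts(SAMPLE_LOG,
                          ["event", "iphdr", "tcphdr", "data", "acid_event"]))
```

Run against a longer general-log capture, the `missing_inserts` result tells you in one line which tables a plugin actually writes, which is the first thing to establish before suspecting the database or the front end.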