[Snort-users] Snort data not being populated to Acid

pfeito pfeito at ...3422...
Tue Aug 31 21:32:14 EDT 2004


I've just had this problem also. In my case, I was trying to set up
barnyard, so I prepared a new blank database for barnyard to use.

After that, Acid was showing nothing! I verified that barnyard was inserting
into some tables but not into the Acid ones... The lines below are taken from
the MySQL query log.

040901  5:16:41      77 Query       SELECT sig_id FROM signature WHERE sig_name='Snort Alert [1:1000002:0]' AND sig_rev=0 A$
                     77 Query       INSERT INTO event(sid, cid, signature, timestamp) VALUES('1', '458', '28', '2004-09-01 $
                     77 Query       INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto, ip_ver, ip_hlen, ip_tos, ip_len, $
                     77 Query       INSERT INTO tcphdr(sid, cid, tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, $
                     77 Query       INSERT INTO data(sid, cid, data_payload) VALUES('1', '458', '5553455220726F6F740D0A')

After exhausting all my clues, I configured barnyard to insert into the
original database, the one that I was using until the moment I began playing
with barnyard, and I was surprised to see that barnyard was correctly
inserting into all tables! Don't know what the hell made the difference, but
it began working. Maybe this is a strange bug... caused by the Acid tables
being empty, but that alone... can't be it.

The only minor problem I saw later is that ACID isn’t showing my custom
rule's description; it just shows something like this in the alert:
Snort Alert [1:1000002:0] (you can see it also in the SQL log lines above).
It does not get the sig_name right...

Bottom line, I managed to get it working, but I don’t know the exact reason;
maybe it’s a bug.

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jose Maria Lopez
> Sent: Sunday, 29 August 2004 18:04
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort data not being populated to Acid
>
> On Sun, 29-08-2004 at 16:10, Jeff Heckart wrote:
> > Hello,
> > I just set up snort 2.2.0, and am trying to get ACID working.  I
> > currently have events sitting in the snort event table, but I have no
> > data in acid.  I have granted my db user account admin.
> > What could I be overlooking?
> >
> > Thanks,
> > Jeff
> I suppose you have created the tables correctly and you have the correct
> data in the config file to connect to the database, so if all seems
> right you should use something like ethereal to see if data is
> being sent from the snort daemon to the database daemon. Also you can
> check the database logs and the snort logs for errors.
> --
> Jose Maria Lopez Hernandez
> Technical Director of bgSEC
> jkerouac at ...12346...
> bgSEC Seguridad y Consultoria de Sistemas Informaticos
> http://www.bgsec.com
> The only people for me are the mad ones -- the ones who are mad to live,
> mad to talk, mad to be saved, desirous of everything at the same time,
> the ones who never yawn or say a commonplace thing, but burn, burn, burn
> like fabulous yellow Roman candles.
>                 -- Jack Kerouac, "On the Road"
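The check described in the message (reading the MySQL query log to see which tables barnyard actually writes to) can be scripted. The following is an added example, not part of the original post and not code from barnyard or ACID; the sample log is constructed in the layout quoted above, and `statements`, `audit` and the expected-table set are hypothetical names chosen here.

```python
import re
from collections import Counter

# Constructed sample in the layout of the query log quoted in the post:
# optional "YYMMDD H:MM:SS" stamp, thread id, command, statement (may wrap).
SAMPLE_LOG = """\
040901  5:16:41      77 Query       SELECT sig_id FROM signature WHERE
sig_name='Snort Alert [1:1000002:0]' AND sig_rev=0
                     77 Query       INSERT INTO event(sid, cid, signature,
timestamp) VALUES('1', '458', '28', '2004-09-01 05:16:41')
                     77 Query       INSERT INTO iphdr(sid, cid, ip_proto) VALUES('1', '458', '6')
                     77 Query       INSERT INTO data(sid, cid, data_payload)
VALUES('1', '458', '5553455220726F6F740D0A')
"""

ENTRY = re.compile(r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+(Query|Connect|Quit|Init DB)\b\s*(.*)$")
INSERT = re.compile(r"INSERT\s+INTO\s+`?(\w+)`?", re.I)
PAYLOAD = re.compile(r"INSERT\s+INTO\s+`?data\b.*'((?:[0-9A-Fa-f]{2})+)'\s*\)\s*$", re.I)

def statements(log_text):
    """Yield (thread_id, sql) for each Query entry, rejoining wrapped lines."""
    current = None
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            if current:
                yield current
            current = (int(m.group(1)), m.group(3).strip()) if m.group(2) == "Query" else None
        elif current and line.strip():
            current = (current[0], current[1] + " " + line.strip())
    if current:
        yield current

def audit(log_text, expected_tables):
    """Return (insert counts per table, expected tables with no insert, payloads)."""
    counts, payloads = Counter(), []
    for _thread, sql in statements(log_text):
        m, p = INSERT.match(sql), PAYLOAD.match(sql)
        if m:
            counts[m.group(1).lower()] += 1
        if p:
            payloads.append(bytes.fromhex(p.group(1)))  # data_payload is hex-encoded
    return counts, sorted(set(expected_tables) - set(counts)), payloads

if __name__ == "__main__":
    counts, missing, payloads = audit(SAMPLE_LOG, {"event", "iphdr", "tcphdr", "data"})
    print("inserts per table:", dict(counts))
    print("expected but never written:", missing)
    print("decoded payloads:", payloads)
```

Statements that the log truncated (the lines ending in `$` above) still count toward their table, but a truncated payload is skipped rather than decoded.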