[Snort-users] Mysql is collecting data from snort, Acid won't display it.

Wally Bedford wbedford at ...4171...
Sun Feb 15 06:07:03 EST 2004


Looks like it is all running, but I'm pretty new to this.  I ran the
snort command on the sensor box with the -T command and it stated that
all was well.  I was having some database permission issues earlier,
that's squared away now.  The snort user and acid users have the proper
permissions on the snort and archive databases.  I'm wondering now if I
should kill the databases and reinvent them from the create script
again.  By the way, what table should contain the alert information?

Wally.

The /var/log/daemon from the sensor...


Feb 13 12:38:58 sniffy snort: OpenPcap() device fxp0 network lookup: fxp0: no IPv4 address assigned
Feb 13 12:38:58 sniffy snort: Initializing daemon mode
Feb 13 12:38:58 sniffy snort: PID path stat checked out ok, PID path set to /var/run/
Feb 13 12:38:58 sniffy snort: Writing PID "3976" to file "/var/run//snort_fxp0.pid"
Feb 13 12:38:58 sniffy snort: http_decode arguments:
Feb 13 12:38:58 sniffy snort:     Unicode decoding
Feb 13 12:38:58 sniffy snort:     IIS alternate Unicode decoding
Feb 13 12:38:58 sniffy snort:     IIS double encoding vuln
Feb 13 12:38:58 sniffy snort:     Flip backslash to slash
Feb 13 12:38:58 sniffy snort:     Include additional whitespace separators
Feb 13 12:38:58 sniffy snort:     Ports to decode http on: 80
Feb 13 12:38:58 sniffy snort: rpc_decode arguments:
Feb 13 12:38:58 sniffy snort:     Ports to decode RPC on: 111 32771
Feb 13 12:38:58 sniffy snort:     alert_fragments: INACTIVE
Feb 13 12:38:58 sniffy snort:     alert_large_fragments: ACTIVE
Feb 13 12:38:58 sniffy snort:     alert_incomplete: ACTIVE
Feb 13 12:38:58 sniffy snort:     alert_multiple_requests: ACTIVE
Feb 13 12:38:58 sniffy snort: telnet_decode arguments:
Feb 13 12:38:58 sniffy snort:     Ports to decode telnet on: 21 23 25 119
Feb 13 12:38:58 sniffy barnyard: Loading Data Processors...
Feb 13 12:38:58 sniffy barnyard: dp_alert loaded
Feb 13 12:38:58 sniffy barnyard: dp_log loaded
Feb 13 12:38:58 sniffy barnyard: dp_stream_stat loaded
Feb 13 12:38:58 sniffy barnyard: Loading Built-in Output Plugins...
Feb 13 12:38:58 sniffy barnyard: Fast Alert plugin initialized
Feb 13 12:38:58 sniffy barnyard: AlertSyslog initialized
Feb 13 12:38:58 sniffy barnyard: Log Dump plugin initialized
Feb 13 12:38:58 sniffy barnyard: LogPcap initialized
Feb 13 12:38:58 sniffy barnyard: AcidDb output plugin initialized
Feb 13 12:38:58 sniffy barnyard: AlertCSV initialized
Feb 13 12:38:58 sniffy barnyard: Parsing Config file: /etc/snort/barnyard.conf
Feb 13 12:38:58 sniffy barnyard: Args: mysql, sensor_id 1, database snort, server 127.0.0.1, user snort, password whateverword
Feb 13 12:38:58 sniffy barnyard: Args: mysql, sensor_id 1, database snort, server 127.0.0.1, user snort, password whateverword, detail full
Feb 13 12:38:58 sniffy barnyard: Initializing daemon mode
Feb 13 12:38:59 sniffy barnyard: Barnyard Version 0.1.0 (Build 17) started
Feb 13 12:38:59 sniffy barnyard: AcidDbOpStart
Feb 13 12:39:00 sniffy barnyard: OpAcidDB configuration details
Feb 13 12:39:00 sniffy barnyard: Database Flavour: mysql
Feb 13 12:39:00 sniffy barnyard: Detail Level: Full
Feb 13 12:39:00 sniffy barnyard: Database Server: 127.0.0.1
Feb 13 12:39:00 sniffy barnyard: Database User: snort
Feb 13 12:39:00 sniffy barnyard: SensorID: 1
Feb 13 12:39:00 sniffy barnyard: AcidDbOpStart Complete
Feb 13 12:39:08 sniffy snort: Snort initialization completed successfully


Snort is collecting data...
-rw-------  1 root      snortman   980453 Feb 13 12:29 snort.log.1076622815
-rw-------  1 root      snortman  1935472 Feb 15 08:29 snort.log.1076693938


data in the mysql database...
mysql> select count(*) from data;
+----------+
| count(*) |
+----------+
|     9694 |
+----------+
1 row in set (0.00 sec)
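The following diagnostic queries are an added example for this thread, not something any of the posters wrote. They address the question above about which table holds the alerts: in the Snort database schema (version 106, as ACID reports) each alert is a row in `event`, keyed by sensor id `sid` and counter `cid`, while `data` only stores packet payloads, so a count of `data` rows does not by itself show that ACID has anything to list. ACID builds its "time window" from `event.timestamp`. The queries assume the database is named `snort` and was created from the stock create script (tables `sensor`, `event`, `signature`, `iphdr`, `data` with their standard columns), and that the ACID login is `'acid'@'localhost'`; the host part is an assumption. Subqueries are avoided so the statements also run on MySQL 3.23.

```sql
-- Added example (not from the thread): diagnostic queries against the
-- Snort/ACID MySQL schema (version 106). Assumptions: database `snort`,
-- stock table layout, ACID login 'acid'@'localhost' (host is a guess).

USE snort;

-- 1. Alerts live in `event`; `data` holds only payloads. Compare the
--    counts: events present but zero iphdr/signature rows points at the
--    barnyard output stage, not at ACID.
SELECT COUNT(*) AS events      FROM event;
SELECT COUNT(*) AS payloads    FROM data;
SELECT COUNT(*) AS ip_headers  FROM iphdr;
SELECT COUNT(*) AS signatures  FROM signature;

-- 2. ACID derives its time window from event.timestamp. NULL or zero
--    timestamps leave it with no usable window, which shows up in the
--    console as "no alerts detected".
SELECT
    sid,
    COUNT(*)                                AS alerts,
    MIN(timestamp)                          AS first_seen,
    MAX(timestamp)                          AS last_seen,
    SUM(timestamp IS NULL OR timestamp = 0) AS bad_timestamps
FROM event
GROUP BY sid;

-- 3. Every event must reference a sensor row and a signature row;
--    orphaned events do not appear in the ACID alert listing.
SELECT e.sid, e.cid, e.signature
FROM event e
LEFT JOIN sensor    s ON s.sid    = e.sid
LEFT JOIN signature g ON g.sig_id = e.signature
WHERE s.sid IS NULL OR g.sig_id IS NULL
LIMIT 20;

-- 4. The sensor row barnyard writes to (sensor_id 1 in the log above);
--    last_cid should keep growing while alerts are being inserted.
SELECT sid, hostname, interface, detail, encoding, last_cid FROM sensor;

-- 5. Confirm the ACID login can read the alert tables. A grant limited
--    to a single table or to the wrong database is visible here.
SHOW GRANTS FOR 'acid'@'localhost';
```

Run these as a user with read access to the `snort` database (for query 5, as a user with privileges to view grants). If query 1 returns zero `event` rows while `data` is populated, the sensor is writing payloads but not the alert records ACID reads; if events exist but `bad_timestamps` is non-zero, the timestamps on the sensor side are the next place to look.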
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Michael
Steele
Sent: Saturday, February 14, 2004 6:28 PM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Mysql is collecting data from snort, Acid
won't display it.

Are you SURE snort is running? Are you SURE there are even any alerts in
the alert.ids file? Are you SURE there are no error messages in your error
log depicting what might be wrong?

Kindest regards, 

The WINSNORT.com Management Team
-- 
Pick up your FREE Windows or UNIX Snort installation guides       
mailto:support at ...9077...
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> admin at lists.sourceforge.net] On Behalf Of Wally Bedford
> Sent: Saturday, February 14, 2004 2:58 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Mysql is collecting data from snort, Acid won't
> display it.
> 
> I have a sensor with snort-2.0.0p1-mysql going to an acid console
> running mysql-server-3.23.57p1 and Acid version 0.9.6b23.
> 
> Acid opens without an error, and I went through the setup databases
> page.  All was fine.  I can see all sorts of alerts in the
> acid_maintenance.php page, which shows...
> 
> Alert Information Cache
> Total Events: 6256   Cached Events: 0
> 
> But no alerts show up.  The acid_main.php page shows...
> 
> Added 0 alert(s) to the Alert cache
> 
> Queried on : Fri February 13, 2004 16:16:30
> Database: snort at ...274...    (schema version: 106)
> Time window: no alerts detected
> 
> 
> My configuration is pretty vanilla, just basic changes to the
> acid_conf.php file to reflect the local setup.
> 
> Any ideas on where to look would sure be welcome,
> 
> Wally
> 
> 
> 
> 
> -------------------------------------------------------
> SF.Net is sponsored by: Speed Start Your Linux Apps Now.
> Build and deploy apps & Web services for Linux with
> a free DVD software kit from IBM. Click Now!
> http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




