[Snort-users] Snort/Honeynet console database errors?

Dan Siff dsiff at ...12656...
Wed Nov 10 10:54:06 EST 2004


I have a question regarding porting snort events into the Honeynet security 
console (from Activeworx).  I am running Snort on a linux box (InMon is 
porting sflow data into Snort) and using ACID as a front end without any 
problems.  I'm now trying to get a Honeynet console set up on an adjacent 
Windows system, but have hit a snag that I have no idea how to fix.  I seem 
to have everything set up correctly regarding the Honeynet databases and 
permissions - the aw_hsc primary database seems OK, and the idsevents 
database that I set up to have Snort dump into seems to be working OK as 
well (tables are populating with data, seems normal).  The problem is when 
I go to view events in Honeynet - there are no events.  Looking at the 
'Event Overview' I'm showing 620 events, 31 unique events.  The summary 
graphs all work, showing the breakdown of data.  It's just that when you 
try to look at the data, there's nothing there (such as clicking on 'Unique 
Events' should show you a list of events, instead it's blank, saying 'No 
Events').

I tried running a trace and discovered that there is apparently a database 
error, but I have no idea how to correct it.  I was hoping someone on this 
list might have run into this.  Here are the details:

When running a 'Unique Events' query, the initial MySQL requests all seem 
to go fine until this:

(mySQL request):
  SELECT CONCAT('2:', event.sid, ':', event.cid) AS 'Event 
ID',  CAST(signature.sig_priority AS CHAR) AS 'Priority', sig_name AS 
'Event Name', CAST(ip_proto AS CHAR) AS 'Protocol', INET_NTOA(iphdr.ip_src) 
AS 'Src IP', COALESCE(tcphdr.tcp_sport, udphdr.udp_sport) AS 'Src Port', '' 
AS 'Src Country', INET_NTOA(iphdr.ip_dst) AS 'Dst IP', 
COALESCE(tcphdr.tcp_dport, udphdr.udp_dport) AS 'Dst Port', sensor.hostname 
AS 'Sensor', event.timestamp AS 'Timestamp' FROM event LEFT JOIN signature 
ON (event.signature = signature.sig_id) LEFT JOIN sensor ON (event.sid = 
sensor.sid) LEFT JOIN iphdr ON ((event.cid = iphdr.cid) AND (event.sid = 
iphdr.sid)) LEFT JOIN tcphdr ON ((event.cid = tcphdr.cid) AND (event.sid = 
tcphdr.sid)) LEFT JOIN udphdr ON ((event.cid = udphdr.cid) AND (event.sid = 
udphdr.sid)) WHERE (event.sid = '1') ORDER BY event.timestamp DESC LIMIT 
1000 ‰

(mySQL response):
(You have an error in your SQL syntax near '(signature.sig_priority AS 
CHAR) AS 'Priority', sig_name AS 'Event Name', CAST(i' at line 1

The only thing I can decipher from this (this is a guess) is that sig_name 
falls under the signature table - so maybe it should be referenced as 
'signature.sig_name' instead of just 'sig_name' ?

If anyone can help, I would really appreciate any input.
Regards,
Dan Siff
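The query quoted in the mail, rerun as an added example (not part of the original post, nor Honeynet or Activeworx code) against a small SQLite copy of the Snort tables it references. The table layouts are just the Snort DB columns the statement itself names; the rows, hostnames and signature names are constructed sample data, and two small Python shims stand in for MySQL's CONCAT and INET_NTOA, which SQLite lacks. It shows two things worth checking before touching the console: the unqualified sig_name is not ambiguous, because only the signature table carries that column, so writing signature.sig_name would not change anything; and the statement as written parses and returns the expected rows on an engine that understands CAST(... AS CHAR), which is exactly the token the MySQL error message stops at (MySQL itself only gained CAST() in 4.0.2).

```python
"""Rerun the Honeynet Security Console 'Unique Events' query from the mail
against a small SQLite copy of the Snort tables it references.

Added example, not part of the original post or of the Honeynet/Activeworx
code. The table layouts are the Snort DB columns the query names; the rows,
hostnames and signature names are constructed sample data."""
import socket
import sqlite3
import struct

# The statement as quoted in the mail (line wrapping removed, trailing junk dropped).
HSC_UNIQUE_EVENTS_QUERY = """
SELECT CONCAT('2:', event.sid, ':', event.cid) AS 'Event ID',
       CAST(signature.sig_priority AS CHAR) AS 'Priority', sig_name AS 'Event Name',
       CAST(ip_proto AS CHAR) AS 'Protocol', INET_NTOA(iphdr.ip_src) AS 'Src IP',
       COALESCE(tcphdr.tcp_sport, udphdr.udp_sport) AS 'Src Port', '' AS 'Src Country',
       INET_NTOA(iphdr.ip_dst) AS 'Dst IP',
       COALESCE(tcphdr.tcp_dport, udphdr.udp_dport) AS 'Dst Port',
       sensor.hostname AS 'Sensor', event.timestamp AS 'Timestamp'
FROM event
LEFT JOIN signature ON (event.signature = signature.sig_id)
LEFT JOIN sensor ON (event.sid = sensor.sid)
LEFT JOIN iphdr ON ((event.cid = iphdr.cid) AND (event.sid = iphdr.sid))
LEFT JOIN tcphdr ON ((event.cid = tcphdr.cid) AND (event.sid = tcphdr.sid))
LEFT JOIN udphdr ON ((event.cid = udphdr.cid) AND (event.sid = udphdr.sid))
WHERE (event.sid = '1')
ORDER BY event.timestamp DESC LIMIT 1000
"""


def mysql_concat(*args):
    """Shim for MySQL CONCAT: NULL if any argument is NULL, else the joined text."""
    if any(a is None for a in args):
        return None
    return "".join(str(a) for a in args)


def mysql_inet_ntoa(addr):
    """Shim for MySQL INET_NTOA: 32-bit unsigned integer -> dotted quad."""
    if addr is None:
        return None
    return socket.inet_ntoa(struct.pack("!I", int(addr)))


def setup_snort_db():
    """Build an in-memory Snort-style database holding constructed sample events."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("CONCAT", -1, mysql_concat)
    conn.create_function("INET_NTOA", 1, mysql_inet_ntoa)
    conn.executescript("""
        CREATE TABLE sensor   (sid INTEGER PRIMARY KEY, hostname TEXT);
        CREATE TABLE signature(sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
        CREATE TABLE event    (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                               PRIMARY KEY (sid, cid));
        CREATE TABLE iphdr    (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                               ip_proto INTEGER, PRIMARY KEY (sid, cid));
        CREATE TABLE tcphdr   (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER,
                               PRIMARY KEY (sid, cid));
        CREATE TABLE udphdr   (sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER,
                               PRIMARY KEY (sid, cid));
    """)
    src = 0x0A000005   # 10.0.0.5     (constructed address)
    dst = 0xC0A8010A   # 192.168.1.10 (constructed address)
    conn.execute("INSERT INTO sensor VALUES (1, 'sensor-1')")
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?)", [
        (1, "ICMP PING", 3), (2, "WEB-MISC probe", 2), (3, "DNS query", 2)])
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", [
        (1, 1, 1, "2004-11-10 09:58:01"),   # ICMP: no tcp/udp row, so ports stay NULL
        (1, 2, 2, "2004-11-10 09:59:30"),   # TCP to port 80
        (1, 3, 3, "2004-11-10 10:01:15")])  # UDP to port 53
    conn.executemany("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)", [
        (1, 1, src, dst, 1), (1, 2, src, dst, 6), (1, 3, src, dst, 17)])
    conn.execute("INSERT INTO tcphdr VALUES (1, 2, 43210, 80)")
    conn.execute("INSERT INTO udphdr VALUES (1, 3, 5353, 53)")
    conn.commit()
    return conn


def run_unique_events(conn):
    """Run the console's query unchanged and return its rows, newest first."""
    return conn.execute(HSC_UNIQUE_EVENTS_QUERY).fetchall()


def tables_with_column(conn, column):
    """Tables that carry a column of this name. More than one would make an
    unqualified reference ambiguous; exactly one means qualifying it is optional."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    return [t for t in tables
            if any(c[1] == column for c in conn.execute(f"PRAGMA table_info({t})"))]


if __name__ == "__main__":
    db = setup_snort_db()
    print("tables with sig_name:", tables_with_column(db, "sig_name"))
    print("tables with sid:", tables_with_column(db, "sid"))
    for row in run_unique_events(db):
        print(row)
```

Run it as-is and the three constructed events come back with IPs decoded and ports NULL for the ICMP row, which is the shape the console expects to render; sid shows up in five tables (so every sid reference in the query is qualified), while sig_name shows up in one. That narrows the failure to the server's SQL parser rather than the statement, which is what the error position already suggests.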