[Snort-users] Snort/Honeynet console database errors?
dsiff at ...12656...
Wed Nov 10 10:54:06 EST 2004
I have a question regarding porting snort events into the Honeynet security
console (from Activeworx). I am running Snort on a linux box (InMon is
porting sflow data into Snort) and using ACID as a front end without any
problems. I'm now trying to get a Honeynet console set up on an adjacent
Windows system, but have hit a snag that I have no idea how to fix. I seem
to have everything set up correctly regarding the Honeynet databases and
permissions - the aw_hsc primary database seems OK, and the idsevents
database that I set up to have Snort dump into seems to be working OK as
well (tables are populating with data, seems normal). The problem is when
I go to view events in Honeynet - there are no events. Looking at the
'Event Overview' I'm showing 620 events, 31 unique events. The summary
graphs all work, showing the breakdown of data. It's just that when you
try to look at the data, there's nothing there (such as clicking on 'Unique
Events' should show you a list of events, instead it's blank, saying 'No
I tried running a trace and discovered that there is apparently a database
error, but I have no idea how to correct it. I was hoping someone on this
list might have run into this. Here are the details:
When running a 'Unique Events' query, the initial MySQL requests all seem
to go fine until this:
SELECT CONCAT('2:', event.sid, ':', event.cid) AS 'Event ID',
  CAST(signature.sig_priority AS CHAR) AS 'Priority',
  sig_name AS 'Event Name',
  CAST(ip_proto AS CHAR) AS 'Protocol',
  INET_NTOA(iphdr.ip_src) AS 'Src IP',
  COALESCE(tcphdr.tcp_sport, udphdr.udp_sport) AS 'Src Port',
  '' AS 'Src Country',
  INET_NTOA(iphdr.ip_dst) AS 'Dst IP',
  COALESCE(tcphdr.tcp_dport, udphdr.udp_dport) AS 'Dst Port',
  sensor.hostname AS 'Sensor',
  event.timestamp AS 'Timestamp'
FROM event
  LEFT JOIN signature ON (event.signature = signature.sig_id)
  LEFT JOIN sensor ON (event.sid = sensor.sid)
  LEFT JOIN iphdr ON ((event.cid = iphdr.cid) AND (event.sid = iphdr.sid))
  LEFT JOIN tcphdr ON ((event.cid = tcphdr.cid) AND (event.sid = tcphdr.sid))
  LEFT JOIN udphdr ON ((event.cid = udphdr.cid) AND (event.sid = udphdr.sid))
WHERE (event.sid = '1')
ORDER BY event.timestamp DESC LIMIT

(You have an error in your SQL syntax near '(signature.sig_priority AS CHAR) AS 'Priority', sig_name AS 'Event Name', CAST(i' at line 1)
The only thing I can decipher from this (this is a guess) is that sig_name
falls under the signature table - so maybe it should be referenced as
'signature.sig_name' instead of just 'sig_name'?
If anyone can help, I would really appreciate any input.
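To check the console query's join logic offline, here is an added example (not code from the original post, from Snort or from Activeworx) that rebuilds the Snort schema columns the query touches in an in-memory SQLite database with constructed rows, registers stand-ins for the MySQL-only functions INET_NTOA and CONCAT, and runs the posted SELECT; the LIMIT value of 50 is an assumption, since it is cut off in the post.

```python
import sqlite3
import socket
import struct

# Constructed sample data: the Snort tables (only the columns the console query
# touches); event 1 is ICMP with no tcphdr/udphdr row, event 2 is TCP.
SCHEMA = """
CREATE TABLE sensor (sid INT, hostname TEXT);
CREATE TABLE signature (sig_id INT, sig_name TEXT, sig_priority INT);
CREATE TABLE event (sid INT, cid INT, signature INT, timestamp TEXT);
CREATE TABLE iphdr (sid INT, cid INT, ip_src INT, ip_dst INT, ip_proto INT);
CREATE TABLE tcphdr (sid INT, cid INT, tcp_sport INT, tcp_dport INT);
CREATE TABLE udphdr (sid INT, cid INT, udp_sport INT, udp_dport INT);
INSERT INTO sensor VALUES (1, 'sensor-a');
INSERT INTO signature VALUES (10, 'ICMP PING', 3), (11, 'WEB-MISC probe', 2);
INSERT INTO event VALUES (1, 1, 10, '2004-11-10 10:00:00'),
                         (1, 2, 11, '2004-11-10 10:01:00');
INSERT INTO iphdr VALUES (1, 1, 3232235777, 3232235778, 1),  -- 192.168.1.1 -> .2
                         (1, 2, 3232235777, 3232235778, 6);
INSERT INTO tcphdr VALUES (1, 2, 40000, 80);
"""

# The console's 'Unique Events' SELECT as posted; LIMIT 50 is an assumption.
UNIQUE_EVENTS = """
SELECT CONCAT('2:', event.sid, ':', event.cid) AS 'Event ID',
  CAST(signature.sig_priority AS CHAR) AS 'Priority', sig_name AS 'Event Name',
  CAST(ip_proto AS CHAR) AS 'Protocol', INET_NTOA(iphdr.ip_src) AS 'Src IP',
  COALESCE(tcphdr.tcp_sport, udphdr.udp_sport) AS 'Src Port', '' AS 'Src Country',
  INET_NTOA(iphdr.ip_dst) AS 'Dst IP',
  COALESCE(tcphdr.tcp_dport, udphdr.udp_dport) AS 'Dst Port',
  sensor.hostname AS 'Sensor', event.timestamp AS 'Timestamp'
FROM event LEFT JOIN signature ON (event.signature = signature.sig_id)
LEFT JOIN sensor ON (event.sid = sensor.sid)
LEFT JOIN iphdr ON ((event.cid = iphdr.cid) AND (event.sid = iphdr.sid))
LEFT JOIN tcphdr ON ((event.cid = tcphdr.cid) AND (event.sid = tcphdr.sid))
LEFT JOIN udphdr ON ((event.cid = udphdr.cid) AND (event.sid = udphdr.sid))
WHERE (event.sid = ?) ORDER BY event.timestamp DESC LIMIT 50
"""


def unique_events(sid=1):
    """Run the console query for one sensor id; returns the result rows."""
    con = sqlite3.connect(":memory:")
    # SQLite lacks the MySQL functions INET_NTOA and CONCAT, so register stand-ins.
    con.create_function("INET_NTOA", 1, lambda n: socket.inet_ntoa(struct.pack("!I", n)))
    con.create_function("CONCAT", -1, lambda *parts: "".join(str(p) for p in parts))
    con.executescript(SCHEMA)
    return con.execute(UNIQUE_EVENTS, (sid,)).fetchall()
```

On this engine the statement parses and returns one row per event, with NULL ports for the ICMP event because of the LEFT JOINs; CAST() itself only became available in MySQL 4.0.2, so a server older than that rejects the statement at exactly the point the posted error message shows.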