[Snort-users] RE: Barnyard not inserting on ACID tables in MySQL, just regular

Pedro Fortuna pedro.fortuna at ...11827...
Wed Sep 1 23:30:01 EDT 2004


I've just taken a peek at my two "blank" snort databases that I
attempted to get working with barnyard, and this is strange... but the
sensor table is completely empty in both..... so, there couldn't be a
last_cid field... this means that barnyard fails to create new sensor
entries... anyway, it seems there's a bug lying here in barnyard...

Pedro Fortuna


On Thu, 2 Sep 2004 12:53:33 +0900, Basselgia, Barry A Mr (NAF Atsugi)
<babasselgia at ...12104...> wrote:
> Pedro,
>
> I had a similar problem.  Tracked it down to the sensor table.  If Barnyard
> is logging to a new snort/acid database, this table doesn't seem to get
> populated.  If snort outputs directly to the database, it populates this
> table and the field last_cid is updated by snort.  For some reason barnyard
> doesn't seem to populate this table or update the last_cid field.
>
> I inserted records for each of my sensors into this table manually.  After
> that, acid started displaying all the alerts that barnyard had
> inserted into the database.
>
> Barry
>
> -----Original Message-----
> Date: Wed, 1 Sep 2004 19:06:43 +0100
> From: Pedro Fortuna <pedro.fortuna at ...11827...>
> Reply-To: Pedro Fortuna <pedro.fortuna at ...11827...>
> To: Dirk Geschke <dirk_geschke at ...1344...>
> Cc: snort-users at lists.sourceforge.net, barnyard-users at lists.sourceforge.net
> Subject: [Barnyard-users] Re: [Snort-users] Barnyard not inserting on ACID
> tables in MySQL, just regular snort ones
>
> Hello,
>
> You're right! Thanks Dirk! Acid tables are only populated by Acid
> itself. I've just double checked the mysqld log.
>
> I managed to get snort-barnyard-acid working. I told barnyard to log
> to the old mysql DB (the one that snort was inserting directly, prior
> to this setup), changed acid to work with the old DB, and it began
> working... why ? I don't know... I don't have any clue...
>
> Both old and newest DBs were created like this:
> - created blank database,
> - create snort mysql user
> - Give permissions to user,
> - snort's "contrib/create_mysql" script,
> - contrib/snortdb-extra.gz,
> - and finally the acid tables are created by Acid (setup option).
>
> Anyway, now it's working with the old DB, but two things are bothering me:
> - ACID isn't showing my custom rule's description, it just shows
> something like this in the alert "Snort Alert [1:1000002:0]" (1000002
> is the rule ID)
> - The event times are one hour late! An event at 3am shows 2am.
>
> If someone has a clue why Acid failed to insert the events in its tables
> (_using_ the blank DB) please say something, so that I can test it.
>
> Thanks,
> Pedro Fortuna
>
> On Wed, 01 Sep 2004 09:44:20 +0200, Dirk Geschke <dirk_geschke at ...1344...>
> wrote:
> > Hi Pedro,
> >
> > > I don't know why, but barnyard is not inserting on ACID tables in
> > > MySQL, and ACID does not show any alert.
> > >
> > > I'm pretty sure of:
> > > - snort is logging alerts correctly to unified log files
> > > - barnyard is able to read them and...
> > > - ... it is connecting to mysql correctly and....
> > > - it is inserting only on tables event,iphdr,tcphdr,data
> > >
> > > Don't know why:
> > > - barnyard is not inserting on acid specific tables (it must be
> > > because of this that ACID does not show anything!)
> >
> > that is easy to explain: Only ACID fills the acid tables...
> >
> > The acid output plugin of barnyard is used to fill the database
> > scheme which is used by acid. The acid tables are extensions made
> > by acid to the database and are mainly used for caching or building
> > up alert groups within acid.
> >
> > So don't blame barnyard for this...
> >
> > Best regards
> >
> > Dirk
> >
> >
>
>
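A check for the condition described in this thread (events logged, but no matching rows in the sensor table), as an added example that is not part of the original messages or of barnyard, snort or ACID. It runs against an in-memory SQLite stand-in with a reduced, assumed schema and constructed rows; the hostnames, interfaces and the choice of last_cid value are assumptions.

```python
import sqlite3

def build_constructed_db():
    """In-memory stand-in for the Snort DB; schema reduced, all rows constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT,
                             interface TEXT, last_cid INTEGER NOT NULL);
        CREATE TABLE event (sid INTEGER NOT NULL, cid INTEGER NOT NULL,
                            signature INTEGER, PRIMARY KEY (sid, cid));
    """)
    # Events exist for sensors 1 and 2, but the sensor table is empty.
    db.executemany("INSERT INTO event VALUES (?, ?, ?)",
                   [(1, 1, 10), (1, 2, 10), (1, 3, 11), (2, 1, 10)])
    return db

def orphaned_sensors(db):
    """Map sid -> (event count, highest cid) for events with no sensor row."""
    rows = db.execute("""
        SELECT e.sid, COUNT(*), MAX(e.cid)
        FROM event e LEFT JOIN sensor s ON s.sid = e.sid
        WHERE s.sid IS NULL
        GROUP BY e.sid ORDER BY e.sid""").fetchall()
    return {sid: (count, max_cid) for sid, count, max_cid in rows}

def add_missing_sensors(db, names):
    """Insert one sensor row per orphaned sid; last_cid is set to the
    highest cid already logged (an assumption about the right value)."""
    missing = orphaned_sensors(db)
    for sid, (_, max_cid) in missing.items():
        if sid not in names:
            raise KeyError(f"no hostname/interface supplied for sid {sid}")
        hostname, interface = names[sid]
        db.execute("INSERT INTO sensor (sid, hostname, interface, last_cid) "
                   "VALUES (?, ?, ?, ?)", (sid, hostname, interface, max_cid))
    db.commit()
    return sorted(missing)

if __name__ == "__main__":
    db = build_constructed_db()
    print("orphaned:", orphaned_sensors(db))
    # Hostnames and interfaces below are placeholders.
    print("added:", add_missing_sensors(db, {1: ("sensor-a", "eth0"),
                                             2: ("sensor-b", "eth1")}))
    print("orphaned after:", orphaned_sensors(db))
```

Against a real MySQL database the same LEFT JOIN can be run read-only first to confirm that missing sensor rows are the cause before anything is inserted.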
