[Snort-users] Barnyard not inserting on ACID tables in MySQL, just regular snort ones

Pedro Fortuna pedro.fortuna at ...11827...
Thu Sep 2 02:39:21 EDT 2004


On Thu, 02 Sep 2004 09:24:31 +0100, Alex Butcher, ISC/ISYS
<alex.butcher at ...11254...> wrote:
> 
> 
> --On 01 September 2004 19:06 +0100 Pedro Fortuna <pedro.fortuna at ...11827...>
> wrote:
> 
> > Anyway, now it's working with the old DB, but two things are bothering me:
> > - ACID isn't showing my custom rule's description, it just shows
> > something like this in the alert "Snort Alert [1:1000002:0]" (1000002
> > is the rule ID)
> 
> I had this problem when I was using mudpit, and mudpit couldn't find
> sid-msg.map and gen-msg.map. I haven't used barnyard, and I'm using FLoP
> now, but maybe your problem has the same root.
Well, the rules that weren't showing the description were my custom
rules. I didn't know I must also add the description to sid-msg.map.
That's understood now.

> 
> > The event times are one hour late! An event at 3am shows 2am.
> 
> Probably a timezone or daylight savings time thing; I think all events are
> logged as UTC (i.e. GMT+0). Are you in western Europe, by chance?
I'm on GMT+0 (London, Lisbon, ... it seems we are in the same timezone),
but the thing is that my system "date" output (I've only noticed this
now) shows something like this:
Thu Sep  2 10:13:02 WEST 2004

Shouldn't it say "GMT" or "UTC"?
I tried setting it to GMT or UTC, but all it does is add one hour, and
keep the "WEST":
# date --set="thu Sep 2 10:13:00 GMT 2004"
Thu Sep  2 11:13:00 WEST 2004 

So I set it back to 10:13 WEST. I have to check this thing again later.

> 
> > If someone has a clue why Acid failed to insert the events in its tables
> > (_using_ the blank DB) please say something, so that I can test it.
> 
> Did you run create_acid_tbls_mysql.sql from the ACID distribution?
No, I used snortdb-extra.gz from the snort distribution, which must be the
same thing.
The problem was barnyard related. A certain keyword in barnyard.conf
(i.e. sensor_id) caused it not to perform all the database operations it
needs to (e.g. create a sensor entry in the sensor table). So later, ACID
couldn't find any sensor entry in the DB, thus failing to see the
already inserted events.
Answer: removing "sensor_id" from barnyard.conf resolves the
problem (tip from Dirk Geschke).
-Pedro Fortuna
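Since the custom rules in the thread needed sid-msg.map entries before ACID would display anything better than "Snort Alert [1:1000002:0]", here is an added example (not from the thread, and not code from the Snort or Barnyard projects) that generates those entries from a local rules file and reports which sids an existing map still lacks. The local.rules and sid-msg.map contents are constructed samples; the map layout assumed is the classic `SID || MSG [|| REF ...]` form that barnyard.conf points at with its `config sid-msg-map:` directive.

```python
"""Generate sid-msg.map entries for custom Snort rules and check an existing map.

Added example, not from the original thread or the Snort/Barnyard projects.
Assumes the classic sid-msg.map layout:  SID || MSG [|| REF ...]
"""
import re

# Constructed sample local.rules (not from the thread). The third rule has no
# sid, so it cannot be mapped; Snort would reject such a rule anyway.
LOCAL_RULES = """\
# local.rules - site-specific signatures
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH brute force attempt"; \\
    flow:to_server,established; threshold:type threshold, track by_src, count 5, seconds 60; \\
    reference:url,example.com/ssh; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 161 (msg:"LOCAL SNMP probe"; sid:1000003; rev:2;)
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL no sid rule";)
"""

# Constructed sample of a sid-msg.map that already knows one of the two sids.
EXISTING_MAP = """\
# sid-msg.map (constructed sample)
1000002 || LOCAL SSH brute force attempt || url,example.com/ssh
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
REF_RE = re.compile(r'\breference\s*:\s*([^;]+);')


def iter_logical_rules(text):
    """Yield one string per rule, joining backslash continuations, skipping comments."""
    buf = []
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf.append(line.rstrip()[:-1])
            continue
        buf.append(line)
        rule = "".join(buf).strip()
        buf = []
        if rule and not rule.startswith("#"):
            yield rule


def parse_rules(text):
    """Return {sid: (msg, [refs])} for every rule carrying both sid and msg."""
    rules = {}
    for rule in iter_logical_rules(text):
        sid_m = SID_RE.search(rule)
        msg_m = MSG_RE.search(rule)
        if not sid_m or not msg_m:
            continue  # nothing to map; ACID would only ever show the bare generator/sid
        refs = [r.strip() for r in REF_RE.findall(rule)]
        rules[int(sid_m.group(1))] = (msg_m.group(1), refs)
    return rules


def sid_msg_map_lines(rules):
    """Render entries as 'SID || MSG [|| REF ...]', sorted by sid for stable diffs."""
    out = []
    for sid in sorted(rules):
        msg, refs = rules[sid]
        out.append(" || ".join([str(sid), msg] + refs))
    return out


def missing_from_map(rules, existing_map_text):
    """Return the sids from the rule set that an existing sid-msg.map does not list."""
    present = set()
    for line in existing_map_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split("||", 1)[0].strip()
        if first.isdigit():
            present.add(int(first))
    return sorted(set(rules) - present)


if __name__ == "__main__":
    rules = parse_rules(LOCAL_RULES)
    for entry in sid_msg_map_lines(rules):
        print(entry)
    print("sids missing from existing map:", missing_from_map(rules, EXISTING_MAP))
```

Append the lines for the missing sids to the sid-msg.map that barnyard.conf references and restart barnyard; entries only take effect for alerts processed after the reload, so rows already in the database keep whatever signature text was stored for them.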



