[Snort-users] Barnyard not inserting on ACID tables in MySQL, just regular snort ones
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Thu Sep 2 05:10:02 EDT 2004
--On 02 September 2004 10:38 +0100 Pedro Fortuna <pedro.fortuna at ...11827...>
> On Thu, 02 Sep 2004 09:24:31 +0100, Alex Butcher, ISC/ISYS
> <alex.butcher at ...11254...> wrote:
>> --On 01 September 2004 19:06 +0100 Pedro Fortuna
>> <pedro.fortuna at ...11827...> wrote:
>> > Anyway, now its working with the old DB, but two things are bodering
>> > me: - ACID isn't showing my custom rule's description, it just shows
>> > something like this in the alert "Snort Alert [1:1000002:0]" (1000002
>> > is the rule ID)
>> I had this problem when I was using mudpit, and mudpit couldn't find
>> sid-msg.map and gen-msg.map. I haven't used barnyard, and I'm using FLoP
>> now, but maybe your problem has the same root.
> Well, the rules that werent showing up the descriptiont were my custom
> rules. I didnt knew I must also add the description to sid-msg.map.
> That's understood now.
Cool. Happy to help. If you trawl the list archives, you'll find a script
from me that rebuilds sid-msg.map.
>> > - The events time are one our late! An event at 3am shows 2am.
>> Probably a timezone or daylight savings time thing; I think all events
>> are logged as UTC (i.e. GMT+0). Are you in western Europe, by chance?
> I'm on GMT+0 (London,Lisbon,... it seems we are in the same timezone),
> but the thing is that my system "date" output (Ive only noticed this
> now) shows something like this:
> Thu Sep 2 10:13:02 WEST 2004
WEST (Western European Standard Time, presumably) is not the same thing as
GMT+0/UTC. UTC doesn't have daylight savings time (i.e. forward an hour at
the beginning of summer), WEST and GMT0BST do. So 10:13 GMT is actually
11:13 WEST/GMT0BST right now. In winter, 10:13 GMT will be 10:13
> Shouldn't it say "GMT or UTC" ?
> I try set it to GMT or UTC, but all it does is adding one hour, and
> maintaining the "WEST":
># date --set="thu Sep 2 10:13:00 GMT 2004"
> Thu Sep 2 11:13:00 WEST 2004
You need to play with your TZ environment variable. This is usually set in
the system initscripts somewhere. On Red Hat and derived distros, you can
run timeconfig as root to set it system-wide.
IMHO, logs are best stored with GMT+0 timestamps across your entire
enterprise, as this makes it easier to compare logs from different systems
(some of which will probably have broken or missing timezone support). This
is a common practice at ISPs, for instance.
> So i set it up back to 10:13 WEST. I have to check this thing again later.
>> > If someone has a clue why Acid failed to insert the events in its
>> > tables (_using_ the blank DB) please say something, so that I can test
>> > it.
>> Did you run create_acid_tbls_mysql.sql from the ACID distribution?
> No, I used snortdb-extra.gz in snort distribution, which must be the
> same thing.
No, it's not. Glad you've fixed the problem, anyway.
> -Pedro Fortuna
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
More information about the Snort-users