[Snort-users] view alerts in base

David Kingsly davidkingsly at ...3147...
Tue Apr 21 21:40:03 EDT 2009


I cannot do the query.  I see the table, but it does not work...
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| acid_ag          | 
| acid_ag_alert    | 
| acid_event       | 
| acid_ip_cache    | 
| base_roles       | 
| base_users       | 
| data             | 
| detail           | 
| encoding         | 
| event            | 
| icmphdr          | 
| iphdr            | 
| opt              | 
| reference        | 
| reference_system | 
| schema           | 
| sensor           | 
| sig_class        | 
| sig_reference    | 
| signature        | 
| tcphdr           | 
| udphdr           | 
+------------------+
22 rows in set (0.00 sec)

mysql> select * from 'schema';
ERROR 1064 (42000): You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near ''schema'' at line 1
mysql> select * from schema;
ERROR 1064 (42000): You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near 'schema' at line 1
mysql> select * from schema;
ERROR 1064 (42000): You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near 'schema' at line 1
mysql> 



On Mon, 2009-04-20 at 17:19 -0400, Lee Clemens wrote:
> Can you send the output of
> 
> select * from `schema`;
> 
> 
> -----Original Message-----
> From: David Kingsly [mailto:davidkingsly at ...3147...] 
> Sent: Sunday, April 19, 2009 10:45 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] view alerts in base
> 
> Just to add to this previous post.  I do not seem to have a sensor id in
> my table.  I saw some posts regarding this being the reason for alerts
> not showing up in BASE:
> mysql> show tables;
> +------------------+
> | Tables_in_snort  |
> +------------------+
> | acid_ag          | 
> | acid_ag_alert    | 
> | acid_event       | 
> | acid_ip_cache    | 
> | base_roles       | 
> | base_users       | 
> | data             | 
> | detail           | 
> | encoding         | 
> | event            | 
> | icmphdr          | 
> | iphdr            | 
> | opt              | 
> | reference        | 
> | reference_system | 
> | schema           | 
> | sensor           | 
> | sig_class        | 
> | sig_reference    | 
> | signature        | 
> | tcphdr           | 
> | udphdr           | 
> +------------------+
> 22 rows in set (0.00 sec)
> 
> mysql> select * from sensor;
> Empty set (0.00 sec)
> 
> I do, however, see alerts in the MySQL database.
> 
> 
> On Sun, 2009-04-19 at 13:27 -0400, David Kingsly wrote:
> > Greetings-
> >   I see alerts in MySQL and in the alerts folder in /var/logs/snort.  But
> > the BASE page is blank. I checked MySQL by logging in using the same
> > account and password, and I did select * on some tables.  But they do
> > not show up in BASE.  Is there a log file I can look at?  How can I find
> > out what is wrong, please?  Here are some logs I suspect:
> > 
> > daemon.log:Apr 19 10:47:08 thunder snort[21347]:     Target-based
> > policy: WINDOWS 
> > daemon.log:Apr 19 10:47:14 thunder snort[21351]: database: inconsistent
> > cid information for sid=1 
> > daemon.log.0:Apr 12 12:04:26 thunder snort[20659]:     Target-based
> > policy: WINDOWS 
> > daemon.log.0:Apr 12 12:11:02 thunder snort[20755]:     Target-based
> > policy: WINDOWS 
> > daemon.log.0:Apr 12 12:13:04 thunder snort[20763]:     Target-based
> > policy: WINDOWS 
> > daemon.log.0:Apr 12 12:13:41 thunder snort[20962]:     Target-based
> > policy: WINDOWS 
> > daemon.log.0:Apr 12 15:23:24 thunder snort[29865]:     Target-based
> > policy: WINDOWS 
> > daemon.log.0:Apr 16 20:58:11 thunder snort[5993]:     Target-based
> > policy: WINDOWS 
> > daemon.log.0:Apr 16 20:58:18 thunder snort[5993]: database: inconsistent
> > cid information for sid=1 
> > daemon.log.0:Apr 16 21:35:48 thunder snort[5967]:     Target-based
> > policy: WINDOWS 
> > daemon.log.0:Apr 16 21:35:55 thunder snort[5967]: database: inconsistent
> > cid information for sid=1 
> > 
> > 
> > 





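Added example, not part of the original thread: the two statements that fail above do so because `schema` is a reserved word in MySQL and single quotes create a string literal, so the table name has to be quoted with backticks as in the quoted request. The queries below go beyond that one statement and put the values the thread discusses side by side (the empty sensor table, the cid message for sid=1, and what BASE has cached). Column names assume the stock Snort MySQL schema (`schema.vseq`, `sensor.last_cid`, `event.sid`/`event.cid`) and that BASE builds `acid_event` from `event`.

```sql
-- Added diagnostic example; column names assume the stock Snort MySQL schema.
USE snort;

-- 1. `schema` is a reserved word, so it must be quoted as an identifier
--    with backticks. 'schema' in single quotes is a string literal and
--    bare schema is parsed as the keyword; both give ERROR 1064.
SELECT vseq, ctime FROM `schema`;

-- 2. Events whose sensor id (sid) has no matching row in sensor.
--    With an empty sensor table, every event row shows up here.
SELECT e.sid,
       COUNT(*)   AS orphaned_events,
       MAX(e.cid) AS max_event_cid
FROM event AS e
LEFT JOIN sensor AS s ON s.sid = e.sid
WHERE s.sid IS NULL
GROUP BY e.sid;

-- 3. For sensors that are registered, show the stored last_cid next to
--    the highest cid actually present in event, so a mismatch for a
--    given sid is visible directly.
SELECT s.sid,
       s.hostname,
       s.interface,
       s.last_cid,
       MAX(e.cid) AS max_event_cid
FROM sensor AS s
LEFT JOIN event AS e ON e.sid = s.sid
GROUP BY s.sid, s.hostname, s.interface, s.last_cid;

-- 4. Compare the raw alert count written by Snort with the number of
--    rows in BASE's acid_event table (assumption: BASE displays from
--    acid_event). Raw events with zero cached rows means the alerts
--    reached MySQL but were never picked up by BASE.
SELECT (SELECT COUNT(*) FROM event)      AS raw_events,
       (SELECT COUNT(*) FROM acid_event) AS base_cached_events;
```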