[Snort-users] view alerts in base

Paul Schmehl pschmehl_lists at ...14358...
Tue Apr 21 22:38:17 EDT 2009


--On April 21, 2009 8:45:01 PM -0500 David Kingsly 
<davidkingsly at ...3147...> wrote:

>
> So even though I see alerts in mysql, the issue is between snort 2.8.4
> and mysql?  Not between BASE and mysql?  From looking at my tables
> before I installed BASE, and after I see that BASE added some items.  I
> just don't get why alerts are not collected.  I'll look at barnyard
> documentation. Thank you.  I do not have ACID installed. The procedures
> that I am following on Ubuntu do not call for it.

The name acid is a legacy from the software that BASE is derived from.

Here's my operational system:

mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|     6881 |
+----------+
1 row in set (0.00 sec)

mysql> select count(*) from acid_event;
+----------+
| count(*) |
+----------+
|     6880 |
+----------+
1 row in set (0.00 sec)

As you can see the number of alerts is different.  Whether snort feeds 
mysql directly *or* barnyard parses the unified format and feeds mysql, 
the result is the same - events are entered into the *snort* database. 
The BASE install adds the four acid_* tables.  Those tables are fed by 
base, not by snort or barnyard.  So, if the snort db event table has 
entries but the acid_event table does not, the problem is BASE not snort, 
mysql or barnyard.

Check your BASE configuration.  There is something wrong with it.  It 
could be the username, password, hostname or something else, but BASE is 
not connecting to the db to parse the events and populate its tables.

There is a section that looks like this:

$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'password';

That section *must* match the dbname of your db plus the correct port 
plus the correct user and password or BASE will not function correctly. 
If localhost doesn't work, use 127.0.0.1.  (Localhost *should* be defined 
in your hosts file, but many people miss that detail.  In that case, 
localhost does not resolve to 127.0.0.1.)

If you have logging enabled in mysql, you should be able to see the errors 
and figure out why it's not working.

If it's working correctly, you should see entries like this:

090418  0:04:15     280 Init DB     snort
                    280 Query       SELECT vseq FROM `schema`
                    280 Init DB     snort
                    280 Query       SELECT vseq FROM `schema`
                    280 Query       SELECT ip_src FROM iphdr LIMIT 0, 1
                    280 Query       SHOW TABLES
                    280 Query       SHOW TABLES
                    280 Query       SHOW TABLES
                    280 Query       SHOW TABLES
                    280 Query       SHOW TABLES
                    280 Query       SHOW TABLES
                    280 Query       SELECT count(*) FROM sensor
                    280 Query       SELECT sid FROM sensor
                    280 Query       SELECT MAX(cid) FROM event WHERE sid='1'
                    280 Query       SELECT MAX(cid) FROM acid_event WHERE sid='1'
                    280 Query       SELECT count(*) FROM acid_event where sid = '1'
                    280 Query       INSERT INTO acid_event 
(sid,cid,signature,timestamp,
                             ip_src,ip_dst,ip_proto,
                             layer4_sport,layer4_dport,
                             sig_name, sig_priority, sig_class_id)

Note that a SELECT on the event table is followed by an INSERT into 
acid_event.  That is done by BASE (when it's working correctly).

Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
******************************************
WARNING: Check the headers before replying
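The count comparison Paul walks through above, turned into a small diagnostic, as an added example that is not part of the original post. It uses an in-memory sqlite3 database as a constructed stand-in for the snort MySQL database (same table and column names, far fewer columns), and the `max_lag` tolerance of one event is an assumption based on the 6881/6880 figures in the post.

```python
import sqlite3

# Constructed stand-in for the snort database: sqlite3 in memory, with only
# the columns this check needs. The real snort/BASE schema has many more.
SCHEMA = """
CREATE TABLE sensor     (sid INTEGER PRIMARY KEY, hostname TEXT);
CREATE TABLE event      (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE acid_event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
"""

def build_sample_db(event_rows, acid_rows):
    """Create an in-memory db with one sensor (sid=1) and the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor VALUES (1, 'ids01')")
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", event_rows)
    conn.executemany("INSERT INTO acid_event VALUES (?,?,?,?)", acid_rows)
    return conn

def diagnose(conn, max_lag=1):
    """Apply the reasoning from the post: snort or barnyard fill `event`,
    BASE fills `acid_event`. Returns (verdict, counts). max_lag is an assumed
    tolerance; a working system can legitimately be one event behind."""
    cur = conn.cursor()
    n_event = cur.execute("SELECT count(*) FROM event").fetchone()[0]
    n_acid = cur.execute("SELECT count(*) FROM acid_event").fetchone()[0]
    lag = {}
    # Same per-sensor MAX(cid) comparison that BASE runs in the mysql log above.
    for (sid,) in cur.execute("SELECT sid FROM sensor").fetchall():
        max_ev = cur.execute("SELECT MAX(cid) FROM event WHERE sid=?", (sid,)).fetchone()[0] or 0
        max_ac = cur.execute("SELECT MAX(cid) FROM acid_event WHERE sid=?", (sid,)).fetchone()[0] or 0
        lag[sid] = max_ev - max_ac
    if n_event == 0:
        verdict = "snort-or-barnyard"   # nothing reaches the snort db at all
    elif n_acid == 0:
        verdict = "base"                # events exist, BASE never populated its tables
    elif max(lag.values()) > max_lag:
        verdict = "base-stalled"        # BASE worked once, then stopped catching up
    else:
        verdict = "ok"
    return verdict, {"event": n_event, "acid_event": n_acid, "lag": lag}

if __name__ == "__main__":
    # Constructed sample: five alerts from sensor 1, none processed by BASE.
    ev = [(1, cid, 1000 + cid, "2009-04-18 00:04:15") for cid in range(1, 6)]
    print(diagnose(build_sample_db(ev, [])))
    print(diagnose(build_sample_db(ev, ev[:-1])))
```

Against a live system the same three SELECTs run unchanged through the mysql client; only the connection line differs.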
