[Snort-users] view alerts in base

Joel Esler jesler at ...1935...
Wed Apr 22 07:51:34 EDT 2009


You have to use "backticks" for the schema table.
select * from `schema`;

Joel

On Tue, Apr 21, 2009 at 9:40 PM, David Kingsly <davidkingsly at ...3147...>wrote:

> I can not do the query.  I see the table, but it does not work...
> mysql> show tables;
> +------------------+
> | Tables_in_snort  |
> +------------------+
> | acid_ag          |
> | acid_ag_alert    |
> | acid_event       |
> | acid_ip_cache    |
> | base_roles       |
> | base_users       |
> | data             |
> | detail           |
> | encoding         |
> | event            |
> | icmphdr          |
> | iphdr            |
> | opt              |
> | reference        |
> | reference_system |
> | schema           |
> | sensor           |
> | sig_class        |
> | sig_reference    |
> | signature        |
> | tcphdr           |
> | udphdr           |
> +------------------+
> 22 rows in set (0.00 sec)
>
> mysql> select * from 'schema';
> ERROR 1064 (42000): You have an error in your SQL syntax; check the
> manual that corresponds to your MySQL server version for the right
> syntax to use near ''schema'' at line 1
> mysql> select * from schema;
> ERROR 1064 (42000): You have an error in your SQL syntax; check the
> manual that corresponds to your MySQL server version for the right
> syntax to use near 'schema' at line 1
> mysql> select * from schema;
> ERROR 1064 (42000): You have an error in your SQL syntax; check the
> manual that corresponds to your MySQL server version for the right
> syntax to use near 'schema' at line 1
> mysql>
>
>
>
> On Mon, 2009-04-20 at 17:19 -0400, Lee Clemens wrote:
> > Can you send the output of
> >
> > select * from `schema`;
> >
> >
> > -----Original Message-----
> > From: David Kingsly [mailto:davidkingsly at ...3147...]
> > Sent: Sunday, April 19, 2009 10:45 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] view alerts in base
> >
> > Just to add to this previous post.  I do not seem to have a sensor id in
> > my table.  I saw some posts regarding this being the reason for alerts
> > not showing up in BASE:
> > mysql> show tables;
> > +------------------+
> > | Tables_in_snort  |
> > +------------------+
> > | acid_ag          |
> > | acid_ag_alert    |
> > | acid_event       |
> > | acid_ip_cache    |
> > | base_roles       |
> > | base_users       |
> > | data             |
> > | detail           |
> > | encoding         |
> > | event            |
> > | icmphdr          |
> > | iphdr            |
> > | opt              |
> > | reference        |
> > | reference_system |
> > | schema           |
> > | sensor           |
> > | sig_class        |
> > | sig_reference    |
> > | signature        |
> > | tcphdr           |
> > | udphdr           |
> > +------------------+
> > 22 rows in set (0.00 sec)
> >
> > mysql> select * from sensor;
> > Empty set (0.00 sec)
> >
> > I do however see alerts in the mysql database.
> >
> >
> > On Sun, 2009-04-19 at 13:27 -0400, David Kingsly wrote:
> > > Greetings-
> > >   I see alerts in mysql and in alerts folder in /var/logs/snort.  But
> > > base page is blank. I checked mysql by logging in using the same
> > > account, and password, and I did select * on some tables.  But they do
> > > not show up in Base.  Is there a log file I can look at?  How can I find
> > > out what is wrong please?  Here are some logs I suspect:
> > >
> > > daemon.log:Apr 19 10:47:08 thunder snort[21347]:     Target-based
> > > policy: WINDOWS
> > > daemon.log:Apr 19 10:47:14 thunder snort[21351]: database: inconsistent
> > > cid information for sid=1
> > > daemon.log.0:Apr 12 12:04:26 thunder snort[20659]:     Target-based
> > > policy: WINDOWS
> > > daemon.log.0:Apr 12 12:11:02 thunder snort[20755]:     Target-based
> > > policy: WINDOWS
> > > daemon.log.0:Apr 12 12:13:04 thunder snort[20763]:     Target-based
> > > policy: WINDOWS
> > > daemon.log.0:Apr 12 12:13:41 thunder snort[20962]:     Target-based
> > > policy: WINDOWS
> > > daemon.log.0:Apr 12 15:23:24 thunder snort[29865]:     Target-based
> > > policy: WINDOWS
> > > daemon.log.0:Apr 16 20:58:11 thunder snort[5993]:     Target-based
> > > policy: WINDOWS
> > > daemon.log.0:Apr 16 20:58:18 thunder snort[5993]: database: inconsistent
> > > cid information for sid=1
> > > daemon.log.0:Apr 16 21:35:48 thunder snort[5967]:     Target-based
> > > policy: WINDOWS
> > > daemon.log.0:Apr 16 21:35:55 thunder snort[5967]: database: inconsistent
> > > cid information for sid=1
> > >
> > >
> > >
> > >
> >
> > > ------------------------------------------------------------------------------
> > > Stay on top of everything new and different, both inside and
> > > around Java (TM) technology - register by April 22, and save
> > > $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
> > > 300 plus technical and hands-on sessions. Register today.
> > > Use priority code J9JMT32. http://p.sf.net/sfu/p
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> >
>
>
>



-- 
joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
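As an added example (not code from the thread, nor from Snort or BASE), here are the two checks this thread points at, written in Python against an in-memory SQLite copy of the relevant tables: building the `select * from \`schema\`;` statement with the identifier properly quoted and validated, and looking for events whose sid has no sensor row or whose sensor counter disagrees with the event table. SQLite stands in for MySQL and accepts the same backtick-quoted identifiers, so the statements are the ones you would run on the real server; the column names (sensor.sid, sensor.last_cid, event.sid, event.cid) follow the classic Snort database schema, and every row is constructed to mirror the thread (events under sid=1, an empty sensor table).

```python
"""Consistency checks for a Snort/BASE database, written as an added example.

This code is not from the thread, Snort or BASE. It uses SQLite (stdlib) as a
stand-in for MySQL so it runs offline; SQLite accepts the same backtick-quoted
identifiers, so the statements are the ones you would run on the real server.
Table and column names (sensor.sid, sensor.last_cid, event.sid, event.cid)
follow the classic Snort database schema; every row below is constructed.
"""
import re
import sqlite3

# Allowlist of table names taken from the poster's `show tables` output, so a
# table name arriving from config or a web form is never spliced in unchecked.
SNORT_TABLES = frozenset({
    "acid_ag", "acid_ag_alert", "acid_event", "acid_ip_cache", "base_roles",
    "base_users", "data", "detail", "encoding", "event", "icmphdr", "iphdr",
    "opt", "reference", "reference_system", "schema", "sensor", "sig_class",
    "sig_reference", "signature", "tcphdr", "udphdr",
})
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_ident(name):
    """Return a backtick-quoted MySQL identifier.

    SCHEMA is a reserved word in MySQL: `select * from schema` is a syntax
    error, and 'schema' in single quotes is a string literal, not a table, so
    it fails too. Backticks force the parser to read the token as an
    identifier. Names outside the allowlist (or containing anything but
    [A-Za-z0-9_]) are rejected rather than quoted.
    """
    if name not in SNORT_TABLES or not _IDENT.match(name):
        raise ValueError("refusing to quote unknown table %r" % (name,))
    return "`%s`" % name


def select_all(table):
    """Build the statement suggested in the thread, for any allowlisted table."""
    return "SELECT * FROM %s;" % quote_ident(table)


def build_sample_db():
    """Constructed data mirroring the thread: three events logged under sid=1,
    but no row at all in `sensor` (the poster's select returned 'Empty set')."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE `sensor` (sid INTEGER PRIMARY KEY, hostname TEXT,
                               interface TEXT, last_cid INTEGER);
        CREATE TABLE `event`  (sid INTEGER, cid INTEGER, signature INTEGER,
                               timestamp TEXT, PRIMARY KEY (sid, cid));
        CREATE TABLE `schema` (vseq INTEGER, ctime TEXT);
        -- vseq 0 is a placeholder, not a real Snort schema version
        INSERT INTO `schema` VALUES (0, '2009-04-19 10:47:08');
        INSERT INTO `event`  VALUES (1, 1, 1, '2009-04-19 10:47:14');
        INSERT INTO `event`  VALUES (1, 2, 1, '2009-04-19 10:47:15');
        INSERT INTO `event`  VALUES (1, 3, 2, '2009-04-19 10:47:16');
    """)
    return con


def orphan_events(con):
    """Map sid -> number of events whose sid has no `sensor` row.

    BASE joins `event` with `sensor`, so such events are invisible in the
    console even though `select * from event` shows them, which is the
    symptom the poster describes.
    """
    rows = con.execute("""
        SELECT e.sid, COUNT(*) FROM `event` e
        LEFT JOIN `sensor` s ON s.sid = e.sid
        WHERE s.sid IS NULL
        GROUP BY e.sid
    """).fetchall()
    return {sid: n for sid, n in rows}


def cid_mismatches(con):
    """List (sid, sensor.last_cid, max event.cid) where the two disagree.

    Snort's database output plugin logs 'database: inconsistent cid
    information for sid=N' (seen in the poster's daemon.log) when the
    sensor counter and the highest cid in `event` do not match; with the
    sensor row missing entirely, last_cid comes back as None.
    """
    return con.execute("""
        SELECT e.sid, s.last_cid, MAX(e.cid) FROM `event` e
        LEFT JOIN `sensor` s ON s.sid = e.sid
        GROUP BY e.sid, s.last_cid
        HAVING s.last_cid IS NULL OR s.last_cid <> MAX(e.cid)
    """).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print(select_all("schema"), "->", db.execute(select_all("schema")).fetchall())
    print("events with no sensor row:", orphan_events(db))
    print("cid mismatches (sid, last_cid, max cid):", cid_mismatches(db))
```

Run it as a script to see the three results; on a real Snort MySQL database the same two queries (minus the sample data) tell you whether BASE is blank because the sensor row is missing or because the counters have drifted, before you touch anything.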