[Snort-users] view alerts in base

Juergen Leising juergen.leising at ...348...
Wed Apr 22 17:26:57 EDT 2009


On Wed, Apr 22, 2009 at 07:44:10AM +0000, Paul Schmehl <pschmehl_lists at ...14358...> wrote:

(...)
> Here's my operational system:
>
> mysql> select count(*) from event;
> +----------+
> | count(*) |
> +----------+
> |     6881 |
> +----------+
> 1 row in set (0.00 sec)
>
> mysql> select count(*) from acid_event;
> +----------+
> | count(*) |
> +----------+
> |     6880 |
> +----------+
> 1 row in set (0.00 sec)
>
> As you can see, the number of alerts is different.  Whether snort feeds
> mysql directly *or* barnyard parses the unified format and feeds mysql,
> the result is the same - events are entered into the *snort* database.
> The BASE install adds the four acid_* tables.  Those tables are fed by
> base, not by snort or barnyard.  So, if the snort db event table has
> entries but the acid_event table does not, the problem is BASE, not snort,
> mysql or barnyard.
(...)

Hello Paul,

You are right, there was indeed a bug in BASE, which should now
be fixed in current CVS:  none of those preprocessor alerts with
signature names that did NOT start with an "spp_" prefix found
their way into acid_event so far.  And from now on, error messages
appear for each event that does not get stored into acid_event.

Cf. http://sourceforge.net/scm/?type=cvs&group_id=103348

The module name would be "base-php4".  Or wait for the upcoming
BASE-1.4.2 release.

Bye, bye

Juergen
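The two count(*) queries quoted above only show that the tables disagree; the queries below, added here and not part of the original thread, pin down which events snort/barnyard wrote to `event` but BASE never copied into `acid_event`, and whether the missing ones are the preprocessor alerts without an "spp_" prefix that the reply describes. Column names (`event.sid`/`cid`/`signature`, `signature.sig_id`/`sig_name`, `acid_event.sid`/`cid`) are assumed from the standard Snort database schema; the thread itself shows none of them.

```sql
-- Added example, not from the thread. Assumes the standard Snort DB schema:
--   event(sid, cid, signature, timestamp)  written by snort or barnyard
--   signature(sig_id, sig_name, ...)        signature lookup table
--   acid_event(sid, cid, ...)               written by BASE only
-- (sid, cid) identifies one event in both event and acid_event.

-- 1. The discrepancy as one number: events with no acid_event row.
--    On the quoted system this should return 1 (6881 - 6880).
SELECT COUNT(*) AS missing_in_acid_event
  FROM event e
  LEFT JOIN acid_event a ON a.sid = e.sid AND a.cid = e.cid
 WHERE a.cid IS NULL;

-- 2. List the orphaned events with their signature names, so the
--    operator can see what BASE skipped instead of guessing.
SELECT e.sid, e.cid, e.timestamp, s.sig_name
  FROM event e
  JOIN signature s ON s.sig_id = e.signature
  LEFT JOIN acid_event a ON a.sid = e.sid AND a.cid = e.cid
 WHERE a.cid IS NULL
 ORDER BY e.timestamp;

-- 3. Split the orphans by whether the signature name starts with
--    "spp_". The underscore is a LIKE wildcard in MySQL, so it is
--    escaped; a non-empty "0" bucket matches the bug Juergen fixed.
SELECT (s.sig_name LIKE 'spp\_%') AS has_spp_prefix,
       COUNT(*)                    AS missing
  FROM event e
  JOIN signature s ON s.sig_id = e.signature
  LEFT JOIN acid_event a ON a.sid = e.sid AND a.cid = e.cid
 WHERE a.cid IS NULL
 GROUP BY has_spp_prefix;
```

After upgrading BASE and letting it re-import, query 1 returning 0 confirms the two tables are back in step.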

More information about the Snort-users mailing list