[Snort-users] view alerts in base

David Kingsly davidkingsly at ...3147...
Wed Apr 22 20:00:50 EDT 2009


Yes, the numbers do not match.  I'll check the BASE configuration.
mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|      848 | 
+----------+
1 row in set (0.00 sec)

mysql> select count(*) from acid_event;
+----------+
| count(*) |
+----------+
|        0 | 
+----------+
1 row in set (0.00 sec)

mysql> 

On Tue, 2009-04-21 at 21:38 -0500, Paul Schmehl wrote:
> --On April 21, 2009 8:45:01 PM -0500 David Kingsly 
> <davidkingsly at ...3147...> wrote:
> 
> >
> > So even though I see alerts in mysql, the issue is between snort 2.8.4
> > and mysql?  Not between BASE and mysql?  From looking at my tables
> > before I installed BASE, and after I see that BASE added some items.  I
> > just don't get why alerts are not collected.  I'll look at barnyard
> > documentation. Thank you.  I do not have ACID installed. The procedures
> > that I am following on Ubuntu do not call for it.
> 
> The name acid is a legacy from the software that BASE is derived from.
> 
> Here's my operational system:
> 
> mysql> select count(*) from event;
> +----------+
> | count(*) |
> +----------+
> |     6881 |
> +----------+
> 1 row in set (0.00 sec)
> 
> mysql> select count(*) from acid_event;
> +----------+
> | count(*) |
> +----------+
> |     6880 |
> +----------+
> 1 row in set (0.00 sec)
> 
> As you can see the number of alerts is different.  Whether snort feeds 
> mysql directly *or* barnyard parses the unified format and feeds mysql, 
> the result is the same - events are entered into the *snort* database. 
> The BASE install adds the four acid_* tables.  Those tables are fed by 
> base, not by snort or barnyard.  So, if the snort db event table has 
> entries but the acid_event table does not, the problem is BASE not snort, 
> mysql or barnyard.
> 
> Check your BASE configuration.  There is something wrong with it.  It 
> could be the username, password, hostname or something else, but BASE is 
> not connecting to the db to parse the events and populate its tables.
> 
> There is a section that looks like this:
> 
> $alert_dbname   = 'snort';
> $alert_host     = 'localhost';
> $alert_port     = '';
> $alert_user     = 'snort';
> $alert_password = 'password';
> 
> That section *must* match the dbname of your db plus the correct port 
> plus the correct user and password or base will not function correctly. 
> If localhost doesn't work, use 127.0.0.1.  (Localhost *should* be defined 
> in your hosts file, but many people miss that detail.  In that case, 
> localhost does not resolve to 127.0.0.1.)
> 
> If you have logging enabled in mysql, you should be able to see the errors 
> and figure out why it's not working.
> 
> If it's working correctly, you should see entries like this:
> 
> 090418  0:04:15     280 Init DB     snort
>                     280 Query       SELECT vseq FROM `schema`
>                     280 Init DB     snort
>                     280 Query       SELECT vseq FROM `schema`
>                     280 Query       SELECT ip_src FROM iphdr LIMIT 0, 1
>                     280 Query       SHOW TABLES
>                     280 Query       SHOW TABLES
>                     280 Query       SHOW TABLES
>                     280 Query       SHOW TABLES
>                     280 Query       SHOW TABLES
>                     280 Query       SHOW TABLES
>                     280 Query       SELECT count(*) FROM sensor
>                     280 Query       SELECT sid FROM sensor
>                     280 Query       SELECT MAX(cid) FROM event WHERE 
> sid='1'
>                     280 Query       SELECT MAX(cid) FROM acid_event WHERE 
> sid='1'
>                     280 Query       SELECT count(*) FROM acid_event where 
> sid = '1'
>                     280 Query       INSERT INTO acid_event 
> (sid,cid,signature,timestamp,
>                              ip_src,ip_dst,ip_proto,
>                              layer4_sport,layer4_dport,
>                              sig_name, sig_priority, sig_class_id)
> 
> Note that a SELECT on the event table is followed by an INSERT into 
> acid_event.  That is done by BASE (when it's working correctly.)
> 
> Paul Schmehl, If it isn't already
> obvious, my opinions are my own
> and not those of my employer.
> ******************************************
> WARNING: Check the headers before replying
> 
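
The checks Paul walks through above (does acid_event lag behind event, do the $alert_* settings in base_conf.php point at the right database and credentials, does the MySQL general log show BASE's SELECT on event followed by an INSERT into acid_event) can be scripted. The following is an added example for this list archive, not code from the thread, from BASE or from Snort. It assumes the old-style MySQL general-log layout quoted in the message (a connection id, a command word, then the statement); the base_conf.php fragment and the log lines it reads are constructed sample data, and the "Access denied" Connect line stands in for what a wrong password produces.

```python
"""Diagnose an empty acid_event table from base_conf.php and the MySQL general log.

Added example (not BASE/Snort code). Two checks the reply above describes by hand:
  1. pull the $alert_* settings out of base_conf.php and compare them with the
     name/user of the database that snort or barnyard actually writes to;
  2. group general-log entries by connection id and look for BASE's signature:
     SELECT MAX(cid) FROM event ... followed by INSERT INTO acid_event.
All input below is constructed for the example.
"""
import re
from collections import defaultdict

# Constructed base_conf.php fragment; the variable names are the ones BASE uses.
BASE_CONF = r"""
$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'password';
"""

# Constructed general-log excerpt: connection 280 is a working BASE session,
# 281 is a login with a bad password, 282 reads event but never inserts.
SAMPLE_LOG = """\
090418  0:04:15     280 Connect     snort@localhost on snort
                    280 Init DB     snort
                    280 Query       SELECT vseq FROM `schema`
                    280 Query       SELECT MAX(cid) FROM event WHERE
sid='1'
                    280 Query       SELECT MAX(cid) FROM acid_event WHERE
sid='1'
                    280 Query       INSERT INTO acid_event
(sid,cid,signature,timestamp,
                             ip_src,ip_dst,ip_proto)
                    280 Quit
090418  0:05:02     281 Connect     Access denied for user 'snort'@'localhost' (using password: YES)
                    282 Connect     snort@localhost on snort
                    282 Init DB     snort
                    282 Query       SELECT MAX(cid) FROM event WHERE sid='1'
                    282 Quit
"""

ALERT_RE = re.compile(r"^\s*\$(alert_\w+)\s*=\s*'([^']*)'\s*;", re.M)
# optional "YYMMDD H:MM:SS" timestamp, connection id, command, argument
LOG_RE = re.compile(
    r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s+(\d+)\s+(Init DB|Connect|Query|Quit)\s*(.*)$"
)


def parse_base_conf(text):
    """Return {'alert_dbname': 'snort', ...} from a base_conf.php fragment."""
    return dict(ALERT_RE.findall(text))


def check_base_conf(conf, expected_db="snort", expected_user="snort"):
    """List mismatches between base_conf.php and the database snort writes to.
    expected_* are what you know from the mysql side (here the thread's names)."""
    problems = []
    if conf.get("alert_dbname") != expected_db:
        problems.append("alert_dbname %r is not the snort db %r" % (conf.get("alert_dbname"), expected_db))
    if conf.get("alert_user") != expected_user:
        problems.append("alert_user %r is not the db user %r" % (conf.get("alert_user"), expected_user))
    if not conf.get("alert_password"):
        problems.append("alert_password is empty")
    return problems


def parse_general_log(text):
    """Group general-log entries by connection id as {cid: [[command, argument], ...]}.
    Lines that do not start a new entry (a statement wrapped onto the next line)
    are appended to the preceding entry's argument."""
    entries = defaultdict(list)
    last = None
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            cid, cmd, arg = m.groups()
            entries[cid].append([cmd, arg.strip()])
            last = entries[cid][-1]
        elif last is not None and line.strip():
            last[1] += " " + line.strip()
    return entries


def classify_connections(entries):
    """Label each connection: auth failure, working BASE, BASE that read but
    never wrote, or something other than BASE."""
    status = {}
    for cid, items in entries.items():
        queries = [arg.upper() for cmd, arg in items if cmd == "Query"]
        denied = [arg for cmd, arg in items if cmd == "Connect" and "access denied" in arg.lower()]
        if denied:
            status[cid] = "auth failure: " + denied[0]
        elif any(q.startswith("INSERT INTO ACID_EVENT") for q in queries):
            status[cid] = "BASE inserted into acid_event (working)"
        elif any("MAX(CID) FROM EVENT" in q for q in queries):
            status[cid] = "BASE read event but never inserted into acid_event"
        else:
            status[cid] = "not a BASE session"
    return status


if __name__ == "__main__":
    conf = parse_base_conf(BASE_CONF)
    print("base_conf.php problems:", check_base_conf(conf) or "none")
    for cid, verdict in sorted(classify_connections(parse_general_log(SAMPLE_LOG)).items()):
        print("connection %s: %s" % (cid, verdict))
```

Run it against your own base_conf.php and the general log (`log = /var/log/mysql/mysql.log` or whatever your my.cnf names) by replacing the two constructed strings; a connection that shows "Access denied" confirms the credential mismatch Paul describes, while one that reads event but never inserts points at BASE itself rather than at snort, barnyard or mysql. If $alert_host is 'localhost' and the log shows no Connect at all, try 127.0.0.1 as the message suggests.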
