[Snort-users] Problems with snort and B.A.S.E

Paul Schmehl pschmehl_lists at ...14358...
Tue Feb 10 22:12:49 EST 2009


--On February 10, 2009 7:09:30 PM -0600 Kaustubh Gadkari 
<kaustubh.gadkari at ...11827...> wrote:

>
> Hi,
>
> I have a process that continuously dumps pcap files into a directory.
> Periodically, I run snort on these files:
>
> snort -c /etc/snort/snort.conf --pcap-dir=/path/to/pcaps
>
> I have configured snort to write to a MySQL database. I have also
> confirmed that snort is writing to the database. Just to raise alerts,
> I have a rule 'alert tcp any any <> any any (sid:5;)'. I am using
> B.A.S.E (http://base.secureideas.net/) v1.4.1 to see the snort alerts.
>
> Here's the problem:
> When I run snort as described above, snort writes events to the snort
> database. I checked using 'select count(*) from event;', but the
> alerts do not show up in B.A.S.E. However, if I run snort on the
> interface:
>
> snort -c /etc/snort/snort.conf -i eth1
>
> things work i.e. I see snort writing to the database, and I see alerts
> on B.A.S.E.
>
> Am I missing a trick here?
>

Does your database include the tables that BASE requires?  IOW, did you 
run the create_base_tbls_mysql.sql script?

Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
******************************************
WARNING: Check the headers before replying
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pkcs7-signature
Size: 3822 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20090210/0578de6b/attachment.bin>


More information about the Snort-users mailing list