[Snort-users] Problems with snort and B.A.S.E
pschmehl_lists at ...14358...
Tue Feb 10 22:12:49 EST 2009
--On February 10, 2009 7:09:30 PM -0600 Kaustubh Gadkari
<kaustubh.gadkari at ...11827...> wrote:
> I have a process that continuously dumps pcap files into a directory.
> Periodically, I run snort on these files:
> snort -c /etc/snort/snort.conf --pcap-dir=/path/to/pcaps
> I have configured snort to write to a MySQL database. I have also
> confirmed that snort is writing to the database. Just to raise alerts,
> I have a rule 'alert tcp any any <> any any (sid:5;)'. I am using
> B.A.S.E (http://base.secureideas.net/) v1.4.1 to see the snort alerts.
> Here's the problem:
> When I run snort as described above, snort writes events to the snort
> database. I checked using 'select count(*) from event;', but the
> alerts do not show up in B.A.S.E. However, if I run snort on the
> snort -c /etc/snort/snort.conf -i eth1
> things work i.e. I see snort writing to the database, and I see alerts
> on B.A.S.E.
> Am I missing a trick here?
Does your database include the tables that BASE requires? IOW, did you
run the create_base_tbls_mysql.sql script?
Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
WARNING: Check the headers before replying
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 3822 bytes
Desc: not available
More information about the Snort-users