[Snort-users] Problems with snort and B.A.S.E

Paul Schmehl pschmehl_lists at ...14358...
Tue Feb 10 23:45:16 EST 2009

--On February 10, 2009 10:21:55 PM -0600 Kaustubh Gadkari 
<kaustubh.gadkari at ...11827...> wrote:

>> So snort is putting events in the db, but base isn't seeing them.  Did
>> you edit the base_conf.php file to reflect the proper db type, name and
>> credentials for your setup?
> Yes. The credentials are right, and so is the db type.
>> Have you enabled sql debugging in the
>> base_conf.php file so you can see what's going on?
> I did, and it looks like base can connect to the db. Is there anything
> in particular I should be looking for?

Normal behavior for base is as follows:

If you drop the tables and recreate them, base will repopulate them from 
what's in the "snort" tables (those created by the snort table creation 
script.)  IOW, the base tables are independent of but dependent upon the 
snort tables.  For some reason, even though you have confirmed that snort 
is writing data to the db, base isn't moving that data into its tables. 
Since you've confirmed most of the basics already, I'm not not sure what 
to think at this point.  Perhaps look at the mysql logs and see if you 
spot anything there that might explain why those tables aren't being 
written to.

You should be seeing some of these in the mysql query log:
INSERT INTO acid_event (sid,cid,signature,timestamp,etc.

Those are snort events being inserted into the base table structure by 
base (see the base/includes/base_cache.inc.php file).  Perhaps the query 
log has an error in it that will tip you off to what the problem might be?

Perhaps try dropping and recreating the tables?  Rerun the base setup 

Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
WARNING: Check the headers before replying
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pkcs7-signature
Size: 3822 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20090210/55db96a2/attachment.bin>

More information about the Snort-users mailing list