[Snort-users] Problems with snort and B.A.S.E

Kaustubh Gadkari kaustubh.gadkari at ...11827...
Tue Feb 10 23:55:32 EST 2009


On Tue, Feb 10, 2009 at 9:45 PM, Paul Schmehl <pschmehl_lists at ...14358...> wrote:
> --On February 10, 2009 10:21:55 PM -0600 Kaustubh Gadkari
> <kaustubh.gadkari at ...11827...> wrote:
>
>>
>>>>
>>>
>>> So snort is putting events in the db, but base isn't seeing them.  Did
>>> you edit the base_conf.php file to reflect the proper db type, name and
>>> credentials for your setup?
>>
>> Yes. The credentials are right, and so is the db type.
>>
>>> Have you enabled sql debugging in the
>>> base_conf.php file so you can see what's going on?
>>>
>>
>> I did, and it looks like base can connect to the db. Is there anything
>> in particular I should be looking for?
>>
>
> Normal behavior for base is as follows:
>
> If you drop the tables and recreate them, base will repopulate them from
> what's in the "snort" tables (those created by the snort table creation
> script.)  IOW, the base tables are independent of but dependent upon the
> snort tables.  For some reason, even though you have confirmed that snort is
> writing data to the db, base isn't moving that data into its tables. Since
> you've confirmed most of the basics already, I'm not sure what to think
> at this point.  Perhaps look at the mysql logs and see if you spot anything
> there that might explain why those tables aren't being written to.
>
> You should be seeing some of these in the mysql query log:
> INSERT INTO acid_event (sid,cid,signature,timestamp,etc.
>

There are no such entries in the mysql log.

> Those are snort events being inserted into the base table structure by base
> (see the base/includes/base_cache.inc.php file).  Perhaps the query log has
> an error in it that will tip you off to what the problem might be?
>
> Perhaps try dropping and recreating the tables?  Rerun the base setup
> routine?
>

Tried both of those, with no success.

Kaustubh
-- 
Kaustubh Gadkari
kaustubh [dot] gadkari [at] gmail [dot] com
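
[Added example, not part of the original thread and not BASE or Snort code.] The two checks discussed above, sketched in Python: counting INSERT statements per table in a MySQL general query log, and finding rows in the snort "event" table that have no matching row in BASE's "acid_event" table. The log excerpt, the reduced table definitions and the use of an in-memory SQLite database in place of MySQL are assumptions made so the example runs offline.

```python
import re
import sqlite3

# Constructed sample of a MySQL general query log (layout simplified).
SAMPLE_LOG = """\
090210 21:40:01  12 Connect  snort@localhost on snort
                 12 Query    INSERT INTO event (sid,cid,signature,timestamp) VALUES (1,1,5,'2009-02-10 21:40:01')
                 13 Connect  base@localhost on snort
                 13 Query    SELECT COUNT(*) FROM acid_event
                 13 Query    SELECT MAX(cid) FROM event WHERE sid=1
"""

INSERT_RE = re.compile(r"\bQuery\s+INSERT\s+INTO\s+`?(\w+)`?", re.IGNORECASE)


def count_inserts(log_text):
    """Return {table: number of INSERT statements} found in a query log."""
    counts = {}
    for line in log_text.splitlines():
        match = INSERT_RE.search(line)
        if match:
            table = match.group(1).lower()
            counts[table] = counts.get(table, 0) + 1
    return counts


def uncached_events(conn):
    """Return {sid: count} of event rows with no acid_event row (same sid, cid)."""
    rows = conn.execute(
        "SELECT e.sid, COUNT(*) FROM event e "
        "LEFT JOIN acid_event a ON a.sid = e.sid AND a.cid = e.cid "
        "WHERE a.cid IS NULL GROUP BY e.sid"
    ).fetchall()
    return dict(rows)


def demo_db():
    """Constructed stand-in database holding only the columns named in the thread."""
    conn = sqlite3.connect(":memory:")
    cols = "(sid INT, cid INT, signature INT, timestamp TEXT)"
    conn.execute("CREATE TABLE event " + cols)
    conn.execute("CREATE TABLE acid_event " + cols)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)",
                     [(1, cid, 5, "2009-02-10 21:40:01") for cid in (1, 2, 3)])
    return conn


if __name__ == "__main__":
    print("INSERTs per table:", count_inserts(SAMPLE_LOG))
    print("events missing from acid_event:", uncached_events(demo_db()))
```

A log with INSERTs into event but none into acid_event, together with a non-empty result from the join, matches the symptom reported in this thread: snort is writing events and BASE is not copying them into its own tables.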
