[Snort-users] BASE Error when using Unified to MySQL?

Lay, James james.lay at ...15009...
Wed Jul 20 15:04:26 EDT 2011



> -----Original Message-----
> From: Michael Steele [mailto:michaels at ...9077...]
> Sent: Tuesday, July 19, 2011 2:49 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] BASE Error when using Unified to MySQL?
> 
> I'm using BASE / MySQL as my front end, and database. This is also a
> brand new install.
> 
> This is the initial error:
> base\includes\base_cache.inc.php:776: ERROR:  2 alerts have NOT found
> their way into acid_event with sid = 1
> 
> Then there are a bunch of these listed below the initial error with
> advancing error numbers (1-130 : 1-131, etc.)
> base\includes\base_cache.inc.php:521: ERROR: Alert "1 - 130" could NOT
> be found in acid_event
> 
> All the alerts that 'could NOT be found in acid_event' never make it
> into the BASE console.
> 
> This doesn't happen when using the output database plugin, only when
> BASE receives unified alerts.
> 
> Refreshing BASE with no alerts to process is a normal BASE screen.
> Processing any new alerts causes this to happen, and not all alerts
> appear to create the error because there are alerts in the BASE console.
> 
> BASE added some alerts ('Added 6 alert(s) to the Alert cache'), and
> above that there were 8 alerts that failed ('Alert "1 - 158" could NOT
> be found in acid_event').
> 
> I've seen a lot of inquiries using Google about this exact same
> problem, but I've yet to see a resolution.
> 
> Any help would be greatly appreciated. It appears this error is
> crossing platforms. The inquiries I've seen are on UNIX and I'm on
> Windows. Maybe someone else had this problem, and has a resolution?
> 
> Does the 'sid-msg.map' or 'gen-msg.map' get processed in any way, or
> are they used as is from the source files?
> 
> Kindest regards,
> Michael...
> 


Michael,

What's your setup look like?  What versions of snort/barnyard2 are you
using?  I've had success with:

Snort-2.9.0.5
Barnyard2-Version 2.1.10-beta1

I'm logging unified2 and haven't seen any issues thus far.

James
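
To see exactly which alerts BASE is complaining about, the Snort/BASE MySQL database can be queried directly for rows in `event` that have no matching row in the `acid_event` cache. This is an added example, not code from the thread or from BASE; it assumes the standard Snort schema tables `event` (sid, cid, signature, timestamp) and `signature` (sig_id, sig_name) plus BASE's `acid_event` cache table keyed on (sid, cid).

```sql
-- Added example (not from the thread): list alerts missing from BASE's
-- acid_event cache. Assumes the standard Snort tables `event` and
-- `signature` and BASE's `acid_event` table, keyed on (sid, cid).

-- 1. Per-sensor count of alerts that never reached acid_event, mirroring
--    "N alerts have NOT found their way into acid_event with sid = X".
SELECT e.sid,
       COUNT(*) AS missing_from_cache
FROM event AS e
LEFT JOIN acid_event AS a
       ON a.sid = e.sid AND a.cid = e.cid
WHERE a.cid IS NULL
GROUP BY e.sid;

-- 2. The individual "sid - cid" pairs BASE reports as 'could NOT be found',
--    with the signature name resolved. A NULL sig_name marks an event whose
--    signature id has no row in `signature`, which is worth checking
--    separately given the sid-msg.map question above.
SELECT e.sid, e.cid, e.timestamp, e.signature, s.sig_name
FROM event AS e
LEFT JOIN acid_event AS a
       ON a.sid = e.sid AND a.cid = e.cid
LEFT JOIN signature AS s
       ON s.sig_id = e.signature
WHERE a.cid IS NULL
ORDER BY e.sid, e.cid;
```

Run both against the database BASE is pointed at (e.g. with the mysql client); the first gives the per-sensor tally, the second the specific events behind each "could NOT be found" line.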
