[Snort-users] Where's Waldo?

AllowOverride allowoverride at ...11827...
Tue Oct 9 23:07:49 EDT 2012


Not so simple. Then why does it not continue to produce data? I set a
constant ping, it logs to base, I clear tables, I refresh the page, it
should still show data logging. That's the bug, OR it's Mozilla FF.

On Tue, 2012-10-09 at 20:46 -0500, Paul Schmehl wrote:
> --On October 9, 2012 12:08:11 PM -0700 AllowOverride 
> <allowoverride at ...11827...> wrote:
> 
> >> Step 5: Verify that base can login to the db and read the alerts
> > It's working, but when I clear the data tables on base browser GUI, no
> > new data is being recorded.
> 
> OK.  Base does nothing more than to display what's in the database.  So, if 
> you empty the tables of data and no new data shows up, base is doing its 
> job.  The problem lies elsewhere.
> 
> > I noticed that if I restart the services, or
> > restart apache2, it will start displaying again... kinda odd, I would
> > have to restart anything. Wonders if base is really the right solution
> > at this point, or maybe there is a switch to flick in it.
> 
> In order to do fruitful troubleshooting, you have to take one step at a 
> time.  Restart one service.  Does base start displaying alerts again?  Then 
> that service is the problem.  If you restart several services and base 
> starts displaying alerts again, you have no way of knowing which service is 
> the problem.
> 
> Your problem sounds like one that used to occur with barnyard2 - lost 
> connections to the database - but it's hard to tell without knowing which 
> service restarts the alerts.
> 
> Look at the timestamps and sizes on the snort logs.  Is it continually 
> logging?  When the log files turn over, does the new one grow in size?
> 
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> "There are some ideas so wrong that only a very
> intelligent person could believe in them." George Orwell
> 
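
The log check Paul describes (is the newest Snort log still growing, and does a new file grow after turnover?) can be scripted as below. This is an added example, not part of the original thread; the function names are hypothetical and the default directory /var/log/snort is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical and the
# default directory /var/log/snort is an assumption; pass your own log path.

# Print the path of the most recently modified regular file in DIR.
newest_file() {
    # -t: newest first, -p: mark directories with "/" so grep can drop them.
    name=$(ls -tp "$1" 2>/dev/null | grep -v '/$' | head -n 1)
    [ -n "$name" ] && printf '%s/%s\n' "$1" "$name"
}

# Print the size of FILE in bytes.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Sample DIR twice, INTERVAL seconds apart, and print one word:
#   growing  newest file gained bytes (sensor is writing)
#   rotated  a newer file appeared (log turned over)
#   stalled  same file, same size (nothing written)
#   empty    no log files at all
log_growth() {
    dir=$1
    interval=${2:-10}
    before_file=$(newest_file "$dir") || { echo empty; return 0; }
    before_size=$(file_size "$before_file")
    sleep "$interval"
    after_file=$(newest_file "$dir") || { echo empty; return 0; }
    after_size=$(file_size "$after_file")
    if [ "$after_file" != "$before_file" ]; then
        echo rotated
    elif [ "$after_size" -gt "$before_size" ]; then
        echo growing
    else
        echo stalled
    fi
}

# Run only when asked, e.g.: sh logcheck.sh --check /var/log/snort 30
if [ "${1:-}" = "--check" ]; then
    log_growth "${2:-/var/log/snort}" "${3:-10}"
fi
```

With the constant ping running, "growing" or "rotated" while BASE stays empty means Snort itself is still logging and the fault is further along the path into the database; "stalled" points back at the sensor.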