[Snort-users] Where's Waldo?

Paul Schmehl pschmehl_lists at ...14358...
Tue Oct 9 23:58:25 EDT 2012


It's a very strange bug.  It only exists on your system.

We've been using base for as long as it's existed, and our copy has never 
had that bug.

--On October 9, 2012 8:09:54 PM -0700 AllowOverride 
<allowoverride at ...11827...> wrote:

> OMG... thanks, but I am fully aware of how to troubleshoot. Sorry, I'm not
> going to respond to all that... I think it's a bug; been there, done that.
>
> On Tue, 2012-10-09 at 20:46 -0500, Paul Schmehl wrote:
>> --On October 9, 2012 12:08:11 PM -0700 AllowOverride
>> <allowoverride at ...11827...> wrote:
>>
>> >> Step 5: Verify that base can login to the db and read the alerts
>> > It's working - but when I clear the data tables in the base browser GUI,
>> > no new data is being recorded.
>>
>> OK.  Base does nothing more than to display what's in the database.  So,
>> if you empty the tables of data and no new data shows up, base is doing
>> its job.  The problem lies elsewhere.
>>
>> > I noticed that if I restart the services, or
>> > restart apache2, it will start displaying again... kind of odd that I
>> > would have to restart anything. I wonder if base is really the right
>> > solution at this point, or maybe there is a switch to flick in it.
>>
>> In order to do fruitful troubleshooting, you have to take one step at a
>> time.  Restart one service.  Does base start displaying alerts again?
>> Then that service is the problem.  If you restart several services and
>> base starts displaying alerts again, you have no way of knowing which
>> service is the problem.
>>
>> Your problem sounds like one that used to occur with barnyard2 - lost
>> connections to the database - but it's hard to tell without knowing
>> which service restarts the alerts.
>>
>> Look at the timestamps and sizes on the snort logs.  Is it continually
>> logging?  When the log files turn over, does the new one grow in size?
>>
>> Paul Schmehl, Senior Infosec Analyst
>> As if it wasn't already obvious, my opinions
>> are my own and not those of my employer.
>> *******************************************
>> "It is as useless to argue with those who have
>> renounced the use of reason as to administer
>> medication to the dead." Thomas Jefferson
>> "There are some ideas so wrong that only a very
>> intelligent person could believe in them." George Orwell
>>







