No subject


Thu Nov 23 16:36:19 EST 2017


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




<br><font size=2 face="sans-serif">Jeff, </font>
<br><font size=2 face="sans-serif">I am having this exact same problem
where it's logging to the database but not in ACID. Have you made any progress
on this?</font>
<br>
<br><font size=2 face="sans-serif">Regards,</font>
<br>
<br><font size=2 face="sans-serif">Tim Morrison</font>
<br>
<br>
<br>
<br><font size=1 face="sans-serif"><b>"Jeff Schmidt (CACL Tech Asst)" &lt;schmidje at ...11869...&gt;</b><br>
Sent by: snort-users-admin at lists.sourceforge.net<br>
06/04/2004 01:47 PM<br>
To: snort-users at lists.sourceforge.net<br>
cc:<br>
Subject: [Snort-users] Snort and ACID - how to determine if logging is happening correctly</font>
<br>
<br>
<br><font size=2><tt>Hello,<br>
   I'm trying to get Snort, Barnyard, MySQL, and ACID all working together. I'm having a problem, that I suspect is a problem with ACID, not Snort, but I'm wondering how to tell if barnyard is correctly logging information to the mysql database? The problem I have with ACID is that when I view acid_main.php it *always* tells me there are 0 alerts in the database.<br>
<br>
I've tried the following:<br>
<br>
mysql> select count(*) from event;<br>
+----------+<br>
| count(*) |<br>
+----------+<br>
|     2963 |<br>
+----------+<br>
<br>
mysql> select * from iphdr order by rand() limit 3;<br>
+-----+------+-----------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------+<br>
| sid | cid  | ip_src    | ip_dst     | ip_ver | ip_hlen | ip_tos | ip_len | ip_id | ip_flags | ip_off | ip_ttl | ip_proto | ip_csum |<br>
+-----+------+-----------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------+<br>
|   1 | 2368 | 167838071 | 4294967295 |   NULL |    NULL |   NULL |   NULL |  NULL |     NULL |   NULL |   NULL |       17 |    NULL |<br>
|   1 | 2060 | 167838071 | 4294967295 |   NULL |    NULL |   NULL |   NULL |  NULL |     NULL |   NULL |   NULL |       17 |    NULL |<br>
|   1 | 1320 | 167838071 | 4294967295 |   NULL |    NULL |   NULL |   NULL |  NULL |     NULL |   NULL |   NULL |       17 |    NULL |<br>
+-----+------+-----------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------+<br>
3 rows in set (0.06 sec)<br>
<br>
mysql> select * from data order by rand() limit 3;<br>
Empty set (0.00 sec)<br>
<br>
mysql> select * from event order by rand() limit 3;<br>
+-----+------+-----------+---------------------+<br>
| sid | cid  | signature | timestamp           |<br>
+-----+------+-----------+---------------------+<br>
|   1 | 1273 |         1 | 2004-06-03 15:28:55 |<br>
|   1 |  494 |         1 | 2004-06-03 16:24:51 |<br>
|   1 |  423 |         1 | 2004-06-03 15:34:55 |<br>
+-----+------+-----------+---------------------+<br>
3 rows in set (0.04 sec)<br>
<br>
mysql> select * from detail order by rand() limit 3;<br>
+-------------+-------------+<br>
| detail_type | detail_text |<br>
+-------------+-------------+<br>
|           1 | full        |<br>
|           0 | fast        |<br>
+-------------+-------------+<br>
2 rows in set (0.31 sec)<br>
<br>
mysql> select * from icmphdr order by rand() limit 3;<br>
+-----+------+-----------+-----------+-----------+---------+----------+<br>
| sid | cid  | icmp_type | icmp_code | icmp_csum | icmp_id | icmp_seq |<br>
+-----+------+-----------+-----------+-----------+---------+----------+<br>
|   1 |  976 |         3 |         3 |      NULL |    NULL |     NULL |<br>
|   1 | 1835 |         3 |         3 |      NULL |    NULL |     NULL |<br>
|   1 | 2948 |         3 |         3 |      NULL |    NULL |     NULL |<br>
+-----+------+-----------+-----------+-----------+---------+----------+<br>
3 rows in set (0.02 sec)<br>
<br>
mysql> select * from udphdr order by rand() limit 3;<br>
+-----+------+-----------+-----------+---------+----------+<br>
| sid | cid  | udp_sport | udp_dport | udp_len | udp_csum |<br>
+-----+------+-----------+-----------+---------+----------+<br>
|   1 | 2311 |       162 |       162 |    NULL |     NULL |<br>
|   1 |    9 |       162 |       162 |    NULL |     NULL |<br>
|   1 | 2121 |       162 |       162 |    NULL |     NULL |<br>
+-----+------+-----------+-----------+---------+----------+<br>
3 rows in set (0.03 sec)<br>
<br>
mysql> \q<br>
<br>
-------------------------------------------------------<br>
<br>
<br>
It looks like at least *some* information is getting sent to the database, but I see an awful lot of NULLs, which makes me think some of the info is not getting correctly logged to the alert database.<br>
<br>
Can anyone help me on this?<br>
<br>
Jeff Schmidt<br>
<br>
<br>
<br>
<br>
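An added example, not part of Jeff's or Tim's posts and not code from the Snort, Barnyard or ACID projects: a set of MySQL queries that check how complete barnyard's writes to the Snort database are, using the event, iphdr, udphdr and icmphdr tables shown above. The signature and sensor tables (columns sig_id and sid) are assumed from the standard Snort database schema; the post does not show them.

```sql
-- Added example: completeness checks for a Snort/Barnyard MySQL database.
-- Run in the mysql client against the alert database. Column names for
-- event/iphdr/udphdr/icmphdr are as shown in the thread; signature.sig_id
-- and sensor.sid are assumed from the standard Snort schema (not shown).

-- 1. Every event row should be backed by an IP header row. Orphans mean
--    the event record was written but the decoded packet was not.
SELECT COUNT(*) AS events_without_iphdr
FROM event e
LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE i.cid IS NULL;

-- 2. How many IP header fields are NULL? A column that is NULL on every
--    row (ip_ver, ip_hlen, ip_ttl in the post) means the decoded header
--    is not reaching the database, independent of what ACID displays.
SELECT COUNT(*)              AS rows_total,
       SUM(ip_ver   IS NULL) AS ip_ver_null,
       SUM(ip_hlen  IS NULL) AS ip_hlen_null,
       SUM(ip_ttl   IS NULL) AS ip_ttl_null,
       SUM(ip_proto IS NULL) AS ip_proto_null
FROM iphdr;

-- 3. Transport header coverage per protocol: UDP events (ip_proto 17)
--    should each have a udphdr row, ICMP events (ip_proto 1) an icmphdr row.
SELECT i.ip_proto,
       COUNT(*)               AS events,
       SUM(u.cid IS NOT NULL) AS with_udphdr,
       SUM(c.cid IS NOT NULL) AS with_icmphdr
FROM iphdr i
LEFT JOIN udphdr  u ON u.sid = i.sid AND u.cid = i.cid
LEFT JOIN icmphdr c ON c.sid = i.sid AND c.cid = i.cid
GROUP BY i.ip_proto;

-- 4. Lookup tables a front end joins against: events whose signature id
--    or sensor id has no matching row are worth investigating first.
SELECT COUNT(*) AS events_without_signature
FROM event e
LEFT JOIN signature s ON s.sig_id = e.signature
WHERE s.sig_id IS NULL;

SELECT COUNT(*) AS events_without_sensor
FROM event e
LEFT JOIN sensor n ON n.sid = e.sid
WHERE n.sid IS NULL;
```

Non-zero counts in queries 1, 3 or 4 point at the logging path (Barnyard and its output plugin) rather than at ACID; all-NULL columns in query 2 match what the post's iphdr output shows.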