Snort mailing list archives
Re: Snort and ACID - how to determine if logging is happening correctly
From: Timothy W Morrison <morriswt () us ibm com>
Date: Mon, 7 Jun 2004 14:33:28 -0500
Jeff,

I am having this exact same problem where it's logging to the database but
not in ACID. Have you made any progress on this?

Regards,
Tim Morrison

"Jeff Schmidt (CACL Tech Asst)" <schmidje () oplin org>
Sent by: snort-users-admin () lists sourceforge net
06/04/2004 01:47 PM
To: snort-users () lists sourceforge net
cc:
Subject: [Snort-users] Snort and ACID - how to determine if logging is happening correctly

Hello,

I'm trying to get Snort, Barnyard, MySQL, and ACID all working together.
I'm having a problem that I suspect is a problem with ACID, not Snort, but
I'm wondering how to tell if barnyard is correctly logging information to
the mysql database?

The problem I have with ACID is that when I view acid_main.php it *always*
tells me there are 0 alerts in the database.

I've tried the following:

mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|     2963 |
+----------+

mysql> select * from iphdr order by rand() limit 3;
+-----+------+-----------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------+
| sid | cid  | ip_src    | ip_dst     | ip_ver | ip_hlen | ip_tos | ip_len | ip_id | ip_flags | ip_off | ip_ttl | ip_proto | ip_csum |
+-----+------+-----------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------+
|   1 | 2368 | 167838071 | 4294967295 |   NULL |    NULL |   NULL |   NULL |  NULL |     NULL |   NULL |   NULL |       17 |    NULL |
|   1 | 2060 | 167838071 | 4294967295 |   NULL |    NULL |   NULL |   NULL |  NULL |     NULL |   NULL |   NULL |       17 |    NULL |
|   1 | 1320 | 167838071 | 4294967295 |   NULL |    NULL |   NULL |   NULL |  NULL |     NULL |   NULL |   NULL |       17 |    NULL |
+-----+------+-----------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------+
3 rows in set (0.06 sec)

mysql> select * from data order by rand() limit 3;
Empty set (0.00 sec)

mysql> select * from event order by rand() limit 3;
+-----+------+-----------+---------------------+
| sid | cid  | signature | timestamp           |
+-----+------+-----------+---------------------+
|   1 | 1273 |         1 | 2004-06-03 15:28:55 |
|   1 |  494 |         1 | 2004-06-03 16:24:51 |
|   1 |  423 |         1 | 2004-06-03 15:34:55 |
+-----+------+-----------+---------------------+
3 rows in set (0.04 sec)

mysql> select * from detail order by rand() limit 3;
+-------------+-------------+
| detail_type | detail_text |
+-------------+-------------+
|           1 | full        |
|           0 | fast        |
+-------------+-------------+
2 rows in set (0.31 sec)

mysql> select * from icmphdr order by rand() limit 3;
+-----+------+-----------+-----------+-----------+---------+----------+
| sid | cid  | icmp_type | icmp_code | icmp_csum | icmp_id | icmp_seq |
+-----+------+-----------+-----------+-----------+---------+----------+
|   1 |  976 |         3 |         3 |      NULL |    NULL |     NULL |
|   1 | 1835 |         3 |         3 |      NULL |    NULL |     NULL |
|   1 | 2948 |         3 |         3 |      NULL |    NULL |     NULL |
+-----+------+-----------+-----------+-----------+---------+----------+
3 rows in set (0.02 sec)

mysql> select * from udphdr order by rand() limit 3;
+-----+------+-----------+-----------+---------+----------+
| sid | cid  | udp_sport | udp_dport | udp_len | udp_csum |
+-----+------+-----------+-----------+---------+----------+
|   1 | 2311 |       162 |       162 |    NULL |     NULL |
|   1 |    9 |       162 |       162 |    NULL |     NULL |
|   1 | 2121 |       162 |       162 |    NULL |     NULL |
+-----+------+-----------+-----------+---------+----------+
3 rows in set (0.03 sec)

mysql> \q

-------------------------------------------------------

It looks like at least *some* information is getting sent to the database,
but I see an awful lot of NULLs, which makes me think some of the info is
not getting correctly logged to the alert database.

Can anyone help me on this?

Jeff Schmidt
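An added example, not taken from either post, that runs the same kind of consistency checks programmatically. It loads an in-memory SQLite copy of the event, iphdr and udphdr tables with rows constructed to resemble the output quoted above, then counts events with no header row, UDP alerts with no udphdr row, and header rows whose IP fields are all NULL. The column layout follows the tables shown in the thread; load_sample and audit are hypothetical names, and the same queries can be pointed at a real Snort database through any DB-API connection.

```python
import sqlite3

# Column layout copied from the tables shown in the thread.
SCHEMA = """
CREATE TABLE event  (sid INT, cid INT, signature INT, timestamp TEXT);
CREATE TABLE iphdr  (sid INT, cid INT, ip_src INT, ip_dst INT, ip_ver INT,
                     ip_hlen INT, ip_tos INT, ip_len INT, ip_id INT, ip_flags INT,
                     ip_off INT, ip_ttl INT, ip_proto INT, ip_csum INT);
CREATE TABLE udphdr (sid INT, cid INT, udp_sport INT, udp_dport INT,
                     udp_len INT, udp_csum INT);
"""

# Constructed rows shaped like the thread's output: every iphdr row carries only
# addresses and ip_proto, cid 1273 has no iphdr row, cid 2121 has no udphdr row.
EVENTS = [(1, 9, 1, "2004-06-03 15:28:55"), (1, 2121, 1, "2004-06-03 15:34:55"),
          (1, 2311, 1, "2004-06-03 16:24:51"), (1, 1273, 1, "2004-06-03 15:28:55")]
N = (None,) * 8  # ip_ver .. ip_ttl
IPHDRS = [(1, cid, 167838071, 4294967295) + N + (17, None) for cid in (9, 2121, 2311)]
UDPHDRS = [(1, 9, 162, 162, None, None), (1, 2311, 162, 162, None, None)]

def load_sample():
    """Build the in-memory sample database (hypothetical helper)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", EVENTS)
    conn.executemany("INSERT INTO iphdr VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?)", IPHDRS)
    conn.executemany("INSERT INTO udphdr VALUES (?,?,?,?,?,?)", UDPHDRS)
    return conn

def audit(conn):
    """Every event (sid, cid) should have an iphdr row, every ip_proto 17 row
    should have a udphdr row, and IP header fields should not all be NULL.
    Non-zero counts in the last three entries point at incomplete logging."""
    one = lambda sql: conn.execute(sql).fetchone()[0]
    return {
        "events": one("SELECT COUNT(*) FROM event"),
        "events_without_iphdr": one(
            "SELECT COUNT(*) FROM event e LEFT JOIN iphdr i "
            "ON e.sid = i.sid AND e.cid = i.cid WHERE i.sid IS NULL"),
        "udp_without_udphdr": one(
            "SELECT COUNT(*) FROM iphdr i LEFT JOIN udphdr u "
            "ON i.sid = u.sid AND i.cid = u.cid "
            "WHERE i.ip_proto = 17 AND u.sid IS NULL"),
        "iphdr_missing_fields": one(
            "SELECT COUNT(*) FROM iphdr WHERE ip_ver IS NULL "
            "AND ip_hlen IS NULL AND ip_len IS NULL AND ip_ttl IS NULL"),
    }

if __name__ == "__main__":
    for name, count in audit(load_sample()).items():
        print(f"{name}: {count}")
```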