Snort mailing list archives

RE: Snort data not being populated to Acid


From: "pfeito" <pfeito () netcabo pt>
Date: Wed, 1 Sep 2004 05:31:20 +0100

Hi,

I've just had this problem also. In my case, I was trying to set up
barnyard, so I prepared a new blank database for barnyard to use.

After that Acid was showing nothing! I verified that barnyard was inserting
into some tables but not into the Acid ones... the lines below are taken from
the mysql query log.

040901  5:16:41      77 Query       SELECT sig_id FROM signature WHERE sig_name='Snort Alert [1:1000002:0]' AND sig_rev=0 A$
                     77 Query       INSERT INTO event(sid, cid, signature, timestamp) VALUES('1', '458', '28', '2004-09-01 $
                     77 Query       INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto, ip_ver, ip_hlen, ip_tos, ip_len, $
                     77 Query       INSERT INTO tcphdr(sid, cid, tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, $
                     77 Query       INSERT INTO data(sid, cid, data_payload) VALUES('1', '458', '5553455220726F6F740D0A')

After exhausting all my clues, I configured barnyard to insert into the
original database, the one that I was using until the moment I began playing
with barnyard, and I was surprised to see that barnyard was correctly
inserting into all tables! Don't know what the hell made the difference, but
it began working. Maybe this is a strange bug.... caused by the acid tables being
empty, but that alone.... can't be it..

The only minor problem I saw later is that ACID isn't showing my custom
rule's description; it just shows something like this in the alert: Snort
Alert [1:1000002:0] (you can see it also in the SQL log lines above). It
does not get the sig_name right...

Bottom line, I managed to get it working, but don't know the exact reason;
maybe it's a bug
-pfeito
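The diagnosis above was done by reading the MySQL query log by eye. As an added example (not part of the thread, and not barnyard's or ACID's code), the Python script below parses general-query-log lines like the ones quoted and reports, per connection, which tables received INSERTs, which expected tables never did, which signature lookups used the unresolved "Snort Alert [gid:sid:rev]" placeholder name, and what the hex data_payload decodes to. The sample log is the thread's own lines re-joined onto single lines; the expected-table list, including ACID's own acid_event table, is an assumption taken from the ACID schema rather than from the thread, so adjust it to your database.

```python
import re
from collections import defaultdict

# Constructed sample: the query-log lines quoted in the thread, with the
# mail client's line wrapping undone ('$' marks where the log was truncated).
SAMPLE_LOG = """\
040901  5:16:41      77 Query       SELECT sig_id FROM signature WHERE sig_name='Snort Alert [1:1000002:0]' AND sig_rev=0 A$
                     77 Query       INSERT INTO event(sid, cid, signature, timestamp) VALUES('1', '458', '28', '2004-09-01 $
                     77 Query       INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto, ip_ver, ip_hlen, ip_tos, ip_len, $
                     77 Query       INSERT INTO tcphdr(sid, cid, tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, $
                     77 Query       INSERT INTO data(sid, cid, data_payload) VALUES('1', '458', '5553455220726F6F740D0A')
"""

# Assumption: tables the sensor should populate for ACID to show an alert.
# 'acid_event' is ACID's own table name (from the ACID schema, not the thread).
EXPECTED_TABLES = ("event", "iphdr", "tcphdr", "data", "acid_event")

# General query log: optional "YYMMDD H:MM:SS", then connection id, command, SQL.
LINE_RE = re.compile(
    r"^(?:(?P<date>\d{6})\s+(?P<time>\d{1,2}:\d{2}:\d{2}))?\s*"
    r"(?P<conn>\d+)\s+(?P<cmd>[A-Za-z_]+)\s+(?P<sql>.*)$"
)
INSERT_RE = re.compile(r"^INSERT\s+INTO\s+`?(\w+)`?", re.IGNORECASE)
# barnyard/snort fall back to this generic name when a rule's message is unknown.
SIG_RE = re.compile(r"sig_name='Snort Alert \[(\d+):(\d+):(\d+)\]'")
PAYLOAD_RE = re.compile(
    r"^INSERT\s+INTO\s+data\s*\(sid,\s*cid,\s*data_payload\)\s*VALUES\s*"
    r"\('(\d+)',\s*'(\d+)',\s*'([0-9A-Fa-f]*)'\)",
    re.IGNORECASE,
)


def parse_query_log(text):
    """Parse query-log lines into {conn, cmd, sql} records; skip non-entry lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append({"conn": m.group("conn"), "cmd": m.group("cmd"),
                            "sql": m.group("sql").strip()})
    return entries


def tables_written(entries):
    """Map each connection id to the set of tables it INSERTed into."""
    written = defaultdict(set)
    for e in entries:
        m = INSERT_RE.match(e["sql"])
        if m and e["cmd"] == "Query":
            written[e["conn"]].add(m.group(1).lower())
    return dict(written)


def missing_tables(written, expected):
    """Expected tables that never received an INSERT on this connection."""
    return [t for t in expected if t.lower() not in written]


def unresolved_signatures(entries):
    """(gid, sid, rev) of lookups that used the placeholder 'Snort Alert [...]' name."""
    found = []
    for e in entries:
        for gid, sid, rev in SIG_RE.findall(e["sql"]):
            found.append((int(gid), int(sid), int(rev)))
    return found


def decode_payloads(entries):
    """(sid, cid, bytes) for each INSERT INTO data, hex payload decoded."""
    out = []
    for e in entries:
        m = PAYLOAD_RE.match(e["sql"])
        if m:
            out.append((int(m.group(1)), int(m.group(2)), bytes.fromhex(m.group(3))))
    return out


if __name__ == "__main__":
    entries = parse_query_log(SAMPLE_LOG)
    for conn, tables in tables_written(entries).items():
        print(f"connection {conn} inserted into: {sorted(tables)}")
        print(f"  expected but never written: {missing_tables(tables, EXPECTED_TABLES)}")
    for gid, sid, rev in unresolved_signatures(entries):
        print(f"unresolved rule name for gid={gid} sid={sid} rev={rev}")
    for sid, cid, payload in decode_payloads(entries):
        print(f"event {sid}/{cid} payload: {payload!r}")
```

Run against a real log (enable the general query log on a test database only, as it records every statement including credentials), and the "expected but never written" line tells you directly whether the ACID-side tables are being touched; the unresolved-signature list points at rules whose messages barnyard could not look up, which is the second symptom in the message above.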

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-
admin () lists sourceforge net] On Behalf Of Jose Maria Lopez
Sent: Sunday, 29 August 2004 18:04
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort data not being populated to Acid

On Sun, 29 Aug 2004 at 16:10, Jeff Heckart wrote:
Hello,
I just set up snort 2.2.0, and am trying to get ACID working.  I
currently have events sitting in the snort event table, but I have no
data in acid.  I have granted my db user account admin.
What could I be overlooking?

Thanks,
Jeff

I suppose you have created the tables correctly and you have the correct
data in the config file to connect to the database, so if all seems
right you should use something like ethereal to see if data is
being sent from the snort daemon to the database daemon. Also you can
check the database logs and the snort logs for errors.


--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac () bgsec com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"



-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idP47&alloc_id808&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


