Snort mailing list archives

Snort and ACID - how to determine if logging is happening correctly


From: "Jeff Schmidt (CACL Tech Asst)" <schmidje () oplin org>
Date: Fri, 04 Jun 2004 14:47:05 -0400

Hello,
I'm trying to get Snort, Barnyard, MySQL, and ACID all working together. I'm having a problem that I suspect is a problem with ACID, not Snort, but I'm wondering how to tell if Barnyard is correctly logging information to the MySQL database. The problem I have with ACID is that when I view acid_main.php it *always* tells me there are 0 alerts in the database.

I've tried the following:

mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|     2963 |
+----------+

mysql> select * from iphdr order by rand() limit 3;
+-----+------+-----------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------+
| sid | cid  | ip_src    | ip_dst     | ip_ver | ip_hlen | ip_tos | ip_len | ip_id | ip_flags | ip_off | ip_ttl | ip_proto | ip_csum |
+-----+------+-----------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------+
|   1 | 2368 | 167838071 | 4294967295 |   NULL |    NULL |   NULL |   NULL |  NULL |     NULL |   NULL |   NULL |       17 |    NULL |
|   1 | 2060 | 167838071 | 4294967295 |   NULL |    NULL |   NULL |   NULL |  NULL |     NULL |   NULL |   NULL |       17 |    NULL |
|   1 | 1320 | 167838071 | 4294967295 |   NULL |    NULL |   NULL |   NULL |  NULL |     NULL |   NULL |   NULL |       17 |    NULL |
+-----+------+-----------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------+
3 rows in set (0.06 sec)

mysql> select * from data order by rand() limit 3;
Empty set (0.00 sec)

mysql> select * from event order by rand() limit 3;
+-----+------+-----------+---------------------+
| sid | cid  | signature | timestamp           |
+-----+------+-----------+---------------------+
|   1 | 1273 |         1 | 2004-06-03 15:28:55 |
|   1 |  494 |         1 | 2004-06-03 16:24:51 |
|   1 |  423 |         1 | 2004-06-03 15:34:55 |
+-----+------+-----------+---------------------+
3 rows in set (0.04 sec)

mysql> select * from detail order by rand() limit 3;
+-------------+-------------+
| detail_type | detail_text |
+-------------+-------------+
|           1 | full        |
|           0 | fast        |
+-------------+-------------+
2 rows in set (0.31 sec)

mysql> select * from icmphdr order by rand() limit 3;
+-----+------+-----------+-----------+-----------+---------+----------+
| sid | cid  | icmp_type | icmp_code | icmp_csum | icmp_id | icmp_seq |
+-----+------+-----------+-----------+-----------+---------+----------+
|   1 |  976 |         3 |         3 |      NULL |    NULL |     NULL |
|   1 | 1835 |         3 |         3 |      NULL |    NULL |     NULL |
|   1 | 2948 |         3 |         3 |      NULL |    NULL |     NULL |
+-----+------+-----------+-----------+-----------+---------+----------+
3 rows in set (0.02 sec)

mysql> select * from udphdr order by rand() limit 3;
+-----+------+-----------+-----------+---------+----------+
| sid | cid  | udp_sport | udp_dport | udp_len | udp_csum |
+-----+------+-----------+-----------+---------+----------+
|   1 | 2311 |       162 |       162 |    NULL |     NULL |
|   1 |    9 |       162 |       162 |    NULL |     NULL |
|   1 | 2121 |       162 |       162 |    NULL |     NULL |
+-----+------+-----------+-----------+---------+----------+
3 rows in set (0.03 sec)

mysql> \q

-------------------------------------------------------


It looks like at least *some* information is getting sent to the database, but I see an awful lot of NULLs, which makes me think some of the info is not getting correctly logged to the alert database.

Can anyone help me on this?

Jeff Schmidt
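The checks below are an added example, not part of Jeff's post or of the Snort, Barnyard or ACID projects. They run the same kind of sanity queries against a constructed in-memory SQLite copy of a subset of the Snort database schema (event, iphdr, udphdr, icmphdr), populated with rows modelled on the output above; against a real MySQL instance the queries are the same, only the connector changes. The script decodes the integer addresses the schema stores (167838071 is 10.1.1.119, 4294967295 is 255.255.255.255, so the sampled rows are UDP 162-to-162, the SNMP trap port, sent to the broadcast address), reports the share of NULLs per header column, and lists events that were counted but have no header row at all. Table and column names are the schema's own; the sample rows and the cid 5 event without a header are constructed for the example.

```python
import sqlite3
from typing import Dict, List, Tuple


def int_to_ip(n: int) -> str:
    """Decode the unsigned 32-bit integer the Snort schema stores in ip_src/ip_dst."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


# Subset of the Snort database schema, written in SQLite syntax for this example.
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
    ip_ver INTEGER, ip_hlen INTEGER, ip_tos INTEGER, ip_len INTEGER, ip_id INTEGER,
    ip_flags INTEGER, ip_off INTEGER, ip_ttl INTEGER, ip_proto INTEGER, ip_csum INTEGER);
CREATE TABLE udphdr (sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER,
    udp_len INTEGER, udp_csum INTEGER);
CREATE TABLE icmphdr (sid INTEGER, cid INTEGER, icmp_type INTEGER, icmp_code INTEGER,
    icmp_csum INTEGER, icmp_id INTEGER, icmp_seq INTEGER);
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample modelled on the rows in the post (not a dump of a real database)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", [
        (1, 1, 1, "2004-06-03 15:28:55"),
        (1, 2, 1, "2004-06-03 15:34:55"),
        (1, 3, 1, "2004-06-03 16:24:51"),
        (1, 4, 2, "2004-06-03 16:30:12"),
        (1, 5, 1, "2004-06-03 16:31:00"),  # constructed: counted event with no header rows
    ])
    ip_nulls = (None,) * 8  # ip_ver .. ip_ttl left NULL, as in the post
    conn.executemany("INSERT INTO iphdr VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?)", [
        (1, 1, 167838071, 4294967295) + ip_nulls + (17, None),
        (1, 2, 167838071, 4294967295) + ip_nulls + (17, None),
        (1, 3, 167838071, 4294967295) + ip_nulls + (17, None),
        (1, 4, 167838071, 167838072) + ip_nulls + (1, None),  # constructed ICMP event
    ])
    conn.executemany("INSERT INTO udphdr VALUES (?,?,?,?,?,?)", [
        (1, 1, 162, 162, None, None),
        (1, 2, 162, 162, None, None),
        (1, 3, 162, 162, None, None),
    ])
    conn.execute("INSERT INTO icmphdr VALUES (?,?,?,?,?,?,?)", (1, 4, 3, 3, None, None, None))
    conn.commit()
    return conn


def event_count(conn: sqlite3.Connection) -> int:
    """What ACID should be reporting: the number of rows in event."""
    return conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]


def null_fractions(conn: sqlite3.Connection, table: str, columns: List[str]) -> Dict[str, float]:
    """Share of NULLs per column; 1.0 means the output plugin never populated that field."""
    # identifiers cannot be bound as parameters, so only accept plain identifiers
    if not table.isidentifier() or not all(c.isidentifier() for c in columns):
        raise ValueError("table and column names must be plain identifiers")
    total = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    result = {}
    for col in columns:
        nulls = conn.execute(f"SELECT COUNT(*) FROM {table} WHERE {col} IS NULL").fetchone()[0]
        result[col] = nulls / total if total else 0.0
    return result


def events_without_header(conn: sqlite3.Connection) -> List[Tuple[int, int]]:
    """Events with no matching iphdr row: the alert was counted but its packet data was not stored."""
    return conn.execute(
        "SELECT e.sid, e.cid FROM event e "
        "LEFT JOIN iphdr i ON e.sid = i.sid AND e.cid = i.cid "
        "WHERE i.cid IS NULL ORDER BY e.cid").fetchall()


def flows(conn: sqlite3.Connection) -> List[Tuple[int, str, str, str]]:
    """Join the header tables into one readable line per event (cid, src, dst, description)."""
    rows = conn.execute(
        "SELECT i.cid, i.ip_src, i.ip_dst, i.ip_proto, u.udp_sport, u.udp_dport, "
        "c.icmp_type, c.icmp_code FROM iphdr i "
        "LEFT JOIN udphdr u ON u.sid = i.sid AND u.cid = i.cid "
        "LEFT JOIN icmphdr c ON c.sid = i.sid AND c.cid = i.cid ORDER BY i.cid").fetchall()
    out = []
    for cid, src, dst, proto, sport, dport, itype, icode in rows:
        if proto == 17:
            desc = f"udp {sport}->{dport}"
        elif proto == 1:
            desc = f"icmp type {itype} code {icode}"
        else:
            desc = f"proto {proto}"
        out.append((cid, int_to_ip(src), int_to_ip(dst), desc))
    return out


if __name__ == "__main__":
    db = build_sample_db()
    print("events in table:", event_count(db))
    print("NULL share in iphdr:", null_fractions(db, "iphdr", ["ip_src", "ip_ttl", "ip_proto"]))
    print("events with no iphdr row:", events_without_header(db))
    for line in flows(db):
        print(line)
```

A column that is NULL in every row (ip_ttl, udp_len, icmp_id, and so on) is the signature of the plugin writing only a minimal subset of each header, while a column that is NULL only sometimes points at individual events that were partially written; the two cases call for different places to look.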




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

