Re: Re: Barnyard not inserting on ACID tables in MySQL, just regular snort ones

["Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>]

--On 02 September 2004 10:38 +0100 Pedro Fortuna <pedro.fortuna () gmail com> 
wrote:

> On Thu, 02 Sep 2004 09:24:31 +0100, Alex Butcher, ISC/ISYS
> <alex.butcher () bristol ac uk> wrote:
> > --On 01 September 2004 19:06 +0100 Pedro Fortuna
> > <pedro.fortuna () gmail com> wrote:
> >
> > > Anyway, now its working with the old DB, but two things are bodering
> > > me: - ACID isn't showing my custom rule's description, it just shows
> > > something like this in the alert "Snort Alert [1:1000002:0]" (1000002
> > > is the rule ID)
> >
> > I had this problem when I was using mudpit, and mudpit couldn't find
> > sid-msg.map and gen-msg.map. I haven't used barnyard, and I'm using FLoP
> > now, but maybe your problem has the same root.
> Well, the rules that werent showing up the descriptiont were my custom
> rules. I didnt knew I must also add the description to sid-msg.map.
> That's understood now.

Cool. Happy to help. If you trawl the list archives, you'll find a script 
from me that rebuilds sid-msg.map.

> > > - The events time are one our late! An event at 3am shows 2am.
> >
> > Probably a timezone or daylight savings time thing; I think all events
> > are logged as UTC (i.e. GMT+0). Are you in western Europe, by chance?
> I'm on GMT+0 (London,Lisbon,... it seems we are in the same timezone),
> but the thing is that my system "date" output (Ive only noticed this
> now) shows something like this:
> Thu Sep  2 10:13:02 WEST 2004

WEST (Western European Standard Time, presumably) is not the same thing as 
GMT+0/UTC. UTC doesn't have daylight savings time (i.e. forward an hour at 
the beginning of summer), WEST and GMT0BST do. So 10:13 GMT is actually 
11:13 WEST/GMT0BST right now. In winter, 10:13 GMT will be 10:13 
WEST/GMT0BST.

> Shouldn't it say "GMT or UTC" ?
> I try set it to GMT or UTC, but all it does is adding one hour, and
> maintaining the "WEST":
> # date --set="thu Sep 2 10:13:00 GMT 2004"
> Thu Sep  2 11:13:00 WEST 2004

You need to play with your TZ environment variable. This is usually set in 
the system initscripts somewhere. On Red Hat and derived distros, you can 
run timeconfig as root to set it system-wide.

IMHO, logs are best stored with GMT+0 timestamps across your entire 
enterprise, as this makes it easier to compare logs from different systems 
(some of which will probably have broken or missing timezone support). This 
is a common practice at ISPs, for instance.

> So i set it up back to 10:13 WEST. I have to check this thing again later.
>
> > > If someone has a clue why Acid failed to insert the events in its
> > > tables (_using_ the blank DB) please say something, so that I can test
> > > it.
> >
> > Did you run create_acid_tbls_mysql.sql from the ACID distribution?
> No, I used snortdb-extra.gz in snort distribution, which must be the
> same thing.

No, it's not. Glad you've fixed the problem, anyway.

> -Pedro Fortuna

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9




-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users