Re: [Snort-users] Barnyard not inserting on ACID tables in MySQL, just regular snort ones

From: Pedro Fortuna (pedro.fortuna@gmail.com)
Date: Wed Sep 01 2004 - 13:06:43 CDT


Hello,

You're right! Thanks Dirk! Acid tables are only populated by Acid
itself. I've just double checked the mysqld log.

I managed to get snort-barnyard-acid working. I told barnyard to log
to the old MySQL DB (the one that snort was inserting into directly, prior
to this setup), changed ACID to work with the old DB, and it began
working... why? I don't know... I don't have any clue...

Both the old and the newest DBs were created like this:
- created a blank database,
- created the snort MySQL user,
- gave permissions to that user,
- ran snort's "contrib/create_mysql" script,
- ran contrib/snortdb-extra.gz,
- and finally the ACID tables were created by ACID (setup option).

Anyway, now it's working with the old DB, but two things are bothering me:
- ACID isn't showing my custom rule's description; it just shows
something like this in the alert: "Snort Alert [1:1000002:0]" (1000002
is the rule ID)
- The event times are one hour late! An event at 3am shows as 2am.

If someone has a clue why ACID failed to insert the events in its tables
(_using_ the blank DB), please say something so that I can test it.

Thanks,
Pedro Fortuna

On Wed, 01 Sep 2004 09:44:20 +0200, Dirk Geschke <dirk_geschke@genua.de> wrote:
> Hi Pedro,
>
> > I don't know why, but barnyard is not inserting on ACID tables in
> > MySQL, and ACID does not show any alert.
> >
> > I'm pretty sure of:
> > - snort is logging alerts correctly to unified log files
> > - barnyard is able to read them and...
> > - ... it is connecting to mysql correctly and....
> > - it is inserting only into the tables event, iphdr, tcphdr, data
> >
> > Don't know why:
> > - barnyard is not inserting into the acid-specific tables (it must be
> > because of this that ACID does not show anything!)
>
> that is easy to explain: Only ACID fills the acid tables...
>
> The acid output plugin of barnyard is used to fill the database
> schema which is used by acid. The acid tables are extensions made
> by acid to the database and are mainly used for caching or building
> up alert groups within acid.
>
> So don't blame barnyard for this...
>
> Best regards
>
> Dirk
>
>
