[Snort-users] Snort and ACID - how to determine if logging is happening correctly (Snort forums, System Security and Security Related category)
Hello,
I'm trying to get Snort, Barnyard, MySQL, and ACID all working together. I'm having a problem that I suspect is a problem with ACID, not Snort, but I'm wondering how to tell if barnyard is correctly logging information to the mysql database? The problem I have with ACID is that when I view acid_main.php it *always* tells me there are 0 alerts in the database. I've tried the following:

mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|     2963 |
+----------+

mysql> select * from iphdr order by rand() limit 3;
+-----+------+-----------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------+
| sid | cid  | ip_src    | ip_dst     | ip_ver | ip_hlen | ip_tos | ip_len | ip_id | ip_flags | ip_off | ip_ttl | ip_proto | ip_csum |
+-----+------+-----------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------+
|   1 | 2368 | 167838071 | 4294967295 |   NULL |    NULL |   NULL |   NULL |  NULL |     NULL |   NULL |   NULL |       17 |    NULL |
|   1 | 2060 | 167838071 | 4294967295 |   NULL |    NULL |   NULL |   NULL |  NULL |     NULL |   NULL |   NULL |       17 |    NULL |
|   1 | 1320 | 167838071 | 4294967295 |   NULL |    NULL |   NULL |   NULL |  NULL |     NULL |   NULL |   NULL |       17 |    NULL |
+-----+------+-----------+------------+--------+---------+--------+--------+-------+----------+--------+--------+----------+---------+
3 rows in set (0.06 sec)

mysql> select * from data order by rand() limit 3;
Empty set (0.00 sec)

mysql> select * from event order by rand() limit 3;
+-----+------+-----------+---------------------+
| sid | cid  | signature | timestamp           |
+-----+------+-----------+---------------------+
|   1 | 1273 |         1 | 2004-06-03 15:28:55 |
|   1 |  494 |         1 | 2004-06-03 16:24:51 |
|   1 |  423 |         1 | 2004-06-03 15:34:55 |
+-----+------+-----------+---------------------+
3 rows in set (0.04 sec)

mysql> select * from detail order by rand() limit 3;
+-------------+-------------+
| detail_type | detail_text |
+-------------+-------------+
|           1 | full        |
|           0 | fast        |
+-------------+-------------+
2 rows in set (0.31 sec)

mysql> select * from icmphdr order by rand() limit 3;
+-----+------+-----------+-----------+-----------+---------+----------+
| sid | cid  | icmp_type | icmp_code | icmp_csum | icmp_id | icmp_seq |
+-----+------+-----------+-----------+-----------+---------+----------+
|   1 |  976 |         3 |         3 |      NULL |    NULL |     NULL |
|   1 | 1835 |         3 |         3 |      NULL |    NULL |     NULL |
|   1 | 2948 |         3 |         3 |      NULL |    NULL |     NULL |
+-----+------+-----------+-----------+-----------+---------+----------+
3 rows in set (0.02 sec)

mysql> select * from udphdr order by rand() limit 3;
+-----+------+-----------+-----------+---------+----------+
| sid | cid  | udp_sport | udp_dport | udp_len | udp_csum |
+-----+------+-----------+-----------+---------+----------+
|   1 | 2311 |       162 |       162 |    NULL |     NULL |
|   1 |    9 |       162 |       162 |    NULL |     NULL |
|   1 | 2121 |       162 |       162 |    NULL |     NULL |
+-----+------+-----------+-----------+---------+----------+
3 rows in set (0.03 sec)

mysql> \q

-------------------------------------------------------

It looks like at least *some* information is getting sent to the database, but I see an awful lot of NULLs, which makes me think some of the info is not getting correctly logged to the alert database.

Can anyone help me on this?

Jeff Schmidt

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
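The question above is really "how do I tell whether the rows Barnyard writes are complete?" The following is an added example, not code from the post or from the Snort, Barnyard or ACID projects. It builds an in-memory SQLite copy of the Snort schema tables the post queries (sensor, signature, event, iphdr, udphdr, tcphdr, icmphdr, data; only the columns the checks use), loads constructed rows modelled on the output shown (UDP port 162 to 255.255.255.255 with the other header columns NULL, ICMP type 3 code 3, an empty data table) plus a few deliberately broken rows, and runs consistency queries that flag events with no header row, header rows with NULL fields, transport rows that do not match ip_proto, dangling signature ids and a stale sensor counter. The SELECTs are portable SQL and can be pasted into a mysql client against a real snort database; the sample data and the table name `sensor1` are constructed. For reference, the Snort manual documents that the database output plugin's `detail fast` setting logs only timestamp, signature, addresses, ports, TCP flags and protocol, which is the shape of the rows above; whether that setting is what produced them is an assumption the post does not confirm.

```python
"""Consistency checks for a Snort/Barnyard alert database (added example).

The SQLite schema below is a column subset of Snort's create_mysql schema;
the sample rows are constructed, not real alerts.
"""
import sqlite3

SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, last_cid INTEGER);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    ip_ver INTEGER, ip_hlen INTEGER, ip_ttl INTEGER, ip_proto INTEGER);
CREATE TABLE udphdr (sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER);
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER);
CREATE TABLE icmphdr (sid INTEGER, cid INTEGER, icmp_type INTEGER, icmp_code INTEGER);
CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT);
"""

# Constructed rows. cid 1-2 mirror the post (UDP/162 to 255.255.255.255, header
# fields NULL, no payload); cid 4 has no iphdr row, cid 5 is TCP without a
# tcphdr row, cid 6 references a signature id that was never inserted, and
# sensor.last_cid (5) lags the highest cid written (6).
SAMPLE = """
INSERT INTO sensor VALUES (1, 'sensor1', 5);
INSERT INTO signature VALUES (1, 'udp sample rule'), (2, 'icmp sample rule');
INSERT INTO event VALUES (1, 1, 1, '2004-06-03 15:28:55'), (1, 2, 1, '2004-06-03 15:34:55'),
  (1, 3, 2, '2004-06-03 16:24:51'), (1, 4, 1, '2004-06-03 16:30:00'),
  (1, 5, 1, '2004-06-03 16:31:00'), (1, 6, 9, '2004-06-03 16:32:00');
INSERT INTO iphdr VALUES (1, 1, 167838071, 4294967295, NULL, NULL, NULL, 17),
  (1, 2, 167838071, 4294967295, NULL, NULL, NULL, 17),
  (1, 3, 167838071, 167838072, 4, 5, 64, 1),
  (1, 5, 167838071, 167838072, 4, 5, 64, 6),
  (1, 6, 167838071, 167838072, 4, 5, 64, 17);
INSERT INTO udphdr VALUES (1, 1, 162, 162), (1, 2, 162, 162), (1, 6, 162, 162);
INSERT INTO icmphdr VALUES (1, 3, 3, 3);
INSERT INTO data VALUES (1, 3, '00 01 02 03');
"""

# Every check yields one number. Anything non-zero in the *_without_* and
# *_missing_* checks means rows are being written only partially.
CHECKS = {
    "events": "SELECT COUNT(*) FROM event",
    "sensors_with_stale_last_cid": """
        SELECT COUNT(*) FROM sensor s
        WHERE s.last_cid < (SELECT MAX(e.cid) FROM event e WHERE e.sid = s.sid)""",
    "events_without_iphdr": """
        SELECT COUNT(*) FROM event e LEFT JOIN iphdr i ON e.sid = i.sid AND e.cid = i.cid
        WHERE i.cid IS NULL""",
    "iphdr_rows_missing_fields": """
        SELECT COUNT(*) FROM iphdr WHERE ip_ver IS NULL OR ip_hlen IS NULL OR ip_ttl IS NULL""",
    "udp_events_without_udphdr": """
        SELECT COUNT(*) FROM iphdr i LEFT JOIN udphdr u ON i.sid = u.sid AND i.cid = u.cid
        WHERE i.ip_proto = 17 AND u.cid IS NULL""",
    "tcp_events_without_tcphdr": """
        SELECT COUNT(*) FROM iphdr i LEFT JOIN tcphdr t ON i.sid = t.sid AND i.cid = t.cid
        WHERE i.ip_proto = 6 AND t.cid IS NULL""",
    "icmp_events_without_icmphdr": """
        SELECT COUNT(*) FROM iphdr i LEFT JOIN icmphdr c ON i.sid = c.sid AND i.cid = c.cid
        WHERE i.ip_proto = 1 AND c.cid IS NULL""",
    "events_with_unknown_signature": """
        SELECT COUNT(*) FROM event e LEFT JOIN signature s ON e.signature = s.sig_id
        WHERE s.sig_id IS NULL""",
    "events_with_payload": "SELECT COUNT(*) FROM data",
}


def int_to_ip(n):
    """Snort stores IPv4 addresses as unsigned 32-bit integers (MySQL: INET_NTOA)."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def load_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def run_checks(conn):
    return {name: conn.execute(sql).fetchone()[0] for name, sql in CHECKS.items()}


def top_flows(conn, limit=5):
    """Most frequent (src, dst, proto) triples with addresses decoded."""
    rows = conn.execute(
        "SELECT ip_src, ip_dst, ip_proto, COUNT(*) AS n FROM iphdr "
        "GROUP BY ip_src, ip_dst, ip_proto ORDER BY n DESC LIMIT ?", (limit,)).fetchall()
    return [(int_to_ip(s), int_to_ip(d), p, n) for s, d, p, n in rows]


if __name__ == "__main__":
    db = load_sample()
    for name, value in run_checks(db).items():
        print(f"{name:32s} {value}")
    for src, dst, proto, n in top_flows(db):
        print(f"{src:>15s} -> {dst:<15s} proto {proto:2d}  {n} events")
```

On the constructed data the checks report one event with no iphdr row, two iphdr rows with NULL header fields, one TCP event without a tcphdr row, one event with an unknown signature id and a sensor counter that lags behind; the same queries run against a live database give a direct answer to "is Barnyard writing complete rows?" rather than relying on what the console displays. Decoding the addresses also makes the sample rows readable: 4294967295 is 255.255.255.255.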