I have a fresh install of Snort 126.96.36.199 with Mysql, Barnyard, Base 1.4.1, and Ntop running on CentOS5.2. I have ssnort up and running with 2 NICs Eth3-monitoring and Eth1-sniffing and have followed the testing procedure posted by Juergen Leising on 2008-6-26, which is listed below:
1. Can snort detect anything ? I ran snort -vde -i eth1 -n 50
packets received on screen.
2. Is snort.conf syntactically correct? I ran snort -T -cc /etc/snort
Snort successfully loaded all rules and rule chains.
3. Can snort qualify some of the observed data as alerts?
I ran snort in ids mode snort -vde -i eth1 -L snort.pcap -c /etc/snort.conf -n 100
Data received on screen
4. Does snort trigger any alerts at all?
looked in /var/log/messages
Alerts are posting and barnyard is processing them
5. Is the database syntactically ok? I ran mysqlcheck --check snort -u snort -p
All checked ok
6. Do any packets show up in mysql database?
mysql> select * from event where timeswtamp like '%2009-03-26%';
The responce was 1663 rows in 1 set (Data is present)
The Base webpage is up and wants to be active but it appears to not be reading the data on sensor my Sensor/Total is 0/0
all data is 0. I would like to get this up and running any
assistance would be appreciated.
Did you run the mysql script that came with BASE so that the database tables were created for BASE?
What do you get when you type "select * from acid_event limit 5;"
I'm having the same problem.
| Tables_in_snort |
| acid_ag |
| acid_ag_alert |
| acid_event |
| acid_ip_cache |
| base_roles |
| base_users |
| data |
| detail |
| encoding |
| event |
| icmphdr |
| iphdr |
| opt |
| reference |
| reference_system |
| schema |
| sensor |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
22 rows in set (0.00 sec)
Current database: snort
mysql> select count(*) from event;
| count(*) |
| 75 |
1 row in set (0.00 sec)
yet Base shows nothing at all.