No Data in Base 1.4.1

BASE-user
2009-03-27
2013-06-03
  • James Byrnes
    James Byrnes
    2009-03-27

    Hello;
    I accidentally posted this under General discussion instead of here.

    I have a fresh install of Snort 2.8.3.2 with Mysql, Barnyard, Base 1.4.1, and Ntop running on CentOS5.2. I have snort up and running with 2 NICs Eth3-monitoring and Eth1-sniffing and have followed the testing procedure posted by Juergen Leising on 2008-6-26, which is listed below(modified):

    1. Can snort detect anything ? I ran snort -vde -i eth1 -n 50
    packets received on screen.

    2. Is snort.conf syntactically correct? I ran snort -T -cc /etc/snort

    Snort successfully loaded all rules and rule chains.

    3. Can snort qualify some of the observed data as alerts?
    I ran snort in ids mode: snort -vde -i eth1 -L snort.pcap -c /etc/snort.conf -n 100

    Data received on screen

    4. Does snort trigger any alerts at all?
    looked in /var/log/messages 
    Alerts are posting and barnyard is processing them

    5. Is the database syntactically ok? I ran mysqlcheck --check snort -u snort -p 
    All checked ok

    6. Do any packets show up in mysql database?
    mysql> select * from event where timeswtamp like '%2009-03-26%';

    The responce was 1663 rows in 1 set (Data is present)

    The Base webpage is up and wants to be active but it appears to not be reading the data on sensor my Sensor/Total is 0/0 
    all data on main homepage is 0. I would like to get this up and running any assistance would be appreciated.

     
    • James Byrnes
      James Byrnes
      2009-03-29

      Issue was resolved all programs are go

       
    • Steve Tornio
      Steve Tornio
      2009-04-08

      I'm having a very similar problem with a sensor I just set up.  What was the issue for you?

       
    • Hi Steve,

      I have the same problem, posted at http://www.snort.org/reg-bin/forums.cgi?forum_id=10&topic_id=7258

      Surely, if you type "select * from snort.sensor;" at mysql console, you obtain:

      Empty set (0.00 sec)

      while "select * from snort.event;" reports a number of alerts;

      I'm not an expert but i think here is the problem. I've thought to insert manually the row in sensor table but i don't know what's the syntax and the correct values. Also i'm sure there must be a problem here because inserting that row manually doesn't appear in snort docs.

      If anybody solve this problem please post the solution....

      Thanks in advance

       
    • James Byrnes
      James Byrnes
      2009-04-14

      I could not figure it out. I ended up rebuilding my box again but focused on using i386 verdion software insetead of i686 and that brought up the missing sensor. Dont figure?

      But it is up and tunning.

      I hope this helps

       
    • Stephen Reese
      Stephen Reese
      2009-04-14

      Check out the Snort mailing list. There is a bug in Snort 2.8.4

      http://marc.info/?l=snort-users&m=123963609008372&w=2

       
      • Thanks Stephen, that calmed my minds....

         
      • Steve Tornio
        Steve Tornio
        2009-04-14

        Thanks.  This was the 5th box I'd set up, and all were identical, except that I started with 2.8.4 on the new one.  I'll monitor the mailing list for an official patch.