The acid_event table and Base UI are empty.

BASE-user
John Hoyt
2009-05-20
2013-06-03
  • John Hoyt
    2009-05-20

    Hello all,

    I'm working with snort.2.8.4.1, barnyard2, and Base-1.4.2.  Snort and Barnyard are working correctly in that events are being logged to the events table in my snort db.  I'm not getting any events listed on the BASE UI, and the acid_event table is empty. 

    I've tried dropping the snort db, and recreating it with both schemas.  The sensor is showing up correctly in the db and the UI. 

    When I check the httpd/error_log I get this message:
    PHP Notice:  Undefined variable: debug_mode in /var/www/html/base/includes/base_cache.inc.php on line 475, referer: http://130.127.241.144/base/base_db_setup.php

    Which is the function:
    // Now commit all those SQL commands
      for ( $i = 0; $i < $update_cnt; $i++ )
      {
        if ($debug_mode > 0)
        {
          $mystr = '<BR>' . __FILE__ . ':' . __LINE__ . ": <BR>\n$update_sql[$i] <BR><BR>\n\n";
          echo $mystr;
        }

        $db->baseExecute($update_sql[$i]);

        if ( $db->baseErrorMessage() != "" )
           ErrorMessage(_ERRCACHEERROR." ["._SENSOR." #$sid]["._EVENTTYPE." $i]".
                          " "._ERRCACHEUPDATE);

      }

    With the error on line:

    if ($debug_mode > 0)

    Any help or direction on this is greatly appreciated.

    Thanks

     
    • Hello John,

      many thanks for your precise report.  I have fixed this issue in CVS.  You now have two options:

      1. You change this in includes/base_cache.inc.php and add "GLOBAL $debug_mode;":

      function CacheSensor($sid, $cid, $db)
      /*
        Caches all alerts for sensor $sid newer than the event $cid
       */
      {
        GLOBAL $debug_mode;


        $schema_specific = array(2);

        $schema_specific[0] = "";
        $schema_specific[1] = "";
        $schema_specific[2] = "";

      2. Or you download the CVS version of BASE, as described at

      https://sourceforge.net/cvs/?group_id=103348

      BASE will then be found under base-php4.

      However, I have some doubts whether this really resolves your actual problem.  Usually one can ignore those "Notice" messages in PHP.  So I would prefer that you give the CVS version of BASE a try, as it contains a tiny modification against BASE-1.4.2 - beyond this debug_mode issue.

      I would have thought I had fixed the discrepancy problem between the event table and the acid_event table. At least, clear error messages should show up whenever an entry of the event table does not find its way into the acid_event table.

      Are there any hints in the database logs?

      Please note: BASE does not move "old" events from the event table into the acid_event table.
      Only the new ones.

      Bye, bye

      Juergen
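
One way to measure the event/acid_event discrepancy discussed in this thread, as an added example that is not part of the original posts or of BASE itself. It assumes a cut-down schema with only the (sid, cid) key columns, uses an in-memory SQLite database with constructed rows as a stand-in for the real Snort database, and treats "newer" as a cid above the highest cached cid for that sensor.

```python
import sqlite3

# Constructed sample data: a cut-down stand-in for the Snort/BASE schema.
# Only the (sid, cid) key columns of `event` and `acid_event` are modelled.
SAMPLE_EVENTS = [(1, 1), (1, 2), (1, 3), (1, 4), (2, 1), (2, 2)]
SAMPLE_CACHED = [(1, 1), (1, 3)]  # sensor 2 has nothing cached at all


def build_sample_db():
    """Create an in-memory database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE event (sid INTEGER, cid INTEGER, PRIMARY KEY (sid, cid));"
        "CREATE TABLE acid_event (sid INTEGER, cid INTEGER, PRIMARY KEY (sid, cid));"
    )
    db.executemany("INSERT INTO event VALUES (?, ?)", SAMPLE_EVENTS)
    db.executemany("INSERT INTO acid_event VALUES (?, ?)", SAMPLE_CACHED)
    return db


def cache_gap_report(db):
    """Per sensor: events logged, events cached, and the uncached ones split
    into 'pending' (newer than the last cached cid) and 'skipped' (older)."""
    rows = db.execute(
        """
        SELECT e.sid,
               COUNT(*)                                   AS logged,
               COUNT(a.cid)                               AS cached,
               SUM(a.cid IS NULL AND e.cid >  m.last_cid) AS pending,
               SUM(a.cid IS NULL AND e.cid <= m.last_cid) AS skipped
        FROM event e
        LEFT JOIN acid_event a ON a.sid = e.sid AND a.cid = e.cid
        JOIN (SELECT s.sid, COALESCE(MAX(c.cid), 0) AS last_cid
              FROM (SELECT DISTINCT sid FROM event) s
              LEFT JOIN acid_event c ON c.sid = s.sid
              GROUP BY s.sid) m ON m.sid = e.sid
        GROUP BY e.sid ORDER BY e.sid
        """
    ).fetchall()
    keys = ("sid", "logged", "cached", "pending", "skipped")
    return [dict(zip(keys, r)) for r in rows]


if __name__ == "__main__":
    for line in cache_gap_report(build_sample_db()):
        print(line)
```

A sensor whose events are all "pending", like sensor 2 in the sample, matches the empty acid_event situation reported in the first post; "skipped" rows are older events that fall under the note that only new events are cached.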