problem with viewing Alert

BASE-user
dkim777
2010-05-06
2013-06-03
  • dkim777
    2010-05-06

    I'm using snort 2.8.5 with BASE 1.4.5.
    When I click on an individual alert I get the following errors in red.

    Alert DELETED

    /srv/www/htdocs/base145/base_qry_alert.php:535: db->DB->MetaColumnNames('data') is NOT an array. Ignoring.

    Any ideas?
    Thanks!

     
  • Brad Jorgensen
    2010-07-07

    I'm having the same issue.  BASE 1.4.5, snort 2.8.6

     
  • Brad Jorgensen
    2010-07-08

    I moved a copy of BASE and my snort database to a different server running PHP 5.2.5 and mysql 5.0.26, which had the same problem as my original server I was running them on with php 5.3.2 and mysql 5.1.36.  I feel confident saying that php and mysql are not part of the problem.  I saw some other posts about issues with BASE when a new version of snort is used, maybe there is an issue like that which has not been fixed yet.

     
  • Will Urbanski
    2010-07-09

    Hello. Can you tell me a little bit more about your snort installation? Are you using the Fast Logging Project for Snort (FLoP: http://freshmeat.net/projects/flop)? Also, please confirm you have a 'data' table in your Snort DB server, and confirm that the table has some rows in it.

     
  • Brad Jorgensen
    2010-07-09

    Snort is logging directly to syslog and mysql.  There is data in every table and it does get updated when an alert is triggered.

     
  • Brad Jorgensen
    2010-07-09

    The data table does have the payloads.

     
  • Will Urbanski
    2010-07-15

    So you are getting "Alert Deleted" when you click on the alert, not when you delete an alert, correct? And this is occurring for ALL packets you try to view in BASE, not just a specific packet?

    The error is occurring in the portion of the code that prints the packet data to the screen. It seems that for some reason the 'data_header' field cannot be found in the `data` table. What columns are in your `data` table? A standard BASE install should read sid,cid,data_payload.

    Best,

    Will

     
  • Brad Jorgensen
    2010-07-15

    It happens when I try to view any packet and I haven't deleted any.  My data table has sid, cid, and data_payload, all with appropriate entries.  There is no data_header column.  I added the plain text of the page below.

    Basic Analysis and Security Engine (BASE)
    Home  |   Search  
    [ Back ]
     Queried on : Thu July 15, 2010 08:21:22
    Meta Criteria   time >= [ 07 / 15 / 2010 ] [ any time]
      ...Clear...  
    IP Criteria        any   
    Layer 4 Criteria       none
    Payload Criteria       any   
    Alert #0
    [ First ]    
    Alert DELETED
        Meta    
        ID #    Time    Triggered Signature
        2 - 152         
        Sensor  Sensor Address  Interface   Filter
             none    none 
        Alert Group       none 
        /srv/www/htdocs/base_qry_alert.php:535: db->DB->MetaColumnNames('data') is NOT an array. Ignoring.
        bool(false)
        Payload
        Plain Display
        Download of Payload
        /srv/www/htdocs/base_qry_alert.php:108: db->DB->MetaColumnNames('data') is NOT an array. Ignoring.
        #0  PrintPcapDownload(baseCon Object ([DB] => ADODB_mysql Object ([databaseType] => mysql,[dataProvider] => mysql,[hasInsertID] => 1,[hasAffectedRows] => 1,[metaTablesSQL] => SHOW TABLES,[metaColumnsSQL] => SHOW COLUMNS FROM `%s`,[fmtTimeStamp] => 'Y-m-d H:i:s',[hasLimit] => 1,[hasMoveFirst] => 1,[hasGenID] => 1,[isoDates] => 1,[sysDate] => CURDATE(),[sysTimeStamp] => NOW(),[hasTransactions] => ,[forceNewConnect] => ,[poorAffectedRows] => 1,[clientFlags] => 0,[substr] => substring,[nameQuote] => `,[compat323] => ,[_genIDSQL] => update %s set id=LAST_INSERT_ID(id+1);,[_genSeqSQL] => create table %s (id int not null),[_genSeqCountSQL] => select count(*) from %s,[_genSeq2SQL] => insert into %s values (%s),[_dropSeqSQL] => drop table %s,[database] => snort,[host] => 127.0.0.1,[user] => snort,[password] => not stored,[debug] => ,[maxblobsize] => 262144,[concat_operator] => +,[length] => length,[random] => rand(),[upperCase] => upper,[fmtDate] => 'Y-m-d',[true] => 1,[false] => 0,[replaceQuote] => \',[charSet] => ,[metaDatabasesSQL] => ,[uniqueOrderBy] => ,[emptyDate] =>  ,[emptyTimeStamp] =>  ,[lastInsID] => ,[hasTop] => ,[readOnly] => ,[genID] => 0,[raiseErrorFn] => ,[cacheSecs] => 3600,[memCache] => ,[memCacheHost] => ,[memCachePort] => 11211,[memCacheCompress] => ,[sysUTimeStamp] => ,[arrayClass] => ADORecordSet_array,[noNullStrings] => ,[numCacheHits] => 0,[numCacheMisses] => 0,[pageExecuteCountRows] => 1,[uniqueSort] => ,[leftOuter] => ,[rightOuter] => ,[ansiOuter] => ,[autoRollback] => ,[fnExecute] => ,[fnCacheExecute] => ,[blobEncodeType] => ,[rsPrefix] => ADORecordSet_,[autoCommit] => 1,[transOff] => 0,[transCnt] => 0,[fetchMode] => ,[null2null] => null,[bulkBind] => ,[_oldRaiseFn] => ,[_transOK] => ,[_connectionID] => Resource id #40,[_errorMsg] => ,[_errorCode] => ,[_queryID] => ,[_isPersistentConnection] => 1,[_bindInputArray] => ,[_evalAll] => ,[_affected] => ,[_logsql] => ,[_transmode] => ,[databaseName] => snort),[DB_type] => mysql,[DB_name] => 
snort,[DB_host] => 127.0.0.1,[DB_port] => ,[DB_username] => snort,[lastSQL] => SELECT data_payload FROM data WHERE sid='2' AND cid='152',[version] => 107,[sql_trace] => ), 152, 2) called at [/srv/www/htdocs/base_qry_alert.php:905]
        bool(false)
        Download in pcap format
            
          none
    [ First ]    
    ACTION
    Alert Group Maintenance  |   Cache & Status  |  Administration
    BASE 1.4.5 (lilias) (by Kevin Johnson and the BASE Project Team
    Built on ACID by Roman Danyliw )
    [Loaded in 0 seconds]
    
     
  • Will Urbanski
    2010-07-16

    Thanks for providing that information, that is very helpful. Please try running the following SQL command and let me know what you get: SHOW COLUMNS FROM `data`

     
  • Brad Jorgensen
    2010-07-16

    Output from phpMyAdmin:
    Field         Type              Null  Key  Default  Extra
    sid           int(10) unsigned  NO    PRI  NULL
    cid           int(10) unsigned  NO    PRI  NULL
    data_payload  text              YES        NULL

     
  • Will Urbanski
    2010-07-17

    What does this SQL command return if you run it from phpMyAdmin:

    SELECT data_payload FROM data WHERE sid='2' AND cid='152'

     
  • Brad Jorgensen
    2010-07-19


     
  • Brad Jorgensen
    2010-07-27

    bump

     
  • Brad Jorgensen
    2010-08-02

    bump

     
  • Brad Jorgensen
    2010-08-10

    bump?

     
  • Brad Jorgensen
    2010-08-16

    I only have a few days left at work this summer; does anyone have any other ideas?

     
  • kogray
    2010-12-22

    I had the same problem with snort 2.9.0.2 / BASE 1.4.5 on SUSE 11.3.
    The solution was: Either change php.ini as follows

    mysql.allow_persistent = On

    or, change base_conf.php as follows.

    $db_connect_method = 2;

    Hope this will help.
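
The two settings named in the last post can be checked together before touching a live sensor console. The script below is an added example, not part of the thread or of BASE; it assumes that `$db_connect_method = 1` selects a persistent connection and `2` a normal one, and the sample config texts are constructed.

```python
import re

# Constructed sample configs (not taken from the servers in the thread).
PHP_INI = """\
[MySQL]
; Allow or prevent persistent links.
mysql.allow_persistent = Off
mysql.max_persistent = -1
"""

BASE_CONF = """\
<?php
// $db_connect_method = 2;   (commented out, must be ignored)
$DBtype = 'mysql';
$db_connect_method = 1;
?>
"""

TRUTHY = {"1", "on", "true", "yes"}

def php_ini_bool(text, key, default=True):
    """Return the last uncommented `key = value` in php.ini text as a bool."""
    value = None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # ';' starts a php.ini comment
        m = re.fullmatch(rf"{re.escape(key)}\s*=\s*\"?([^\"]*)\"?", line)
        if m:
            value = m.group(1).strip().lower()
    return default if value is None else value in TRUTHY

def base_connect_method(text):
    """Return the last uncommented $db_connect_method value in base_conf.php."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # strip block comments
    text = re.sub(r"(?m)(//|#).*$", "", text)           # strip line comments
    found = re.findall(r"\$db_connect_method\s*=\s*(\d+)\s*;", text)
    return int(found[-1]) if found else None

def diagnose(php_ini, base_conf):
    """Flag the combination that both fixes in the thread remove."""
    allowed = php_ini_bool(php_ini, "mysql.allow_persistent")
    method = base_connect_method(base_conf)
    if method is None:
        return "unknown: $db_connect_method not set in base_conf.php"
    if method == 1 and not allowed:       # assumption: 1 = persistent connect
        return "mismatch: BASE requests a persistent connection, php.ini disallows it"
    return "ok: connection method and php.ini agree"

if __name__ == "__main__":
    print(diagnose(PHP_INI, BASE_CONF))
```
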