BASE Not Displaying Anything

BASE-user
j_g
2007-06-06
2013-06-03
  • j_g
    2007-06-06

    Hello! I am a new user to BASE and am setting it up for first time use. I am using version 1.3.6; Snort version 2.6.1.5, Barnyard version 0.2.0, and Apache 1.3.37.

    I have Snort writing to log files and Barnyard reading the log files and posting to the 'snort' database set up in MySQL.  This appears to be working - I see the log file growing and the # of entries in the 'event' table of the 'snort' database continues to increase.

    I DO NOT have Snort writing any logs or alerts to the database at all - I commented out the following options in my snort.conf file:
    # output database: log, mysql, user=snort password=mypass dbname=snort host=localhost
    # output database: alert, mysql, user=snort password=mypass dbname=snort host=localhost

    The following tables are EMPTY in my database: acid_ag, acid_ag_alert, acid_event, acid_ip_cache, base_users, opt, sensor, and signature.

    In my 'base_conf.php' I have the following parameters configured:
    $alert_dbname  ='snort';
    $alert_host    ='localhost';
    $alert_port    ='';
    $alert_user    ='snort';
    $alert_password='mypass';

    One thing that I did notice is that when I logged into the BASE page, the Database ('Database: snort@localhost    (Schema Version: 107)') was set to snort_archive@localhost instead of snort@localhost....I simply went into the conf file (the archive_exists parameter was already set to 0!) and configured all the 'archive_' parameters to the same as above & then restarted Apache, Snort, and Barnyard.

    But, that didn't help - I still cannot get any results from the database.

    Queried on  : Wed June 06, 2007 09:51:39
    Database: snort@localhost    (Schema Version: 107)
    Time Window: no alerts detected

    Sensors/Total: 0 / 0
    Unique Alerts: 0
    Categories: 0
    Total Number of Alerts: 0

        * Src IP addrs: 0
        * Dest. IP addrs: 0
        * Unique IP links: 0
        * Source Ports: 0
              o TCP (0)  UDP (0)
        * Dest Ports: 0
              o TCP (0)  UDP (0)

    Traffic Profile by Protocol
    TCP (0%)
    UDP (0%)
    ICMP (0%)
    Portscan Traffic (0%)

    Any thoughts on what is missing here and how I can fix it??

    Thanks in advance for your time and help!  It is GREATLY appreciated.  Please let me know if I can provide any additional information.
    -jg

    • joesavage
      2007-06-06

      I had a similar problem logging to a remote MySQL DB. In your barnyard.conf and your database, you must define the sensor.

      In barnyard.conf on the "output log_acid_db..." line, there is a parameter called "sensor_id". Set it to a numeric value if it doesn't exist. Let's set it to '2'...

      Next, in the DB, look at the snort.sensor table. If you dump the contents, you should see something like this:
      +-----+----------------+-----------+--------+--------+----------+----------+
      | sid | hostname       | interface | filter | detail | encoding | last_cid |
      +-----+----------------+-----------+--------+--------+----------+----------+
      |   2 | localhost:eth1 | eth1      | NULL   |      1 |        0 |  1845320 |
      +-----+----------------+-----------+--------+--------+----------+----------+
      1 rows in set (0.00 sec)

      If there are no entries in snort.sensor, you must add it manually. The "sensor_id" from barnyard.conf must match snort.sensor.sid. I'm not sure what part of the installation process that adds this, but my DB server does not have Snort installed so I had to set it up manually. When I install additional sensors, I'll adjust my barnyard.conf and snort.sensor table as needed.

      Hope this helps,
      Joe

      • j_g
        2007-06-07

        Thanks for the reply! After much trial and error yesterday, I tracked this down to the sensor as well, so it's good to know I was on the right track!

        So, I tried a couple of different things (have not altered the table manually yet, but will do that if I absolutely need to...).  But I found a few interesting things in my 'experimenting' that I'm wondering might help narrow it down:

        In response to your suggestions:
        - In my barnyard.conf, the 'sensor_id' is set to '1', so that is OK.
        - With my current setup (Snort writing to log files and Barnyard reading log files and logging to DB) in the DB, the snort.sensor table is empty.

        I'm starting Snort with the following command line: "snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort -D" and Barnyard with: "barnyard -c /etc/snort/barnyard.conf -s /etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p /etc/snort/classification.config -d /var/log/snort -f snort-unified.log -X /var/run/snort/by.pid -w /var/log/snort/barnyard.waldo -D"

        Remember, that when I have them running together, the 'output database' parameters are commented out in the Snort conf file and the sensor information is not being logged to the DB.

        So, I shut both Snort and Barnyard down, uncommented the 'output database' parameters, having Snort log to the DB - and when I queried my sensor table, the following info was in there:

        mysql> select * from sensor;
        +-----+---------------+-----------+--------+--------+----------+----------+
        | sid | hostname      | interface | filter | detail | encoding | last_cid |
        +-----+---------------+-----------+--------+--------+----------+----------+
        |   1 | 208.28.89.253 | eth0      | NULL   |      1 |        0 |      158 |
        +-----+---------------+-----------+--------+--------+----------+----------+
        1 row in set (0.00 sec)

        And, when I log into BASE, I'm getting data!! However, I'm not using Barnyard like I want to be at this point. =(

        Added 178 alert(s) to the Alert cache
        Queried on : Thu June 07, 2007 03:23:01
        Database: snort@localhost    (Schema Version: 107)
        Time Window: [2007-06-06 11:33:57] - [2007-06-07 03:22:20]

        Sensors/Total: 1 / 1
        Unique Alerts: 4
        Categories: 3
        Total Number of Alerts: 178

            * Src IP addrs: 4
            * Dest. IP addrs: 3
            * Unique IP links: 4
            * Source Ports: 18
                  o TCP (1)  UDP (17)
            * Dest Ports: 2
                  o TCP (1)  UDP (1)

        Traffic Profile by Protocol
        TCP (17%)
        UDP (82%)
        ICMP (1%)
        Portscan Traffic (0%)

        So, any thoughts on why this info doesn't get posted to the DB when running Snort and Barnyard together or if I'm missing something that will enable this without having to manually alter my database and/or files??

        Thanks so much for your time and expertise!!
        -jg

        • joesavage
          2007-06-07

          Snort will write to the sensor table. Barnyard apparently does not. Now that the sensor record exists, try switching back to Barnyard and it should work OK.

          If you're going to log from more sensors, you can either set their sensor ID to 1 (you won't be able to differentiate your sensors in BASE), manually add the sensor record with the sid (preferred...don't forget to update the sensor_id in barnyard.conf on the new sensor), or do a funky dance with the original Snort by changing the sensor_id in snort.conf/log direct to DB/switch back to barnyard (yuk!).

          Manually adding the record is not terribly difficult from the command line in MySQL. If you've gotten this far with Snort/Barnyard/MySQL/BASE/+additional packages you can do it! At worst you'll add a record that doesn't work. You can always delete it. I'm a SQL noob and used "Teach Yourself SQL in 10 Minutes" as a reference but you should be able to find something on the WWW.

          Joe

          • j_g
            2007-06-07

            Thanks for the follow-up Joe!

            I ended up adding the record to the 'sensor' table, and now everything is playing nicely. =)  Thank you so much for the tidbit!

            OK, so I'm onto adding another sensor logging from a different server than the 'localhost' (but snort DB is located on localhost)...I'm opting for "manually add the sensor record with the sid" - so I insert the info into the sensor table like I did with the last one, just using new sensorID - let's say sid of '2', and then add new entries into the 'barnyard.conf' file for the new sid, so I'll have the following in my conf file?:

            output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password mypass, detail full
            output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password mypass, detail full
            output alert_acid_db: mysql, sensor_id 2, database snort, server localhost, user snort, password mypass, detail full
            output log_acid_db: mysql, sensor_id 2, database snort, server localhost, user snort, password mypass, detail full

            Also, I have a question regarding how I'm running Snort and Barnyard if you don't mind - because I'm not sure if it's doing quite what I want it to based on the log files that it's generating...

            I'm running Snort with: "snort -c /etc/snort/snort.conf -D -i eth0 -l /var/log/snort -A fast" which creates a 'snort-unified.log.##########' and 'alert' file & Barnyard with "barnyard -c /etc/snort/barnyard.conf -s /etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p /etc/snort/classification.config -d /var/log/snort -f snort-unified.log -X /var/run/snort/by.pid -w /var/log/snort/barnyard.waldo -D" that creates 'snort-ascii.log' and 'barnyard.waldo' in the /log directory.  I'm questioning this because I'm not sure why Barnyard is creating the 'snort-ascii.log' file...

            And, if I try to run Snort in the binary and fast mode with Barnyard (-b -A fast), which is recommended with Barnyard, Snort writes to 'snort.log.######', even though I have 'snort-unified.log' specified in my 'output log_unified' log file parameter, and Barnyard won't even start with Snort in this mode!  So, even though it's currently 'working', it's still not running quite like I'd like it to.

            Thanks SO much for your time and help!!
            -jg

            • joesavage
              2007-06-07

              It looks OK to me but you'll only want lines 3 & 4 in your new sensor's barnyard.conf.

              Sorry, I can't help you much on your question. I don't have a snort-ascii.log file and I've never tried running the "-b -A fast" options. If you run Snort with no options, it says that -b outputs in tcpdump format and I haven't looked into tcpdump. Maybe there's another option in BY to read the log files in that format. Maybe you can get a better answer on the snort.org forums.

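A small consistency check for the two points worked through in this thread (Barnyard 0.2.0 not creating the sensor row itself, and each sensor's barnyard.conf carrying only its own sensor_id), written as an added example that is not part of the original thread: it parses the barnyard.conf output lines and a 'select * from sensor' dump in the formats pasted above and prints the INSERT for any sid that has no sensor row. The hostname 'sensor2.example.net' is a placeholder for the second box.

```python
"""Added example (not from the thread): check that every sensor_id on
Barnyard's *_acid_db output lines has a matching row in the 'sensor'
table that BASE reads, and emit the INSERT for any that are missing."""
import re

# Constructed sample: the output lines a second sensor's barnyard.conf
# would carry (only its own sid, as the reply above notes).
BARNYARD_CONF = """
output alert_acid_db: mysql, sensor_id 2, database snort, server localhost, user snort, password mypass, detail full
output log_acid_db: mysql, sensor_id 2, database snort, server localhost, user snort, password mypass, detail full
"""

# Constructed sample: 'select * from sensor' as pasted earlier in the thread.
SENSOR_DUMP = """
+-----+---------------+-----------+--------+--------+----------+----------+
| sid | hostname      | interface | filter | detail | encoding | last_cid |
+-----+---------------+-----------+--------+--------+----------+----------+
|   1 | 208.28.89.253 | eth0      | NULL   |      1 |        0 |      158 |
+-----+---------------+-----------+--------+--------+----------+----------+
"""

OUTPUT_RE = re.compile(r"^output\s+(?:alert|log)_acid_db:.*\bsensor_id\s+(\d+)", re.M)

def barnyard_sensor_ids(conf_text):
    """sensor_id values Barnyard will stamp on its database records."""
    return {int(m.group(1)) for m in OUTPUT_RE.finditer(conf_text)}

def sensor_table_sids(dump_text):
    """Parse the sid column out of a mysql-style table dump."""
    sids = set()
    for line in dump_text.splitlines():
        if line.startswith("|"):
            first = line.strip("|").split("|")[0].strip()
            if first.isdigit():          # skips the header row
                sids.add(int(first))
    return sids

def missing_sensor_rows(conf_text, dump_text):
    """sids Barnyard logs under that have no sensor row yet (BASE shows nothing for them)."""
    return sorted(barnyard_sensor_ids(conf_text) - sensor_table_sids(dump_text))

def insert_statement(sid, hostname, interface):
    """INSERT for a missing row; columns as in the dump, detail=1/encoding=0
    match the existing row and last_cid starts at 0."""
    return ("INSERT INTO sensor (sid, hostname, interface, filter, detail, encoding, last_cid) "
            f"VALUES ({sid}, '{hostname}', '{interface}', NULL, 1, 0, 0);")

if __name__ == "__main__":
    for sid in missing_sensor_rows(BARNYARD_CONF, SENSOR_DUMP):
        print(insert_statement(sid, "sensor2.example.net:eth0", "eth0"))  # placeholder host
```

Run the printed statement in the mysql client as the 'snort' user, then restart Barnyard on the new sensor; the sid it logs under must equal the one inserted.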
              • j_g
                2007-06-07

                OK, THANKS for all of your help, I really appreciate it!! =)

                I've posted a few different things on snort's forum, but never get any replies, so I just thought I'd take a stab and ask on here if anyone's seen what I'm seeing or running with a similar setup and could help me out.

                But, no difference.  Thanks again for all of your time and help!

                Have a great weekend!
                -jg