alerts have NOT found their way into acid_eve

BASE-user
2010-03-05
2013-06-03
  • Mateo De Vaca
    2010-03-05

    I am receiving this error at random times.  It doesn't happen often, but I am not sure how to approach fixing this error message.

    Any assistance would be appreciated.

    /var/www/html/base/includes/base_cache.inc.php:776: ERROR:
    3 alerts have NOT found their way into acid_event with sid = 5

    /var/www/html/base/includes/base_cache.inc.php:521: ERROR: Alert "5 - 118867" could NOT be found in acid_event.

    /var/www/html/base/includes/base_cache.inc.php:521: ERROR: Alert "5 - 118868" could NOT be found in acid_event.

    /var/www/html/base/includes/base_cache.inc.php:521: ERROR: Alert "5 - 118871" could NOT be found in acid_event.

    /var/www/html/base/includes/base_cache.inc.php:521: ERROR: Alert "5 - 118872" could NOT be found in acid_event.

    /var/www/html/base/includes/base_cache.inc.php:521: ERROR: Alert "5 - 118873" could NOT be found in acid_event.

    /var/www/html/base/includes/base_cache.inc.php:521: ERROR: Alert "5 - 118876" could NOT be found in acid_event.

    /var/www/html/base/includes/base_cache.inc.php:521: ERROR: Alert "5 - 118877" could NOT be found in acid_event.

    /var/www/html/base/includes/base_cache.inc.php:521: ERROR: Alert "5 - 118879" could NOT be found in acid_event.

    Thank You
    M

  • Mateo De Vaca
    2010-03-05

    After some further research, I have been able to narrow down the cause of the errors listed above. It appears that BASE does not know how to handle these errors:

    2010-03-05 14:35:06 Auth.Alert xx.xx.xx.xx Mar  5 14:35:06 gun3sn1 snort: (spp_arpspoof) Unicast ARP request
    2010-03-05 14:36:13 Auth.Alert xx.xx.xx.xx Mar  5 14:36:13 gun3sn1 snort: (spp_arpspoof) Unicast ARP request

    Any Help is appreciated!

    Thanks in advance.

  • (…) spp_arpspoof (…)

    This is interesting. Would it be possible for you to provide me with a *.pcap file of this kind of alert, so that I could replay them in one way or the other? arpspoof, well… From the snort database this pcap can presumably not be gained, because it is a preprocessor alert. But maybe you have logged this by means of a different sniffer?

    When fixing the preprocessor alert issue for BASE version 1.4.2 I assumed that at least those alerts with the spp prefix were processed in the correct manner. But I was not fully sure. Therefore I added a check routine, which has indeed been triggered in your case…

    Bye, bye

    Juergen

  • Mateo De Vaca
    2010-03-06

    I can indeed get a sniff, the only problem is that it is random and I really don't want to let a sniffer run and get everything.

    As it is an arpspoof event, I presume it is an ARP of some sort. Do you need only ARP data?

    Thanks,
    Matthew

  • Mateo De Vaca
    2010-03-09

    I ran a sniff and found what is triggering the event.  On my network (192.168.12.x) you can see ARP requests as one would normally see.  Every now and then we see a computer called 10.12.1.123 sending out ARP requests for 10.12.1.1 (I presume its default gateway).  This is a mis-configured workstation.

    I don't think that a packet capture would give you what you are looking for as Snort would need to be configured with the same $HOME and other network configurations.

    It may be easier to setup a computer on the local snort network that would be on a different subnet…

    M

  • Daniel Melo
    2010-03-09

    Hi all,

    This is my first post in Base forum.

    I'm having the same problem, with Base 1.4.5.

    The alert not properly handled by Base is spp_arpspoof: Directed ARP Request.

    gen-msg.map shows that the generator id for this alert is 112 and the alert id is 1, but the signature table shows different information.

    +--------+------------------------------------+--------------+--------------+---------+---------+---------+
    | sig_id | sig_name                           | sig_class_id | sig_priority | sig_rev | sig_sid | sig_gid |
    +--------+------------------------------------+--------------+--------------+---------+---------+---------+
    |    417 | spp_arpspoof: Directed ARP Request |           51 |            3 |       0 |       1 |    NULL |
    +--------+------------------------------------+--------------+--------------+---------+---------+---------+

    Is this behaviour correct?

  • Hello Matthew,

    you are right, I don't need a capture. In the meantime I have managed to trigger some spp_arpspoof alerts. And I do not get any error messages. Everything works perfectly for me.

    And what is the main difference between my computer and yours?

    Maybe this: I am a happy FLoP user. I have been one for years, and I do not use barnyard or barnyard2.

    http://www.geschke-online.de/FLoP/

    How do you fill your database?

    Bye, bye

    Juergen

  • Mateo De Vaca
    2010-03-10

    I am a happy Barnyard2 user.  Snort logs to Unified2 format.  Barnyard takes the Unified2 format files and ports them to MySQL, where BASE is then configured to access the database and to present the logs.

  • Hello damelo,

    no, it is not correct. In my database, there is a value of 112 for sig_gid. However, I am not sure whether this really is the deeper reason for the error messages. At least in includes/base_cache.inc.php this column is not important.

    Could you please increase $debug_mode to 1 or 2 in base_conf.php?

    Maybe this reveals additional error messages?

    Bye, bye

    Juergen

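The two checks discussed in this thread, reproduced as an added example (not code from the thread, from BASE or from barnyard2) against a constructed in-memory SQLite copy of a simplified Snort/BASE schema: which events of a sensor are missing from acid_event, the condition behind the base_cache.inc.php errors above, and which preprocessor signatures are stored with sig_gid NULL, as in Daniel's signature table. The column names sid, cid and signature on event/acid_event are assumed from the Snort DB schema; the table layout is a simplified assumption, not the real BASE DDL.

```python
import sqlite3

# Constructed sample data modelled on the thread, not a dump of a real BASE
# database: sensor sid = 5, the cids quoted in the error messages, and an
# assumed, simplified subset of the Snort/BASE columns.
SAMPLE_EVENTS = [  # sid, cid, signature (FK to signature.sig_id)
    (5, 118866, 1), (5, 118867, 417), (5, 118868, 417), (5, 118871, 417),
]
SAMPLE_SIGNATURES = [  # sig_id, sig_name, sig_sid, sig_gid
    (1, "example text rule (constructed)", 1000001, 1),
    (417, "spp_arpspoof: Directed ARP Request", 1, None),
]
SAMPLE_ACID_EVENT = [(5, 118866, 1)]  # only the rule alert reached the cache


def build_db():
    """In-memory SQLite copy of the constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER);
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                                sig_sid INTEGER, sig_gid INTEGER);
        CREATE TABLE acid_event (sid INTEGER, cid INTEGER, signature INTEGER);""")
    conn.executemany("INSERT INTO event VALUES (?,?,?)", SAMPLE_EVENTS)
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?)", SAMPLE_SIGNATURES)
    conn.executemany("INSERT INTO acid_event VALUES (?,?,?)", SAMPLE_ACID_EVENT)
    return conn


def missing_from_acid_event(conn, sid):
    """Events of one sensor with no acid_event row (what base_cache reports as
    'Alert "sid - cid" could NOT be found'), as (cid, sig_name, sig_gid)."""
    return conn.execute("""
        SELECT e.cid, s.sig_name, s.sig_gid
          FROM event e
          LEFT JOIN acid_event a ON a.sid = e.sid AND a.cid = e.cid
          JOIN signature s ON s.sig_id = e.signature
         WHERE e.sid = ? AND a.cid IS NULL
         ORDER BY e.cid""", (sid,)).fetchall()


def preprocessor_sigs_without_gid(conn):
    """Preprocessor signatures (spp_ prefix) stored with sig_gid NULL, the
    mismatch against gen-msg.map's generator id noted in the thread."""
    return conn.execute("""
        SELECT sig_id, sig_name FROM signature
         WHERE (substr(sig_name, 1, 4) = 'spp_' OR substr(sig_name, 1, 5) = '(spp_')
           AND sig_gid IS NULL
         ORDER BY sig_id""").fetchall()
```

Running `missing_from_acid_event(build_db(), 5)` lists the three preprocessor cids, all with sig_gid None, which is the pattern to look for in a real database before deciding whether the feeder (barnyard2 or the snort mysql output plugin) or the cache is at fault.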
  • Matthew,

    do the errors appear when you have snort fill the database directly, via the mysql output plugin?
    Maybe you can change this for testing purposes and only for some time.

    Bye, bye

    Juergen

  • Mateo De Vaca
    2010-03-11

    I just did it and immediately the event was in BASE.
    (spp_arpspoof) Unicast ARP reques