#9 BASE with OSSEC

2.0x
open
nobody
None
5
2009-10-01
2009-10-01
Keith Pachulski
No

I'm hoping someone here can help me with an issue I'm having with BASE and OSSEC. I have alerts from OSSEC going into BASE, but I'm unable to archive OSSEC alerts with the original code.

After some tinkering and asking questions on the OSSEC forums, one suggestion was to change a line in base_action.inc.php as follows:

original

// The stored payload is spliced into the SQL text verbatim; a single quote
// inside the OSSEC alert text (e.g. the quoted rule description) ends the
// string literal early and the INSERT fails.
$sql = "INSERT INTO data (sid,cid, data_payload) VALUES ";
$sql.= "($sid, $cid, '".$tmp_row[0]."')";

modified

// mysql_real_escape_string() backslash-escapes quotes and other special
// characters for the open MySQL connection, so the literal stays intact.
$sql = "INSERT INTO data (sid,cid, data_payload) VALUES ";
$sql.= "($sid, $cid, '".mysql_real_escape_string($tmp_row[0])."')";

After making this change I was able to archive the OSSEC alerts via BASE; however, since doing so I am now unable to view any alerts in the archive database. The test alert I tried archiving was copied from the snort database to the snort_archive database, which I verified manually:

mysql> use snort;

Database changed
mysql> select * from data where cid=118815;
+-----+--------+------------------------------------------------------------------+
| sid | cid    | data_payload                                                     |
+-----+--------+------------------------------------------------------------------+
|  40 | 118815 | ** Alert 1254423242.4059666: - apache,unknown_resource,
2009 Oct 01 14:54:02 somewebsite-webserver -> /var/log/httpd/error_log
Rule: 30112 (level 5) -> 'Attempt to access an non-existent file.'
Src IP: (174.129.87.154)
User: (none)
[Thu Oct 01 14:53:51 2009] [error] [client 174.129.87.154] File does not exist: /home/h/http073/somewebsite/iphone |
+-----+--------+------------------------------------------------------------------+
1 row in set (0.09 sec)

Using BASE, I then copied the alert from the snort database to the snort_archive database:

mysql> use snort_archive;

Database changed
mysql> select * from data where cid=118815;
+-----+--------+------------------------------------------------------------------+
| sid | cid    | data_payload                                                     |
+-----+--------+------------------------------------------------------------------+
|  40 | 118815 | ** Alert 1254423242.4059666: - apache,unknown_resource,
2009 Oct 01 14:54:02 somewebsite-webserver -> /var/log/httpd/error_log
Rule: 30112 (level 5) -> 'Attempt to access an non-existent file.'
Src IP: (174.129.87.154)
User: (none)
[Thu Oct 01 14:53:51 2009] [error] [client 174.129.87.154] File does not exist: /home/h/http073/somewebsite/iphone |
+-----+--------+------------------------------------------------------------------+
1 row in set (0.00 sec)
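
The quoting failure behind the suggested base_action.inc.php change, reproduced as an added example (this is not code from the ticket or from BASE). It uses an in-memory sqlite database as a stand-in for the MySQL snort_archive schema, with the OSSEC alert text from the ticket embedded as a constructed sample. The unescaped INSERT mirrors the original line and breaks on the single quote in the rule description; the hardened version uses bound parameters, which is what a per-driver escape function like mysql_real_escape_string approximates (note that sqlite quotes by doubling the apostrophe while MySQL backslash-escapes, so hand-rolled escaping is not portable). A small looks_hex_encoded check is included as a diagnostic for the follow-up question of what kind of data is sitting in data_payload: Snort payloads written by Barnyard are hex strings, whereas this OSSEC record is plain text.

```python
import sqlite3

# Constructed sample: the OSSEC alert as it appears in data_payload on the ticket.
# The quoted rule description is what terminates a naively quoted SQL literal.
OSSEC_PAYLOAD = (
    "** Alert 1254423242.4059666: - apache,unknown_resource,\n"
    "2009 Oct 01 14:54:02 somewebsite-webserver -> /var/log/httpd/error_log\n"
    "Rule: 30112 (level 5) -> 'Attempt to access an non-existent file.'\n"
    "Src IP: (174.129.87.154)\n"
    "User: (none)\n"
    "[Thu Oct 01 14:53:51 2009] [error] [client 174.129.87.154] "
    "File does not exist: /home/h/http073/somewebsite/iphone"
)


def open_archive():
    """In-memory stand-in for the snort_archive 'data' table (sqlite, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT, "
        "PRIMARY KEY (sid, cid))"
    )
    return db


def archive_unescaped(db, sid, cid, payload):
    """Mirror of the original base_action.inc.php line: payload concatenated into SQL.

    Any quote inside the payload ends the literal early. Raises
    sqlite3.OperationalError for the ticket's OSSEC alert.
    """
    sql = "INSERT INTO data (sid, cid, data_payload) VALUES "
    sql += "(%d, %d, '%s')" % (sid, cid, payload)
    db.execute(sql)


def archive_parameterized(db, sid, cid, payload):
    """Hardened form: bound parameters, so the driver quotes for its own dialect."""
    db.execute(
        "INSERT INTO data (sid, cid, data_payload) VALUES (?, ?, ?)",
        (sid, cid, payload),
    )


def fetch_payload(db, sid, cid):
    """Read the archived payload back, to confirm it survived byte for byte."""
    row = db.execute(
        "SELECT data_payload FROM data WHERE sid=? AND cid=?", (sid, cid)
    ).fetchone()
    return row[0] if row else None


def looks_hex_encoded(payload):
    """True if payload is a non-empty, even-length string of hex digits.

    Barnyard stores Snort packet payloads in data_payload in this form; an
    OSSEC alert stored as raw text will return False.
    """
    hexdigits = set("0123456789abcdefABCDEF")
    return len(payload) > 0 and len(payload) % 2 == 0 and all(c in hexdigits for c in payload)


def demo():
    """Run both INSERT styles against the sample and report what happened."""
    db = open_archive()
    results = {}
    try:
        archive_unescaped(db, 40, 118815, OSSEC_PAYLOAD)
        results["unescaped_insert"] = "ok"
    except sqlite3.OperationalError as exc:
        results["unescaped_insert"] = "failed: %s" % exc
    archive_parameterized(db, 40, 118815, OSSEC_PAYLOAD)
    results["round_trip_ok"] = fetch_payload(db, 40, 118815) == OSSEC_PAYLOAD
    results["payload_is_hex"] = looks_hex_encoded(OSSEC_PAYLOAD)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

Worth keeping in mind when choosing between the escape-function patch and bound parameters: the last line of the OSSEC payload is an Apache error_log entry that embeds the client-supplied request path, so whatever the remote client puts in a URL ends up inside the text that the original line splices into SQL. Escaping with the driver's own function fixes the quoting, but parameter binding is the form that cannot regress when someone later edits the string concatenation.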

Discussion

  • Kevin Johnson
    2009-10-01

    I can try to help you, but I would need more information. Is there a log message when you try to view archived alerts? What type of data is being stored?

    I moved this from a bug report to a support request because it really isn't a bug in BASE.

    Feel free to email me directly if you would like.


  • Kevin Johnson
    2009-10-01

    • labels: 615361 -->
    • milestone: 467931 --> 2.0x