base not showing all alerts

BASE-user
briskoli
2008-11-05
2013-06-03
  • briskoli

    briskoli - 2008-11-05

    I have two Snort sensors set up on Debian feeding MySQL via Barnyard.  Alerts from both sensors show up in the alert log, but BASE only shows alerts from whichever snort/barnyard sensor config was started most recently.  Both sensors show up correctly in the sensors table.

    If I start the sensor on eth1, those alerts show up correctly in BASE.  Then if I start the sensor on eth2, those alerts show up, but the new ones for eth1 no longer show up unless I restart it.

    All alerts are in MySQL and in the alert log.

    Any help appreciated.

    briskoli

    • briskoli

      briskoli - 2008-11-06

      As an update: both sensors show up in BASE, but when it writes the alerts for whichever sensor I most recently restarted, they show up under Sensors as alerts for both sensors.

      For example, here are the listings from the Sensors section.  It is showing the same alerts for both sensors even though they only came in on eth1.  None of the alerts in the database or alert log for eth2 are showing up in BASE.

      3     xxxx:eth1:not port 22     10     6     2     3     2008-11-06 10:09:26     2008-11-06 10:13:55
      5     xxxx:eth2:not port 22     10     6     2     3     2008-11-06 10:09:26     2008-11-06 10:13:55

    • briskoli

      briskoli - 2008-11-06

      Sorry, finally figured out the issue.  Barnyard is only writing whichever sensor was last started to the database; that is why BASE is not seeing it.  I need to fix my Barnyard: I have both sensors writing to the same alert and log files and was using the same bylog.waldo file, but maybe I can't do that.

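      The post above describes the shared-spool problem but does not show the configuration. The fragment below is an added example, not config posted in this thread or shipped by the Barnyard or BASE projects. Barnyard keeps its read position in the unified spool in the waldo file, so two Barnyard instances pointed at the same spool directory and the same bylog.waldo keep overwriting each other's bookmark, and only the most recently started one reliably reaches the database. Paths under /var/log/snort, the config file names barnyard-eth1.conf and barnyard-eth2.conf, the database credentials and the hostname xxxx are assumptions (the hostname and the "not port 22" filter are taken from the sensor listing earlier in the thread). Barnyard uses hostname:interface:filter as the sensor identity, which is the name BASE displays in its Sensors page.

```conf
# --- Shared layout (reproduces the symptom described above) -----------------
# Both Snort instances write unified records into the same files in
# /var/log/snort, and both Barnyard instances bookmark their position in the
# same bylog.waldo.  Each Barnyard overwrites the other's bookmark, so only
# the last one started gets its events into MySQL.  (Assumed paths.)
#
# snort.conf, used by both instances:
#   output alert_unified: filename snort.alert, limit 128
#   output log_unified:   filename snort.log,   limit 128
#
# snort -c /etc/snort/snort.conf -i eth1 -l /var/log/snort not port 22
# snort -c /etc/snort/snort.conf -i eth2 -l /var/log/snort not port 22
# barnyard -c barnyard-eth1.conf -d /var/log/snort -f snort.log -w /var/log/snort/bylog.waldo -D
# barnyard -c barnyard-eth2.conf -d /var/log/snort -f snort.log -w /var/log/snort/bylog.waldo -D

# --- Corrected layout: one spool directory and one waldo file per sensor ----
# snort -c /etc/snort/snort.conf -i eth1 -l /var/log/snort/eth1 not port 22
# snort -c /etc/snort/snort.conf -i eth2 -l /var/log/snort/eth2 not port 22
# barnyard -c barnyard-eth1.conf -d /var/log/snort/eth1 -f snort.log -w /var/log/snort/eth1/bylog.waldo -D
# barnyard -c barnyard-eth2.conf -d /var/log/snort/eth2 -f snort.log -w /var/log/snort/eth2/bylog.waldo -D

# barnyard-eth1.conf (barnyard-eth2.conf is identical except "interface: eth2").
# hostname, interface and filter together form the sensor name BASE shows,
# e.g. "xxxx:eth1:not port 22".  Hostname and credentials are placeholders.
config hostname:  xxxx
config interface: eth1
config filter:    not port 22
output log_acid_db: mysql, database snort, server localhost, user snort, password CHANGEME, detail full
```

      After the split, each Barnyard only ever sees its own sensor's unified records, so the per-sensor rows in BASE's Sensors page should stop mirroring each other. Check by counting events per sid in the database after a restart of either sensor: only the sid for the restarted interface should change.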
      • Juergen Leising

        Juergen Leising - 2008-12-18

        Hello briskoli,

        as an alternative to barnyard you could give FLoP a try:

        http://www.geschke-online.de/FLoP/

        Bye, bye

        Juergen

