Hello! I am a new user to BASE and am setting it up for first time use. I am using version 1.3.6; Snort version 126.96.36.199, Barnyard version 0.2.0, and Apache 1.3.37.
I have Snort writing to log files and Barnyard reading the log files and posting to the 'snort' database set up in MySQL. This appears to be working - I see the log file growing and the # of entries in the 'event' table of the 'snort' database continues to increase.
I DO NOT have Snort writing any logs or alerts to the database at all - I commented out the following options in my snort.conf file:
# output database: log, mysql, user=snort password=mypass dbname=snort host=localhost
# output database: alert, mysql, user=snort password=mypass dbname=snort host=localhost
The following tables are EMPTY in my database: acid_ag, acid_ag_alert, acid_event, acid_ip_cache, base_users, opt, sensor, and signature.
In my 'base_conf.php' I have the following parameters configured:
One thing that I did notice is that when I logged into the BASE page, the Database ('Database: snort@localhost (Schema Version: 107)') was set to snort_archive@localhost instead of snort@localhost. I simply went into the conf file (the archive_exists parameter was already set to 0!) and configured all the 'archive_' parameters to the same as above, then restarted Apache, Snort, and Barnyard.
But, that didn't help - I still cannot get any results from the database.
- Today's alerts: unique listing Source IP Destination IP
- Last 24 Hours alerts: unique listing Source IP Destination IP
- Last 72 Hours alerts: unique listing Source IP Destination IP
- Most recent 15 Alerts: any protocol TCP UDP ICMP
- Last Source Ports: any protocol TCP UDP
- Last Destination Ports: any protocol TCP UDP
- Most Frequent Source Ports: any protocol TCP UDP
- Most Frequent Destination Ports: any protocol TCP UDP
- Most frequent 15 Addresses: Source Destination
- Most recent 15 Unique Alerts
- Most frequent 5 Unique Alerts
Queried on : Wed June 06, 2007 09:51:39
Database: snort@localhost (Schema Version: 107)
Time Window: no alerts detected
Sensors/Total: 0 / 0
Unique Alerts: 0
Total Number of Alerts: 0
* Src IP addrs: 0
* Dest. IP addrs: 0
* Unique IP links 0
Source Ports: 0
o TCP ( 0) UDP ( 0)
* Dest Ports: 0
o TCP ( 0) UDP ( 0)
Traffic Profile by Protocol
Portscan Traffic (0%)
Any thoughts on what is missing here and how I can fix it?
Thanks in advance for your time and help! It is GREATLY appreciated. Please let me know if I can provide any additional information.
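A set of diagnostic queries for the situation described in this post, added here as an example; they are not from the original post nor from the BASE or Barnyard projects. They assume the standard Snort schema 107 table and column names (event.sid, event.cid, event.signature, sensor.sid, signature.sig_id, acid_event) and a database named 'snort', and are meant to be pasted into the mysql client as the same user BASE connects with.

```sql
-- Constructed diagnostic queries (assumed Snort schema 107 names).
USE snort;

-- 1. Where are the rows? BASE's front-page statistics are read from the
--    acid_event cache table, which is built from event. A growing event
--    table next to an empty acid_event explains "Total Number of Alerts: 0"
--    even though Barnyard is inserting successfully.
SELECT 'event'      AS tbl, COUNT(*) AS row_count FROM event
UNION ALL SELECT 'acid_event', COUNT(*) FROM acid_event
UNION ALL SELECT 'sensor',     COUNT(*) FROM sensor
UNION ALL SELECT 'signature',  COUNT(*) FROM signature;

-- 2. Every event must reference a sensor row and a signature row. Orphaned
--    events (empty sensor/signature tables, as in this post) cannot be
--    rendered by BASE, so these counts should both be zero on a healthy DB.
SELECT COUNT(*) AS events_without_sensor
  FROM event e
  LEFT JOIN sensor s ON s.sid = e.sid
 WHERE s.sid IS NULL;

SELECT COUNT(*) AS events_without_signature
  FROM event e
  LEFT JOIN signature g ON g.sig_id = e.signature
 WHERE g.sig_id IS NULL;

-- 3. Confirm the web user is looking at the same data Barnyard writes:
--    the newest timestamp here should match the "Queried on" window
--    BASE displays once the cache is populated.
SELECT MAX(timestamp) AS newest_event FROM event;
```

If query 1 shows event populated but acid_event empty, BASE's alert cache has not been built; BASE's "Cache & Status" page is where that cache is updated. If query 2 returns non-zero counts, the writer that fills event is not also filling sensor and signature, which is worth checking on the Barnyard output side before touching base_conf.php again.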