
BASE didn't show Snort's log/alert record

BASE-user
2008-04-27
2013-06-03
  • rachmat_hidayat

    rachmat_hidayat - 2008-04-27

    Hi all :)

    After installing BASE 1.3.9 on my OpenBSD 4.2 box, BASE didn't show anything
    on its main page. I have Snort and Barnyard configured well to manage
    Snort's output to the MySQL database. To make sure, I issued this
    command:

    # echo "SELECT count(*) FROM event" | mysql snort_db

    The result shows me that the database has Snort's log/alert records in there
    (in my case, it stores about 4290 records).

    The BASE configuration file (base-conf.php) has this set:
        > $BASE_urlpath = '/base';
        > $DBlib_path = '/var/www/adodb';
        > $alert_dbname   = 'snort';
        > $alert_host     = 'localhost';
        > $alert_port     = '';
        > $alert_user     = 'snort';
        > $alert_password = 'snortpass';
        > $base_style = 'base_red_style.css';
        > $colored_alerts = 1;

    Everything looks "fine", but actually it isn't.

    What should I do?

    Thanks in advance
    Matt

     
    • Kevin Johnson

      Kevin Johnson - 2008-04-27

      Hi-

      First, I would upgrade to 1.4.0 which fixes a number of bugs.

      When you say it didn't display anything, do you mean a blank screen or that it did not list any alerts?

      Kevin

       
    • rachmat_hidayat

      rachmat_hidayat - 2008-04-28

      Yep, I will upgrade BASE to a newer version soon ;)

      I mean BASE didn't list any alerts on its main page.
      I think I know where the problem is, but I am not
      quite sure about this. Um, I am using Barnyard to directly
      insert Snort's output into the MySQL database. I set the sensor_id
      value to '1'. But when I dump the table, there is nothing
      to be shown in the snort.sensor id's table. Is it true that
      Barnyard doesn't insert any value into the snort.sensor id's
      table? Only Snort does??

      Is my analysis correct, sir? If it is correct, then does it
      mean that I have to manually insert the id's of
      my sensor machine? If my analysis is wrong, then
      what's wrong, and how do I solve this kind of problem?

      Thanks in advance
      Matt B-)

       
    • rachmat_hidayat

      rachmat_hidayat - 2008-05-03

      Replying to my own post,

      To solve this kind of problem, all I have done is:
      - I just recompiled Snort with "--with-mysql-includes"
        and "--with-mysql-libraries"

      When I try:
      # echo "select * from sensor" | mysql snort_db

      It gives me feedback with the number of existing sensors:
      sid   hostname      interface   filter   detail   encoding   last_cid
      1     192.168.0.1   pcn0        NULL     1        0          6988

      And yes, Barnyard can't insert any value into the snort.sensor id's
      table. After this, BASE can now work with no problem.

      Thanks in advance
      Case closed

      Regards
      Matt

       
