Thread: [Secureideas-base-devel] [Secureideas-base-user] SQL Queries on acid_event sometimes return no result
From: Richard C. <ric...@gm...> - 2006-04-17 16:40:06
I have scripts that are querying the acid_event table in my Snort database and sometimes they work (when I'm in the office and using BASE) and sometimes they don't work (like on the weekends). Any idea why this would be and what I can do to make these queries work every time? I think that the acid_event database is some sort of cache database but I'm not sure.

Thanks,
Rich

--
Thanks,
Rich Compton
From: Mordread W. <mor...@gm...> - 2006-04-17 17:53:09
On 4/17/06, Richard Compton <ric...@gm...> wrote:
>
> I have scripts that are querying the acid_event table in my Snort database
> and sometimes they work (when I'm in the office and using BASE) and sometimes
> they don't work (like on the weekends). Any idea why this would be and what
> I can do to make these queries work every time? I think that the acid_event
> database is some sort of cache database but I'm not sure.
>

Hi Rich

Maybe you've set up your BASE to "auto-update" alerts when browsing it (it means that new alerts will be added when someone uses BASE). So, that's why during week days, when you use the BASE front-end, your scripts work fine, and during the week-end, when nobody uses BASE, they don't.

If I am correct, then you could use a cron job to automatically update BASE database contents (or at least load BASE before launching them...).

Best regards,
--
Mordread
From: Kevin J. <kjo...@se...> - 2006-04-18 02:03:09
On Apr 17, 2006, at 12:39 PM, Richard Compton wrote:
>
> I have scripts that are querying the acid_event table in my Snort
> database and sometimes they work (when I'm in the office and using
> BASE) and sometimes they don't work (like on the weekends). Any
> idea why this would be and what I can do to make these queries work
> every time? I think that the acid_event database is some sort of
> cache database but I'm not sure.
>
> Thanks,
> Rich

Hi-

What exactly do you mean they fail on the weekends? The only thing that I can think of is that you are only looking for new items. This table is a cache of events that BASE has worked with. If you are not using base_maintenance.pl to cache these events and no one is actively using the BASE web interface, no new events will get cached.

Kevin
---------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!
From: Richard C. <ric...@gm...> - 2006-04-18 03:26:17
Hi guys,

Yes, I'm trying to query for new events.

I think I understand now. Thanks for your help. I'm going to create a cron job that continually refreshes the alert cache so when my scripts run, they are querying all the events. I guess I'll try to use the base_maintenance.pl script that you are referring to.

-Rich

On 4/17/06, Kevin Johnson <kjo...@se...> wrote:
>
> On Apr 17, 2006, at 12:39 PM, Richard Compton wrote:
> >
> > I have scripts that are querying the acid_event table in my Snort
> > database and sometimes they work (when I'm in the office and using
> > BASE) and sometimes they don't work (like on the weekends). Any
> > idea why this would be and what I can do to make these queries work
> > every time? I think that the acid_event database is some sort of
> > cache database but I'm not sure.
> >
> > Thanks,
> > Rich
>
> Hi-
>
> What exactly do you mean they fail on the weekends? The only thing
> that I can think of is that you are only looking for new items. This
> table is a cache of events that BASE has worked with. If you are not
> using base_maintenance.pl to cache these events and no one is
> actively using the BASE web interface, no new events will get cached.
>
> Kevin
> ---------------------
> BASE Project Lead
> http://sourceforge.net/projects/secureideas
> http://base.secureideas.net
> The next step in IDS analysis!
>
>

--
Thanks,
Rich Compton
From: Mordread W. <mor...@gm...> - 2006-04-18 07:01:05
On 4/18/06, Richard Compton <ric...@gm...> wrote:
>
> Hi guys,
> Yes, I'm trying to query for new events.
> I think I understand now. Thanks for your help. I'm going to create a cron
> job that continually refreshes the alert cache so when my scripts run, they
> are querying all the events. I guess I'll try to use the base_maintenance.pl
> script that you are referring to.
>
> -Rich

Hi Richard,

Please find below an example on how to auto-update BASE contents (using Debian GNU/Linux):

If you have php4-cli (running php from the command line), you can update your BASE content with the following cron (/etc/cron.d/update_base):

    */1 * * * * root cd /var/www/base_installation_dir/ && /usr/bin/php4 "/var/www/base_installation_dir/base_maintenance.php" > /dev/null 2>&1

Then add the following, for the "if ( $submit == "Update Alert Cache" )" test in "base_maintenance.php" (in order to update Alerts and DNS):

    else
    {
        UpdateAlertCache($db);
        UpdateDNSCache($db);
    }

If you don't use php4-cli, you may use curl (if you don't use BASE users management).

Best regards,
Mordread
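A check for the condition Kevin and Mordread describe above, acid_event lagging behind what Snort has actually logged because nobody has browsed BASE, written as an added example that is not part of this thread or of BASE's own code. It assumes Snort's event table and BASE's acid_event cache share (sid, cid, signature, timestamp) columns and are keyed by (sid, cid); the sample rows are constructed in an in-memory SQLite database, so it runs offline.

```python
import sqlite3

# Assumed schemas (not from the thread): Snort's event table and BASE's
# acid_event cache, both keyed by (sid, cid). Real tables have more columns.
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE acid_event (sid INTEGER, cid INTEGER, signature INTEGER,
                         timestamp TEXT, PRIMARY KEY (sid, cid));
"""
# Constructed sample: five sensor events, only the first three cached
# (nobody browsed BASE after Friday evening, so the cache stopped at cid 3).
EVENTS = [(1, 1, 100, "2006-04-14 17:00:00"),
          (1, 2, 101, "2006-04-14 17:05:00"),
          (1, 3, 100, "2006-04-14 17:10:00"),
          (1, 4, 102, "2006-04-15 03:00:00"),
          (1, 5, 100, "2006-04-16 09:30:00")]
# Rows present in event but missing from acid_event.
UNCACHED_SQL = """
    SELECT e.sid, e.cid, e.signature, e.timestamp FROM event e
    LEFT JOIN acid_event a ON a.sid = e.sid AND a.cid = e.cid
    WHERE a.cid IS NULL ORDER BY e.sid, e.cid"""

def build_db():
    """In-memory database seeded with the constructed sample above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", EVENTS)
    conn.executemany("INSERT INTO acid_event VALUES (?, ?, ?, ?)", EVENTS[:3])
    return conn

def uncached_events(conn):
    """(sid, cid) pairs Snort logged but acid_event lacks: exactly the
    events a script that queries only acid_event will never see."""
    return [(sid, cid) for sid, cid, _, _ in conn.execute(UNCACHED_SQL)]

def cache_is_current(conn):
    """True when acid_event covers every row in event. Check this before a
    report job, or after the cron'd base_maintenance.php run, as a sanity test."""
    return not uncached_events(conn)

def refresh_cache(conn):
    """Stand-in for the refresh BASE's UpdateAlertCache performs (not BASE's
    code): copy every uncached event into acid_event. Returns rows added."""
    cur = conn.execute("INSERT INTO acid_event (sid, cid, signature, timestamp)"
                       + UNCACHED_SQL)
    conn.commit()
    return cur.rowcount
```

Against a real deployment the same LEFT JOIN run in MySQL after the cron job tells you whether the cache actually caught up before your weekend reports trust it.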
From: Richard C. <ric...@gm...> - 2006-04-18 21:00:06
Yep, I've got it working out of a cron job now. Thanks for your help!

On 4/18/06, Mordread Wallas <mor...@gm...> wrote:
>
> On 4/18/06, Richard Compton <ric...@gm...> wrote:
> >
> > Hi guys,
> > Yes, I'm trying to query for new events.
> > I think I understand now. Thanks for your help. I'm going to create a
> > cron job that continually refreshes the alert cache so when my scripts run,
> > they are querying all the events. I guess I'll try to use the
> > base_maintenance.pl script that you are referring to.
> >
> > -Rich
>
> Hi Richard,
>
> Please find below an example on how to auto-update BASE contents (using
> Debian GNU/Linux):
>
> If you have php4-cli (running php from the command line), you can update
> your BASE content with the following cron (/etc/cron.d/update_base):
>
> */1 * * * * root cd /var/www/base_installation_dir/ && /usr/bin/php4
> "/var/www/base_installation_dir/base_maintenance.php" > /dev/null 2>&1
>
> Then add the following, for the "if ( $submit == "Update Alert Cache"
> )" test in "base_maintenance.php" (in order to update Alerts and DNS):
>
> else
> {
>     UpdateAlertCache($db);
>     UpdateDNSCache($db);
> }
>
> If you don't use php4-cli, you may use curl (if you don't use BASE
> users management).
>
> Best regards,
> Mordread
>

--
Thanks,
Rich Compton