I'm hoping someone here can help me with an issue I'm having with BASE and OSSEC. I have alerts from OSSEC going into BASE, but with the original code I'm unable to archive OSSEC alerts.
After some tinkering and asking questions on the OSSEC forums, one suggestion was to change a line in base_action.inc.php as follows:
original:
$sql = "INSERT INTO data (sid,cid, data_payload) VALUES ";
$sql.= "($sid, $cid, '".$tmp_row[0]."')";
modified:
$sql = "INSERT INTO data (sid,cid, data_payload) VALUES ";
$sql.= "($sid, $cid, '".mysql_real_escape_string($tmp_row[0])."')";
After making this change I was able to archive the OSSEC alerts via BASE; however, since doing so I am now unable to view any alerts in the archive database. The test alert I tried archiving was copied from the snort database to the snort_archive database, which I verified manually:
mysql> use snort;
Database changed
mysql> select * from data where cid=118815;
+-----+--------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| sid | cid | data_payload |
+-----+--------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 40 | 118815 | ** Alert 1254423242.4059666: - apache,unknown_resource,
2009 Oct 01 14:54:02 somewebsite-webserver -> /var/log/httpd/error_log
Rule: 30112 (level 5) -> 'Attempt to access an non-existent file.'
Src IP: (174.129.87.154)
User: (none)
[Thu Oct 01 14:53:51 2009] [error] [client 174.129.87.154] File does not exist: /home/h/http073/somewebsite/iphone |
+-----+--------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.09 sec)
Using BASE, I then copied the alert from the snort database to the snort_archive database:
mysql> use snort_archive;
Database changed
mysql> select * from data where cid=118815;
+-----+--------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| sid | cid | data_payload |
+-----+--------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 40 | 118815 | ** Alert 1254423242.4059666: - apache,unknown_resource,
2009 Oct 01 14:54:02 somewebsite-webserver -> /var/log/httpd/error_log
Rule: 30112 (level 5) -> 'Attempt to access an non-existent file.'
Src IP: (174.129.87.154)
User: (none)
[Thu Oct 01 14:53:51 2009] [error] [client 174.129.87.154] File does not exist: /home/h/http073/somewebsite/iphone |
+-----+--------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
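The following is an added example, not code from the BASE project or from the poster above. It shows why the original concatenated INSERT breaks on exactly the kind of payload shown in the post (the OSSEC rule description is wrapped in single quotes, and the Apache log line itself is whatever the remote client requested, so the data is attacker-influenced), and it shows the prepared-statement form that avoids both the broken query and the injection risk that escaping by hand only papers over. To run offline it assumes an in-memory SQLite database through PDO rather than MySQL; the table layout mirrors the `data` table in the post, and the alert text is constructed here.

```php
<?php
// Added example (not BASE's own code). Demonstrates the failure mode of the
// concatenated INSERT from base_action.inc.php and the prepared-statement fix.
// Assumption: SQLite via PDO stands in for the MySQL snort/snort_archive databases.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT)");

$sid = 40;
$cid = 118815;

// Constructed payload in the shape of the OSSEC alert from the post. The single
// quotes around the rule description are written by OSSEC itself, and the
// quoted log line carries client-supplied content, so log data is not trusted.
$payload = "** Alert 1254423242.4059666: - apache,unknown_resource,\n"
         . "Rule: 30112 (level 5) -> 'Attempt to access an non-existent file.'\n";

// 1. The original concatenated query: the first single quote inside the payload
//    terminates the string literal early, so the statement is malformed and the
//    insert fails. With crafted log content it could also change the statement.
$sql  = "INSERT INTO data (sid,cid, data_payload) VALUES ";
$sql .= "($sid, $cid, '" . $payload . "')";
try {
    $pdo->exec($sql);
    echo "unexpected: concatenated insert succeeded\n";
} catch (PDOException $e) {
    echo "concatenated insert failed: " . $e->getMessage() . "\n";
}

// 2. Prepared statement: the payload travels as a bound value and is never parsed
//    as SQL, so quotes, backslashes and newlines in log data cannot alter the query.
$stmt = $pdo->prepare(
    "INSERT INTO data (sid, cid, data_payload) VALUES (:sid, :cid, :payload)"
);
$stmt->execute([':sid' => $sid, ':cid' => $cid, ':payload' => $payload]);

// Read the row back and confirm the payload was stored byte-for-byte, which is
// the property the archive view depends on when it renders the alert again.
$check = $pdo->prepare("SELECT data_payload FROM data WHERE cid = :cid");
$check->execute([':cid' => $cid]);
$stored = $check->fetchColumn();
echo ($stored === $payload)
    ? "prepared insert stored the payload intact\n"
    : "payload mismatch after round trip\n";
```

The `mysql_real_escape_string()` change from the post fixes the immediate syntax failure by escaping the quotes before concatenation, which is why archiving started working; the bound-parameter form above reaches the same result without relying on every call site remembering to escape, and it does not depend on the old `mysql_*` extension, which was removed in PHP 7.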
I can try to help you, but I would need more information. Is there a log message when you try to view archived alerts? What type of data is being stored?
I moved this from a bug report to a support request because it really isn't a bug in BASE.
Feel free to email me directly if you would like.