No Snort events visible


Florian Keclik

Mar 14, 2013, 4:34:07 AM
to aan...@googlegroups.com

I’m trying to get Aanval to display events from Snort and I believe I am almost there. Aanval sees the Sensor and things seem to work (see screenshots).

It can display events from the Aanval console and both sensors are active. I have 2 active sensors, one from Aanval and one from Snort. I know the trial license only supports one sensor, but even when I turn off the Aanval sensor I can’t see the events from Snort.

Barnyard is writing events in the db:

The interesting thing is probably the error.log, which is full of lines like this:

Mar 13 09:01:09 [ERROR] [10.50.5.12] [root : 1] MySQL Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') ORDER BY mas.id DESC LIMIT 10' at line 1
Mar 13 09:01:09 [ERROR] [10.50.5.12] [root : 1] MySQL Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') GROUP BY created ORDER BY created' at line 1
Mar 13 09:01:09 [ERROR] [10.50.5.12] [root : 1] MySQL Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1
Mar 13 09:01:09 [ERROR] [10.50.5.12] [root : 1] MySQL Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND timestamp >= 1363164669' at line 1
Mar 13 09:01:09 [ERROR] [10.50.5.12] [root : 1] MySQL Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND timestamp >= 1363161669' at line 1
Mar 13 09:01:09 [ERROR] [10.50.5.12] [root : 1] MySQL Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND timestamp >= 1363132800' at line 1
Mar 13 09:01:09 [ERROR] [10.50.5.12] [root : 1] MySQL Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') ORDER BY mas.id DESC LIMIT 15' at line 1
Mar 13 09:06:09 [ERROR] [10.50.5.12] [root : 1] MySQL Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') ORDER BY mas.id DESC LIMIT 10' at line 1
Mar 13 09:06:09 [ERROR] [10.50.5.12] [root : 1] MySQL Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') GROUP BY created ORDER BY created' at line 1
Mar 13 09:06:09 [ERROR] [10.50.5.12] [root : 1] MySQL Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1
Mar 13 09:06:09 [ERROR] [10.50.5.12] [root : 1] MySQL Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND timestamp >= 1363164969' at line 1


To test the SQL statements I ran some select statements from the debug.log directly in mysql and they ran just fine without a problem. I tried those that invoke the timestamp command, as the timestamp seems to be a problem according to the error.log.

Can it be a versioning issue? I'm running Aanval SAS v7.1 (70142) and MySQL Ver 14.14 Dist 5.5.30 x86_64. 

Any help is greatly appreciated!
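An added example (not from the poster or from Aanval) showing how to triage an error.log like the one above: it parses the quoted line format, groups failures by the SQL fragment MySQL rejected, and checks whether every failure sits at a closing parenthesis. The sample lines are constructed in the shape quoted above, and the empty-IN-list cause handled by sensor_filter() is an assumption this thread does not confirm.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the post (not the full log).
SAMPLE_ERROR_LOG = """\
Mar 13 09:01:09 [ERROR] [10.50.5.12] [root : 1] MySQL Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') ORDER BY mas.id DESC LIMIT 10' at line 1
Mar 13 09:01:09 [ERROR] [10.50.5.12] [root : 1] MySQL Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND timestamp >= 1363164669' at line 1
Mar 13 09:01:09 [ERROR] [10.50.5.12] [root : 1] MySQL Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1
Mar 13 09:06:09 [ERROR] [10.50.5.12] [root : 1] MySQL Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') ORDER BY mas.id DESC LIMIT 10' at line 1
"""

# One line: timestamp, level, console host, "user : id", then MySQL's message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \[(?P<host>[^\]]+)\] "
    r"\[(?P<user>[^\]]+)\] MySQL Query Error: .*? near '(?P<near>.*)' at line (?P<line>\d+)$"
)


def parse_error_log(text):
    """Return one dict per MySQL Query Error line; lines in other formats are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


def summarize(records):
    """Count the rejected SQL fragments and flag when all of them start at ')'.

    Every fragment beginning with ')' means the generated query broke right
    before a closing parenthesis, which is what an empty list such as
    'sensor_id IN ()' produces (assumed cause, not confirmed by the thread).
    """
    frags = Counter(r["near"] for r in records)
    all_at_paren = bool(records) and all(r["near"].startswith(")") for r in records)
    return {"total": len(records), "fragments": frags, "all_at_closing_paren": all_at_paren}


def sensor_filter(sensor_ids):
    """Build a parameterised WHERE fragment for a sensor list (hypothetical helper).

    An empty selection returns an always-false predicate instead of 'IN ()',
    so the query stays valid SQL and simply matches no events.
    """
    if not sensor_ids:
        return "1 = 0", ()
    placeholders = ", ".join("%s" for _ in sensor_ids)
    return f"sensor_id IN ({placeholders})", tuple(sensor_ids)
```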

Eric Smith

Mar 14, 2013, 5:08:09 AM
to aan...@googlegroups.com
The user permissions are enabled for the admin account, but there is a second account created; from the screenshot it looks like "New Account." Also, that screenshot shows that the new user is logged in and the user permissions are not enabled. Check the box for those user permissions on that sensor and the events will be displayed.

Sent from my iPhone
Florian Keclik

Mar 14, 2013, 5:33:08 AM
to aan...@googlegroups.com
I already tried that. When I just had the root account Aanval didn't offer the user permission settings so I added the "New Account". This gave me the user permissions but enabling them doesn't show events either.

Florian Keclik

Mar 15, 2013, 5:21:38 AM
to aan...@googlegroups.com
I got it working.
I have two snort sensors because of initial configuration issues with Barnyard. Of course I selected the wrong sensor to be displayed in Aanval...

Thanks for your help.