Snort mailing list archives
Re: R: v2.8.4 incorrect logging to MySQL: PATCH
From: Todd Wease <twease () sourcefire com>
Date: Mon, 13 Apr 2009 11:07:37 -0400
Thanks much Luigi. That is the fix.

snortml () iotti biz wrote:
I'm having exactly the same problem: fresh 2.8.4 install with mysql output, and the sensor table never gets a row inserted. I think I have found the problem and produced a simple patch, but please revise it: I'm not a coder, and have no particular experience with snort, so I'm not sure my patch cannot have some side-effects.

That said, the problem seems to be in Select() in src/output-plugins/spo_database.c, in the portion of the function used with the mysql db (I did not examine other dbs' code). This function makes a SQL SELECT and, upon success, returns the fetched value converted to integer. When it encounters an error, it returns 0. But, as a special case, when the query was successful but did not yield any row, it returns 1. There is no distinction whether the "1" returned was because the value "1" was fetched from the DB, or simply because the DB did not return any row. As a consequence, when this code is executed:

    data->shared->sid = Select(select_sensor_id, data);
    if (data->shared->sid == 0)
    {
        Insert(insert_into_sensor, data);
    }

the Select() returns 1, and the Insert() is never done. So the sensor table remains empty. My patch is just as simple as:

# diff -ubB spo_database.c.orig spo_database.c
--- spo_database.c.orig 2009-04-13 16:03:49.000000000 +0200
+++ spo_database.c 2009-04-13 15:59:53.000000000 +0200
@@ -2798,6 +2798,14 @@ { result = atoi(data->m_row[0]); } + else + { + result = 0; + } + } + else + { + result = 0; } } mysql_free_result(data->m_result);

I simply return 0 (false) if the query was technically successful, but no result was found. As I said, I would like some expert to revise the patch, since I don't know if in ALL SITUATIONS it is right to return 0 (just like there was an error) when we have no value returned. I'm just sure it's better to return 0 than 1.

Cheers
Luigi

From: Danny Paul [mailto:JDPAUL () GoColumbiaMO com]

I verified as well that no inserts were being made into the signatures or sensors table. Matt, seeing as how you work for sourcefire, are you submitting this as a bug request on our behalf, or do I need to do that?

On 4/11/2009 at 5:11 PM, in message <665172f40904111511r29d51a9bha360b839e3239e0b () mail gmail com>, <rsreese () gmail com> wrote:

On Sat, Apr 11, 2009 at 3:16 PM, Matt Watchinski <mwatchinski () sourcefire com> wrote:

Turn on mysql query logging and see if snort is trying to insert to those tables. It doesn't look like much changed in spo_database.c

Cheers,
-matt

Here's a couple of queries from a ping that Snort picked up on. There are still no values appearing in the signature or sensor tables.
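Review bot: both added else branches assign result = 0, so after this hunk a successful query that fetches no row (or a NULL first column) is reported exactly like a failed query. That is what the quoted sensor-id caller needs, since it runs Insert() on 0, but any caller that treats 0 as "query failed, do not insert" can no longer tell the two cases apart; a status out-parameter or a distinct negative return for the error path would keep the distinction without changing the integer result. The hunk has no removed lines, so wherever the original code set result to 1 for the no-row case is untouched; confirm that assignment is now fully overridden by the new branches rather than reachable on another path. Since the diff was produced with -ubB, whitespace differences are hidden, so the indentation of the added lines should be checked against the surrounding code before committing.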
22 Query INSERT INTO data (sid,cid,data_payload) VALUES(1,80,'9614E149E973090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637')
22 Query COMMIT
22 Query BEGIN
22 Query SELECT sig_id FROM signature WHERE sig_name = 'ICMP PING' AND sig_rev = 5 AND sig_sid = 384 AND sig_gid = 1
22 Query INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 81, 1, '2009-04-11 18:07:20')
22 Query INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES (1,81,8,0,63192,44111,2)
22 Query INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_proto, ip_csum) VALUES (1,81,2886730504,2886730242,4,5,0,84,0,0,0,63,1,56958)
22 Query INSERT INTO data (sid,cid,data_payload) VALUES(1,81,'9614E149E973090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637')
22 Query COMMIT
090411 18:07:21 22 Query BEGIN
22 Query SELECT sig_id FROM signature WHERE sig_name = 'ICMP PING BSDtype' AND sig_rev = 6 AND sig_sid = 368 AND sig_gid = 1
22 Query INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 82, 1, '2009-04-11 18:07:21')
22 Query INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES (1,82,8,0,45018,44111,3)
22 Query INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_proto, ip_csum) VALUES (1,82,2886730504,2886730242,4,5,0,84,0,0,0,64,1,56702)
22 Query INSERT INTO data (sid,cid,data_payload) VALUES(1,82,'9714E1492F71090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637')
22 Query COMMIT
22 Query BEGIN
22 Query SELECT sig_id FROM signature WHERE sig_name = 'ICMP PING *NIX' AND sig_rev = 7 AND sig_sid = 366 AND sig_gid = 1
22 Query INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 83, 1, '2009-04-11 18:07:21')
22 Query INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES (1,83,8,0,45018,44111,3)
22 Query INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_proto, ip_csum) VALUES (1,83,2886730504,2886730242,4,5,0,84,0,0,0,64,1,56702)
22 Query INSERT INTO data (sid,cid,data_payload) VALUES(1,83,'9714E1492F71090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637')
22 Query COMMIT
22 Query BEGIN
22 Query SELECT sig_id FROM signature WHERE sig_name = 'ICMP PING' AND sig_rev = 5 AND sig_sid = 384 AND sig_gid = 1
22 Query INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 84, 1, '2009-04-11 18:07:21')
22 Query INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES (1,84,8,0,45018,44111,3)
22 Query INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_proto, ip_csum) VALUES (1,84,2886730504,2886730242,4,5,0,84,0,0,0,64,1,56702)
22 Query INSERT INTO data (sid,cid,data_payload) VALUES(1,84,'9714E1492F71090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637')
22 Query COMMIT
22 Query BEGIN
22 Query SELECT sig_id FROM signature WHERE sig_name = 'ICMP PING BSDtype' AND sig_rev = 6 AND sig_sid = 368 AND sig_gid = 1
22 Query INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 85, 1, '2009-04-11 18:07:21')
22 Query INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES (1,85,8,0,45018,44111,3)
22 Query INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_proto, ip_csum) VALUES (1,85,2886730504,2886730242,4,5,0,84,0,0,0,63,1,56958)
22 Query INSERT INTO data (sid,cid,data_payload) VALUES(1,85,'9714E1492F71090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637')
22 Query COMMIT
22 Query BEGIN
22 Query SELECT sig_id FROM signature WHERE sig_name = 'ICMP PING *NIX' AND sig_rev = 7 AND sig_sid = 366 AND sig_gid = 1
22 Query INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 86, 1, '2009-04-11 18:07:21')
22 Query INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES (1,86,8,0,45018,44111,3)
22 Query INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_proto, ip_csum) VALUES (1,86,2886730504,2886730242,4,5,0,84,0,0,0,63,1,56958)

------------------------------------------------------------------------------
This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
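The Select() return-value collision Luigi describes, and the sensor-id caller he quotes, as an added C model that is not Snort's code and not part of this thread: it replaces MySQL with a constructed in-memory result, and the names MockResult, select_buggy, select_fixed, select_tristate and ensure_sensor are hypothetical stand-ins for spo_database.c's Select()/Insert(). select_tristate goes one step past the patch and shows one way to keep "query error" and "no row" apart, which is the open question Luigi raises about returning 0 for both.

```c
/* Added example, not Snort's code: models the Select() return-value
 * collision from the thread with a constructed in-memory result instead
 * of MySQL. All names below (MockResult, select_*, ensure_sensor) are
 * hypothetical stand-ins for spo_database.c's Select()/Insert(). */
#include <stdlib.h>

typedef struct {
    int failed;        /* 1: the query itself errored */
    int nrows;         /* rows returned by a successful query (0 or 1) */
    const char *col0;  /* first column of the first row, may be NULL */
} MockResult;

/* 2.8.4 behaviour as described in the thread: error -> 0, no rows -> 1,
 * otherwise atoi() of the fetched value. */
static int select_buggy(const MockResult *r)
{
    if (r->failed) return 0;
    if (r->nrows == 0) return 1;   /* indistinguishable from a real sid 1 */
    return atoi(r->col0);
}

/* Luigi's patch: no row or NULL column -> 0, the same as an error. */
static int select_fixed(const MockResult *r)
{
    if (r->failed) return 0;
    if (r->nrows == 0 || r->col0 == NULL) return 0;
    return atoi(r->col0);
}

/* Luigi's open question: with the patch, error and no-row both yield 0.
 * A status out-parameter lets a caller tell them apart without changing
 * the integer result. */
typedef enum { SEL_ERROR, SEL_NOROW, SEL_VALUE } SelStatus;
static int select_tristate(const MockResult *r, SelStatus *st)
{
    if (r->failed) { *st = SEL_ERROR; return 0; }
    if (r->nrows == 0 || r->col0 == NULL) { *st = SEL_NOROW; return 0; }
    *st = SEL_VALUE;
    return atoi(r->col0);
}

/* The caller pattern quoted from spo_database.c: Insert() the sensor row
 * only when Select() returned 0. Returns 1 when the insert would run. */
static int ensure_sensor(int (*sel)(const MockResult *), const MockResult *r)
{
    int sid = sel(r);          /* data->shared->sid = Select(...) */
    return sid == 0;           /* if (sid == 0) Insert(insert_into_sensor) */
}
```

With an empty sensor table (nrows == 0) ensure_sensor(select_buggy, ...) returns 0, so the row is never inserted, while ensure_sensor(select_fixed, ...) returns 1; a fetched value of "1" is handled identically by both, which is why the bug only shows up on a fresh database.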
Current thread:
- Re: v2.8.4 incorrect logging to MySQL, (continued)
- Re: v2.8.4 incorrect logging to MySQL Stephen Reese (Apr 11)
- Re: v2.8.4 incorrect logging to MySQL Danny Paul (Apr 13)
- Re: v2.8.4 incorrect logging to MySQL James Lay (Apr 13)
- Re: v2.8.4 incorrect logging to MySQL Joel Esler (Apr 13)
- Message not available
- Re: v2.8.4 incorrect logging to MySQL Joel Esler (Apr 13)
- Message not available
- Re: v2.8.4 incorrect logging to MySQL Joel Esler (Apr 13)
- Message not available
- Re: v2.8.4 incorrect logging to MySQL Joel Esler (Apr 13)
- Message not available
- Re: v2.8.4 incorrect logging to MySQL Joel Esler (Apr 13)
- Re: v2.8.4 incorrect logging to MySQL Matt Watchinski (Apr 13)
- R: v2.8.4 incorrect logging to MySQL: PATCH snortml (Apr 13)
- Re: R: v2.8.4 incorrect logging to MySQL: PATCH Todd Wease (Apr 13)
- Re: R: v2.8.4 incorrect logging to MySQL: PATCH Stephen Reese (Apr 13)
- Re: R: v2.8.4 incorrect logging to MySQL: PATCH Jason Wallace (Apr 14)
- Re: R: v2.8.4 incorrect logging to MySQL: PATCH Todd Wease (Apr 14)
- Re: R: v2.8.4 incorrect logging to MySQL: PATCH Jason Wallace (Apr 14)
- view alerts in base David Kingsly (Apr 19)
- Re: view alerts in base David Kingsly (Apr 19)
- Re: view alerts in base Lee Clemens (Apr 20)
- Re: view alerts in base David Kingsly (Apr 21)
- Re: view alerts in base Paul Schmehl (Apr 21)
- Re: view alerts in base David Kingsly (Apr 22)