Snort mailing list archives

Database logging


From: "Mayers, Philip J" <p.mayers () ic ac uk>
Date: Tue, 7 Aug 2001 18:07:22 +0100

All,

I'm trying to database log into Postgresql, and am having some problems:

1) We're dropping a small (5%) amount of packets, although we are under high
load
2) After an indeterminate period of time, Postgresql (7.1.2) seems to go
belly up and snort dies.

So, what I want to do is either:

1) Log to a pcap/binary file, HUP snort hourly to re-open the files, and
then run a second copy of snort with the same ruleset, *just* logging into
Postgres. However, I do this:

/usr/local/bin/snort -A none -c snort-dblog.conf -r snort-<date>.log

This doesn't work - and if I do -A fast/full, I get the alert file/IP-based
directories, which I don't want. Either way, postgres never seems to get the
logs.

2) Log to the new "unified" format, HUP snort hourly and put the data into
Postgres myself (in the absence of Barnyard) - however, Snort seems to
segfault when that happens:

462 Snort rules read...
462 Option Chains linked into 193 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.1-beta5 (Build 56)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

Restarting...
Segmentation fault (core dumped)
<snip>
(gdb) bt
#0  0x401d4d32 in __libc_free (mem=0x80b0a28) at malloc.c:3043
#1  0x0804d155 in CleanExit (sig=1) at snort.c:1937
#2  <signal handler called>
#3  CheckDstPortEqual (p=0x80f21f8, rtn_idx=0xbffff020, fp_list=0xbfffefd8) at rules.c:4617
#4  0x080565c0 in EvalPacket (List=0x80a00f8, mode=2, p=0xbffff020) at rules.c:3673
#5  0x0805643c in Detect (p=0xbffff020) at rules.c:3565
#6  0x08056273 in Preprocess (p=0xbffff020) at rules.c:3433
#7  0x0804b7cf in ProcessPacket (user=0x0, pkthdr=0xbffff510, pkt=0x40533682 "") at snort.c:512
#8  0x080781f6 in packet_ring_recv () at eval.c:41
#9  0x0807851f in pcap_read () at eval.c:41
#10 0x080791cf in pcap_loop () at eval.c:41
#11 0x0804cb80 in InterfaceThread (arg=0x0) at snort.c:1441
#12 0x0804b69f in main (argc=9, argv=0xbffff76c) at snort.c:445
#13 0x40171177 in __libc_start_main (main=0x804b040 <main>, argc=9, ubp_av=0xbffff76c, init=0x804a498 <_init>, fini=0x8082bc0 <_fini>, rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffff75c) at ../sysdeps/generic/libc-start.c:129
(gdb)

The differences between the two config files:

210,211c210,211
< output alert_unified: snort.alert
< output log_unified: snort.log
---
# output alert_unified: snort.alert
# output log_unified: snort.log
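Review bot: the second half of this hunk has lost its `>` prefixes (only the `---` separator shows where the old side ends), so a reader has to infer that the `#`-commented lines belong to the config that HUPs cleanly; worth restoring them so the two sides can be told apart by prefix. On the substance, the only difference between the configs is enabling `output alert_unified` and `output log_unified`, and the backtrace above shows the crash in `__libc_free` called from `CleanExit (sig=1)`, i.e. the SIGHUP restart path, while a packet was mid-detection in `CheckDstPortEqual`. That combination points at the unified output plugins' cleanup on restart (a free of state the signal handler reaches while the packet thread is still using it) as the place to look, rather than at the rules or the Postgres plugin.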

...Hupping works fine without these differences.



I assume the eventual intention is to do away with output plugins entirely,
and have them all as client programs of the barnyard format - any ideas for
a timescale? It's just *too* useful having the results in the database...

Regards, 
Phil 

+----------------------------------+ 
| Phil Mayers, Network Support     | 
| Centre for Computing Services    | 
| Imperial College                 | 
+----------------------------------+ 
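The first approach in the post writes a pcap/binary log, rotates it with an hourly HUP and replays it with `snort -r`. Before handing a rotated file to a second process it is worth checking that the file is a complete libpcap savefile, since a rotation that catches a record mid-write leaves a truncated tail. The following is an added example, not code from the original post or from Snort: a minimal parser for the classic libpcap savefile format (24-byte global header, then 16-byte record headers, either byte order) that summarises a file and either rejects or reports a truncated final record. The sample capture it parses is constructed inline and is not real traffic; the record sizes and timestamps are made up for the demonstration.

```python
"""Minimal parser for the classic libpcap savefile format (tcpdump/pcap)."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16
MAGIC_LITTLE_ENDIAN = 0xA1B2C3D4
MAGIC_BIG_ENDIAN = 0xD4C3B2A1   # MAGIC_LITTLE_ENDIAN seen with swapped byte order


@dataclass
class PcapHeader:
    byte_order: str          # struct prefix: "<" little-endian, ">" big-endian
    version: Tuple[int, int]
    snaplen: int
    linktype: int            # 1 == Ethernet


@dataclass
class PcapRecord:
    ts_sec: int
    ts_usec: int
    caplen: int              # bytes actually stored
    origlen: int             # bytes on the wire
    data: bytes


def parse_pcap(buf: bytes, strict: bool = True):
    """Parse a whole savefile held in memory.

    Returns (header, records, trailing_bytes). trailing_bytes is the size of an
    incomplete final record that was discarded; in strict mode such a tail
    raises ValueError instead, so a half-written rotated file is not replayed.
    """
    if len(buf) < GLOBAL_HEADER_LEN:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", buf[:4])[0]
    if magic == MAGIC_LITTLE_ENDIAN:
        bo = "<"
    elif magic == MAGIC_BIG_ENDIAN:
        bo = ">"
    else:
        raise ValueError(f"unrecognised pcap magic 0x{magic:08x}")
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        bo + "HHiIII", buf[4:GLOBAL_HEADER_LEN])
    header = PcapHeader(bo, (major, minor), snaplen, linktype)

    records: List[PcapRecord] = []
    off = GLOBAL_HEADER_LEN
    while off < len(buf):
        if off + RECORD_HEADER_LEN > len(buf):
            break                                    # partial record header
        ts_sec, ts_usec, caplen, origlen = struct.unpack(
            bo + "IIII", buf[off:off + RECORD_HEADER_LEN])
        # Bound the length before slicing: a corrupt caplen must not be trusted.
        if caplen > snaplen or caplen > origlen:
            raise ValueError(f"record at offset {off}: caplen {caplen} exceeds "
                             f"snaplen {snaplen} or wire length {origlen}")
        start = off + RECORD_HEADER_LEN
        end = start + caplen
        if end > len(buf):
            break                                    # partial record body
        records.append(PcapRecord(ts_sec, ts_usec, caplen, origlen, buf[start:end]))
        off = end
    trailing = len(buf) - off
    if trailing and strict:
        raise ValueError(f"incomplete final record: {trailing} trailing bytes")
    return header, records, trailing


def summarize(buf: bytes, strict: bool = True) -> dict:
    """Per-file figures a rotation script would log before replaying the file."""
    header, records, trailing = parse_pcap(buf, strict)
    return {
        "linktype": header.linktype,
        "packets": len(records),
        "captured_bytes": sum(r.caplen for r in records),
        "wire_bytes": sum(r.origlen for r in records),
        "first_ts": (records[0].ts_sec, records[0].ts_usec) if records else None,
        "last_ts": (records[-1].ts_sec, records[-1].ts_usec) if records else None,
        "discarded_trailing_bytes": trailing,
    }


def build_sample_pcap(bo: str = "<") -> bytes:
    """Constructed two-frame Ethernet capture used as sample input (not real traffic)."""
    out = struct.pack(bo + "IHHiIII", MAGIC_LITTLE_ENDIAN, 2, 4, 0, 0, 1514, 1)
    frames = [
        # (ts_sec, ts_usec, wire length, stored bytes)
        (996_000_000, 123_456, 60, b"\x00" * 14 + b"\x45" + b"\x00" * 45),
        (996_000_001, 7, 1514, b"\x01" * 200),      # long frame, only 200 bytes kept
    ]
    for ts_sec, ts_usec, origlen, data in frames:
        out += struct.pack(bo + "IIII", ts_sec, ts_usec, len(data), origlen) + data
    return out


if __name__ == "__main__":
    print(summarize(build_sample_pcap()))
    print(summarize(build_sample_pcap()[:-5], strict=False))   # simulated torn tail
```

Run against a real rotated file with `summarize(open(path, "rb").read())`; a ValueError in strict mode is the signal to leave that hour's file alone until the writer has closed it.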

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

