Snort mailing list archives

RE: logging to MySql....stumped


From: "Scott Renna" <srenna () d-a-s com>
Date: Tue, 22 Jul 2003 08:31:44 -0400

Would I have better luck dumping it to a PostgreSQL database?   I've
noticed in Barnyard's output when it doesn't have anything it's picking
up, entries are just shown as time 00:00:00.  I forget the date that it
defaults to but it's definitely not the current one.

I'm going to try this patch out and let you know on the results.

Scott

***************************
Scott Renna
Head Systems Administrator
Dynamic Animation Systems
703-503-0500

*************************** 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Chris
Keladis
Sent: Tuesday, July 22, 2003 7:53 AM
To: Scott Renna
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] logging to MySql....stumped


Scott Renna wrote:

Hi Scott,

Now that I've gotten some help in editing configure.in in Barnyard to
work with MySQLServer 4.0....it's up and running and seems to be doing
its job.  It's no longer producing any errors however, it doesn't look
like it's actually logging to ACID.  I've run a few port scans and
snort is picking up the scans and creating alert and log files.  ACID
is not displaying the result however.

I've submitted this information to Andrew and Marty, so hopefully it 
will be corrected in future releases.

Anyway, I had the same problem, and after closer examination I found
that "zero" dates/times were being inserted into the database.

This happens (from what I've gathered) because the date/time string that
barnyard inserts isn't compatible with MySQL's 'DATETIME' datatype,
resulting in an error, and MySQL ends up inserting 'null' date strings
(which is why - I think - you don't see anything in acid, as all the
events occurred on 00-00-0000 at 00:00!) ;)


The following trivial patch should get it going (hopefully it's not 
line-wrapped beyond recognition):


--- barnyard-0.1.0/src/util.c.orig      2003-07-20 10:46:43.000000000
+1000
+++ barnyard-0.1.0/src/util.c   2003-07-20 10:46:51.000000000 +1000
@@ -508,7 +508,7 @@
      if(pv.localtime)
      {
          lt = localtime(&timet);
-        return strftime(timebuf, len, "%Y-%m-%d %H:%M:%S %z", lt);
+        return strftime(timebuf, len, "%Y-%m-%d %H:%M:%S%z", lt);
      }

      lt = gmtime(&timet);
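Review bot: removing the space before `%z` still leaves a zone offset on a value headed for a DATETIME column, which stores no timezone; with this change the literal becomes something like `2003-07-20 10:46:43+1000`, and whether MySQL truncates the trailing `+1000` with a warning or rejects the row depends on the server version, so the robust fix is to drop `%z` from the format entirely (`"%Y-%m-%d %H:%M:%S"`) and pick one clock, the sensor's local time or UTC, for every insert. The hunk touches only the `pv.localtime` branch; the `gmtime` branch immediately after it lies outside the change, so its format string should be checked for the same `" %z"` suffix. Also worth a comment at the call site: `strftime` returns 0 and leaves `timebuf` unspecified when `len` is too small, so callers need to test the return value before handing the buffer to the database layer.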





YMMV,

Chris.



-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




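As an added example (not barnyard's code and not from either message in the thread), here is a small C program that formats a time_t into the exact "YYYY-MM-DD HH:MM:SS" shape a MySQL DATETIME column accepts, next to the pre-patch format with its `%z` suffix, plus a strict checker that flags any literal that would not fit the column. Dropping `%z` altogether, rather than only the space before it, is this example's own choice; the sample epoch value, the buffer sizes and the helper names are constructed for the demo.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Scratch buffer shared by the demo helpers below (constructed for the demo). */
static char g_buf[32];

/* Format a time_t as "YYYY-MM-DD HH:MM:SS", the literal shape a MySQL
 * DATETIME column expects, with no zone suffix at all (assumption: the
 * column holds wall-clock time without an offset). use_localtime mirrors
 * barnyard's pv.localtime switch; otherwise UTC is used. Like the original,
 * localtime()/gmtime() are used, so this is not reentrant.
 * Returns the number of characters written, or 0 on failure with an empty
 * string left in buf so a caller never inserts leftover garbage. */
size_t format_mysql_datetime(time_t t, int use_localtime, char *buf, size_t len)
{
    struct tm *tp = use_localtime ? localtime(&t) : gmtime(&t);
    size_t n;

    if (len == 0)
        return 0;
    if (tp == NULL) {
        buf[0] = '\0';
        return 0;
    }
    n = strftime(buf, len, "%Y-%m-%d %H:%M:%S", tp);
    if (n == 0)
        buf[0] = '\0';          /* buffer too small: contents are unspecified */
    return n;
}

/* The pre-patch format, kept only to show what reached the database. */
size_t format_prepatch(time_t t, char *buf, size_t len)
{
    struct tm *tp = gmtime(&t);
    if (tp == NULL || len == 0)
        return 0;
    return strftime(buf, len, "%Y-%m-%d %H:%M:%S %z", tp);
}

/* Strict shape check for a DATETIME literal: 19 characters, digits in the
 * date and time positions, '-', ' ' and ':' as separators, nothing after
 * the seconds. A string that fails here is the kind that ends up stored
 * as the zero date described in the thread. */
int is_mysql_datetime(const char *s)
{
    static const char pattern[] = "dddd-dd-dd dd:dd:dd";
    size_t i;

    if (strlen(s) != sizeof pattern - 1)
        return 0;
    for (i = 0; pattern[i] != '\0'; i++) {
        if (pattern[i] == 'd') {
            if (!isdigit((unsigned char)s[i]))
                return 0;
        } else if (s[i] != pattern[i]) {
            return 0;
        }
    }
    return 1;
}

/* 1 if the no-%z formatter yields an acceptable literal for t, else 0. */
int patched_literal_ok(time_t t)
{
    return format_mysql_datetime(t, 0, g_buf, sizeof g_buf) > 0
        && is_mysql_datetime(g_buf);
}

/* 1 if the pre-patch formatter yields an acceptable literal for t, else 0. */
int prepatch_literal_ok(time_t t)
{
    return format_prepatch(t, g_buf, sizeof g_buf) > 0
        && is_mysql_datetime(g_buf);
}

int main(void)
{
    /* Constructed sample: 2003-07-20 00:46:43 UTC, the patch header's
     * 10:46:43 +1000 expressed in UTC. */
    time_t sample = (time_t)1058662003;
    char buf[32];

    format_prepatch(sample, buf, sizeof buf);
    printf("pre-patch: '%s' -> %s\n", buf,
           is_mysql_datetime(buf) ? "accepted" : "REJECTED (zero-date risk)");
    format_mysql_datetime(sample, 0, buf, sizeof buf);
    printf("no %%z    : '%s' -> %s\n", buf,
           is_mysql_datetime(buf) ? "accepted" : "REJECTED");
    return 0;
}
```

The checker is deliberately stricter than MySQL's own loose parsing: the point is to refuse any literal whose acceptance would depend on the server version, before it reaches an INSERT. To see whether an existing sensor has already been hit, count rows whose timestamp equals the zero date; assuming the snort/ACID schema's `event` table with its `timestamp` column, that is `SELECT COUNT(*) FROM event WHERE timestamp = '0000-00-00 00:00:00'`.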
