Snort mailing list archives

RE: [SPAM] - Random DB names! - Email found in subject


From: "Marc Hering" <mhering () reval com>
Date: Mon, 21 Mar 2005 11:24:01 -0500

Sounds like you have some disk corruption there...
 
Just my $0.02 :)

________________________________

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
Paul.Clements () saga co uk
Sent: Monday, March 21, 2005 11:11 AM
To: snort-users () lists sourceforge net
Subject: [SPAM] - [Snort-users] Random DB names! - Email found in
subject



Hello all, 

I've been using snort happily for the last 3 years or so but now I've
run into a strange problem. 

Due to a comedy Inergen gas release and power down in our Data Centre
all 6 of our snort probes and the Management server were stopped
abruptly. 

When I restarted the probes everything seemed to be working as normal
until we noticed we weren't receiving the volume of alerts that we are
used to. 

On closer inspection (using the -v and -T switches) we noticed that the
database that some of the probes were logging to had changed from what
we had configured them to use, from :- 

database: compiled support for ( mysql ) 
database: configured to use mysql 
database:          user = s^ort0n3 
database: password is set 
database: database name = snort 
database:          host = XXX.XXX.XXX.XXX 
database:   sensor name = XXXXX.saga.co.uk:eth1 
database:     sensor id = 1 
database: schema version = 106 
database: using the "log" facility 

to 

 find_sucess: 0 find_fail: 3 percent_success: (%0.000000) new_flows: 3 
database: Closing connection to database "etected" 

As you can see, when I exit the probe it's reporting that it's closing the
connection to "etected" (on other probes the database has changed to
other names, e.g. "ersion") and not "snort" as it's clearly set to log to in
the snort.conf?! If it's trying to connect to the wrong DB why
doesn't it refuse to start with a connection error?! 

I've tried the following :- 

Restoring the snort.conf from a backup and a fresh copy - with no joy. 
Dropping the aanval and snort databases and recreating them - with no joy. 
Reinstalling snort using the latest version - interestingly this
seems to work for a while, then the same problem recurs! 

We're running  :- 

Probes :  Fedora 3, Mandrake and snort 2.3.1 
Management Server : Fedora 3, apache, mysql, aanval and base. 

Has anyone else had this problem? 

Kind Regards 

Paul 
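The mismatch Paul found by eye (the `database:` banner from `snort -T -v` and the shutdown message disagreeing with the `output database:` line in snort.conf) is the kind of thing worth checking automatically on every probe, so the sensors that silently switched database stand out. Below is an added example, not code from the original post or from the Snort project, that parses the three pieces of text and reports any disagreement. The `output database: log, mysql, user=... dbname=... host=...` syntax is Snort 2.x's; the user name, password, host address and sensor name in the samples are constructed placeholders, not values from the post, and only the `"etected"` database name reproduces the reported symptom.

```python
import re

# Constructed sample input (not from the post): the output plugin line
# from a probe's snort.conf, in the Snort 2.x 'output database:' syntax.
# user/password/host/sensor_name are placeholders.
SAMPLE_CONF = """\
# constructed sample snort.conf fragment
output database: log, mysql, user=snortuser password=secret dbname=snort host=10.0.0.5 sensor_name=probe1:eth1
"""

# Constructed sample of the 'database:' lines printed at startup by
# 'snort -T -v' (values other than the database name are placeholders).
SAMPLE_STARTUP = """\
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snortuser
database: password is set
database: database name = snort
database:          host = 10.0.0.5
database:   sensor name = probe1:eth1
database:     sensor id = 1
database: schema version = 106
database: using the "log" facility
"""

# Constructed sample of the shutdown message, reproducing the symptom in the post.
SAMPLE_SHUTDOWN = """\
find_sucess: 0 find_fail: 3 percent_success: (%0.000000) new_flows: 3
database: Closing connection to database "etected"
"""

# Which startup-banner label corresponds to which snort.conf parameter.
STARTUP_TO_CONF = {
    "user": "user",
    "database name": "dbname",
    "host": "host",
    "sensor name": "sensor_name",
}


def parse_conf_db(conf_text):
    """Return the parameters of the first 'output database:' line, or None."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("output database:"):
            continue
        fields = [f.strip() for f in line[len("output database:"):].split(",")]
        params = {"facility": fields[0], "type": fields[1]}
        # Remaining fields are whitespace-separated key=value tokens.
        for token in " ".join(fields[2:]).split():
            key, _, value = token.partition("=")
            if value:
                params[key] = value
        return params
    return None


def parse_startup_db(startup_text):
    """Map the 'database: label = value' lines of the startup banner to a dict."""
    pattern = re.compile(r"^database:\s*(.+?)\s*=\s*(.+?)\s*$")
    values = {}
    for raw in startup_text.splitlines():
        match = pattern.match(raw.strip())
        if match:
            values[match.group(1)] = match.group(2)
    return values


def parse_shutdown_db(shutdown_text):
    """Return the database name in the plugin's shutdown message, or None."""
    match = re.search(r'Closing connection to database "([^"]*)"', shutdown_text)
    return match.group(1) if match else None


def check_consistency(conf_text, startup_text, shutdown_text):
    """Return a list of mismatches between snort.conf and what the probe reported."""
    findings = []
    conf = parse_conf_db(conf_text)
    if conf is None:
        return ["no 'output database:' line found in snort.conf"]

    startup = parse_startup_db(startup_text)
    for label, key in STARTUP_TO_CONF.items():
        reported = startup.get(label)
        if reported is None:
            findings.append(f"startup banner did not report '{label}'")
        elif reported != conf.get(key):
            findings.append(
                f"startup '{label}' = {reported!r}, snort.conf {key}={conf.get(key)!r}")

    closed = parse_shutdown_db(shutdown_text)
    if closed is None:
        findings.append("no 'Closing connection to database' line in shutdown output")
    elif closed != conf.get("dbname"):
        findings.append(
            f"shutdown closed database {closed!r}, snort.conf dbname={conf.get('dbname')!r}")
    return findings


if __name__ == "__main__":
    for finding in check_consistency(SAMPLE_CONF, SAMPLE_STARTUP, SAMPLE_SHUTDOWN):
        print("MISMATCH:", finding)
```

On the sample input the startup banner agrees with snort.conf and the only finding is the shutdown message naming `"etected"` instead of `snort`. In practice the startup text comes from `snort -T -v` and the shutdown text from the probe's log; running the check on each probe after an unclean restart turns the manual comparison into a pass/fail step.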
  
