[Snort-devel] Oracle-support for Snort (patch)

Thomas Stenhaug tst at ...139...
Wed Dec 6 06:20:56 EST 2000


This patch gives Snort 1.7-beta7 the ability to log to
Oracle-databases when linked to the Oracle 8.6.3R2 OCI-libraries.  I
have no idea what other versions of Oracle it will work with, if any.

Since this is the first time I've worked with the Oracle Call
Interface and snort it's likely to contain a few oopses.

The configure.in-code is a bit naive at this time.  It looks at the
list of directories, and checks if OCI.H resides in any of them.  If
it does it assumes everything is ok, while it should check for the
other two needed header-files and libclntsh and libwtc8 as well.

In the create-script, all integer fields are of INT type.  There is
also a sequence and a trigger there for the SENSOR.SID to
autoincrement.  So far I have failed to make Oracle accept Snort's
EVENT.TIMESTAMP so for now that field is a string.  Constraints are
otherwise the same as for the mysql schema.

The spo_database.h had a duplicate

    #define POSTGRESQL   "postgresql"

so I replaced that one with the Oracle-definition.  The extension to
the DatabaseData-structure is this:

#ifdef ENABLE_ORACLE
  OCIEnv    *o_environment;     /* OCI environment handle */
  OCISvcCtx *o_servicecontext;  /* service context (connection) handle */
  OCIError  *o_error;           /* error handle passed to every OCI call */
  OCIStmt   *o_statement;       /* statement handle */
  OCIDefine *o_define;          /* define handle for output columns */
  text o_errormsg[512];         /* buffer for OCIErrorGet() message text */
  sb4 o_errorcode;              /* Oracle error number from OCIErrorGet() */
#endif

I'm not sure how well those names comply with the way other names are
chosen.

Oracle needs a different escaping than the other databases, so the
snort_escape_string has been changed to accept a DatabaseData-struct
to be able to determine how to escape the string.

  snort_escape_string(char * from, DatabaseData * data)

Some of the queries ended with a semicolon and some did not.  OCI says
it's an illegal character, so I removed the semicolon from those that
did.

I have tried to understand and apply the existing coding-conventions.

So, to build with Oracle-support you have to apply the patch, run
autoconf, make sure the OCI header-files and libraries are installed
and $ORACLE_HOME is pointing to the right place.  (Or point to it with
--with-oracle=...)  

Then add something like this to the appropriate rules-file:

  output database: log, oracle, user=snort password=secret dbname=my.shining.database encoding=ascii detail=full


-------------- next part --------------
A non-text attachment was scrubbed...
Name: oracle-patch-20001206.gz
Type: application/octet-stream
Size: 4467 bytes
Desc: Oracle 8.1.6R2-support for Snort 1.7-beta7
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20001206/d5fc0043/attachment.obj>


-- 
Thomas


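The post says Oracle needs different escaping from the other databases, which is why snort_escape_string() was changed to take a DatabaseData pointer. The block below is an added example (not code from the patch or from Snort) of what that dispatch looks like and why getting it wrong matters: Oracle treats backslash as an ordinary character and only the single quote is special (doubled to ''), whereas the MySQL/PostgreSQL-style escaping in Snort prefixes quote and backslash with a backslash. The DatabaseData layout, the db_type enum and the sample payload are assumptions constructed for this example.

```c
/* Added example, not from the Oracle patch or from Snort itself.
 * The DatabaseData layout and the db_type enum are assumptions; Snort's
 * real struct holds connection handles and more. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum db_type { DB_MYSQL, DB_POSTGRESQL, DB_ORACLE };

typedef struct {
    enum db_type dbtype;   /* assumed field: which escaping rules apply */
} DatabaseData;

/* Return a freshly allocated copy of `from` escaped so that it can be
 * placed between single quotes in an SQL literal for the configured
 * database.  Caller frees the result.
 *
 *  Oracle:            only the single quote is special; it is doubled.
 *                     A backslash is a literal character and is left alone.
 *  MySQL/PostgreSQL:  backslash-escape style; quote and backslash are
 *                     prefixed with a backslash (MySQL also escapes NUL,
 *                     newline, CR and ^Z, omitted here for brevity). */
char *snort_escape_string(const char *from, DatabaseData *data)
{
    size_t len = strlen(from);
    char *to = malloc(2 * len + 1);   /* worst case: every byte doubled */
    if (to == NULL)
        return NULL;

    char *p = to;
    for (const char *s = from; *s != '\0'; s++) {
        if (data->dbtype == DB_ORACLE) {
            if (*s == '\'')
                *p++ = '\'';          /* ' -> '' */
        } else {
            if (*s == '\'' || *s == '\\')
                *p++ = '\\';          /* ' -> \'  and  \ -> \\ */
        }
        *p++ = *s;
    }
    *p = '\0';
    return to;
}

/* Build the literal part of an INSERT for demonstration; the SQL is
 * constructed here and is not Snort's query text. */
static int build_payload_insert(char *out, size_t outlen,
                                const char *payload, DatabaseData *data)
{
    char *esc = snort_escape_string(payload, data);
    if (esc == NULL)
        return -1;
    int n = snprintf(out, outlen,
                     "INSERT INTO data (data_payload) VALUES ('%s')", esc);
    free(esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed hostile payload, as an IDS might capture it in a packet. */
    const char *payload = "x' OR 1=1 --\\";
    char sql[256];
    DatabaseData oracle = { DB_ORACLE };
    DatabaseData mysql  = { DB_MYSQL };

    if (build_payload_insert(sql, sizeof sql, payload, &oracle) == 0)
        printf("oracle: %s\n", sql);
    if (build_payload_insert(sql, sizeof sql, payload, &mysql) == 0)
        printf("mysql:  %s\n", sql);
    return 0;
}
```

The caveat a reviewer would raise: the two schemes are not interchangeable. A backslash-escaped string sent to Oracle leaves `\'` as a literal backslash followed by an unescaped quote, so a payload ending in `'` still closes the literal and the rest of the packet data becomes SQL. Conversely, Oracle-style doubling sent to a backslash-escaping database leaves a trailing backslash free to swallow the closing quote. Since the data being escaped here is attacker-controlled packet content, the per-database dispatch is what keeps the logging path from becoming an injection vector.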