[Snort-devel] FreeBSD system not always retrieving hostname

Carroll Kong damascus at ...243...
Wed Aug 29 00:30:14 EDT 2001


         I ran into this bug when trying to use snort to do remote db logging.

Cannot always reliably get hostname when doing db logging.  Specifically 
using demarc to record the information and noticing that demarc lists the 
logs from hostname "unknown".

FreeBSD 4.3-RELEASE
Snort-1.8.1-RELEASE
Demarc-1.04-02

         I already "patched" it somewhat; however, I doubt my patch is 
portable.  The issue here is that GetHostname in plugbase.c depends on 
the HOST environment variable being set by the shell.  Now, seems odd to me 
why it would fail, but it does fail on occasions?!?  This happened under 
zsh, and tcsh, csh?  Anyway, I checked to see how FreeBSD normally gets 
its hostname, and it does it through a method called gethostname().

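         /* Body of GetHostname() in plugbase.c; needs <stdlib.h> and <unistd.h>. */
         char *error = "unknown";
         char *hostname = malloc(256);
/*    if(getenv("HOSTNAME")) return getenv("HOSTNAME");
     else if(getenv("HOST")) return getenv("HOST");
     else return error;*/
         if(hostname == NULL)
                 return error;
         /* gethostname() returns non-zero on failure */
         if(gethostname(hostname, 256))  {
                 free(hostname);   /* do not leak the buffer on failure */
                 return error;
         }  else  {
                 hostname[255] = '\0';   /* a truncated name may lack a terminator */
                 return hostname;
         }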

         Not sure if it was bad to do it this way, but I just hacked up a 
small patch.  Did I do something wrong in terms of configuration?  It seems 
like snort will work fine sometimes and other times it will not.  (with the 
hostname).  Now I just hardcode the sensor_name flag to the database 
output.  I did not verify if my patch really works, sorry, spent too much 
time trying to get it to work.

         It might be on Demarc's end?  I almost thought so until I tried 
running the method from plugbase.c from my command line and I got the 
"unknown" hostname which is what keeps on popping up in my demarc with 
mysql database setup.

Thanks for a great product!



-Carroll Kong




