[Snort-devel] unknown for src and dst IP's. Latest from CVS

roman at ...49... roman at ...49...
Tue Jun 19 15:12:56 EDT 2001


> Grabbed the source from CVS yesterday to upgrade SNORT and now I have a 
> problem.  It appears SNORT is putting NULL into mySQL, in the fields;
> ip_src0, ip_src1, ip_src2, ip_src3, ip_dst0, ip_dst1, ip_dst2, ip_dst3

This logging is the expected behavior.  The use of
ip_src0-ip_src3 and ip_dst0-ip_dst3 has been deprecated in
favor of a 32-bit unsigned int representation of the IP
address (see: ip_src, ip_dst).  If you'll notice in the v103
create_mysql script, these fields are no longer present.

> I did this manually since using the create_mysql dies when it finds 
> tables that already exist.

The create_* DB scripts are not meant to be upgrade 
scripts, but to create the initial database.  I
suggest selectively adding only the new tables with care.  
It may be possible that the same tables exist
from version to version, but the fields may change.  This
was the case with the ip_src?; also note that priority, sid,
and rev fields were added into the signature table.  Likewise,
applications like ACID will read the version number written to
the database and based on this expect a certain DB schema.
These apps can/will get "confused" if told that they have a
certain schema number, but in reality do not.

cheers,
Roman
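
Added example, not part of Roman's message or of the Snort code: a reader that takes the source or destination address from either the 32-bit ip_src/ip_dst column or the deprecated ip_src0-ip_src3 / ip_dst0-ip_dst3 columns, so rows logged before and after the upgrade can be read together. It assumes the 32-bit value puts the leftmost octet in the high byte (the convention of MySQL's INET_ATON) and that ip_src0 is the leftmost octet; the rows are constructed sample data.

```python
import ipaddress

def octets_to_u32(o0, o1, o2, o3):
    """Pack four octets (o0 = leftmost, an assumption) into an unsigned 32-bit int."""
    octets = (o0, o1, o2, o3)
    if any(not isinstance(o, int) or not 0 <= o <= 255 for o in octets):
        raise ValueError(f"octet out of range: {octets!r}")
    return (o0 << 24) | (o1 << 16) | (o2 << 8) | o3

def u32_to_dotted(value):
    """Render an unsigned 32-bit address as a dotted quad."""
    if not isinstance(value, int) or not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit unsigned value: {value!r}")
    return str(ipaddress.IPv4Address(value))

def row_address(row, prefix):
    """Return the address for prefix 'ip_src' or 'ip_dst' from one row (a dict).

    Prefers the 32-bit column. Falls back to the deprecated octet columns,
    which are NULL (None) in rows written by the newer logging code.
    Returns None when neither representation is populated.
    """
    packed = row.get(prefix)
    if packed is not None:
        return u32_to_dotted(packed)
    octets = [row.get(f"{prefix}{i}") for i in range(4)]
    if all(o is None for o in octets):
        return None
    if any(o is None for o in octets):
        raise ValueError(f"{prefix}0-{prefix}3 only partly populated: {octets!r}")
    return u32_to_dotted(octets_to_u32(*octets))

# Constructed sample rows: one as the newer code logs it (octet fields NULL),
# one as a pre-upgrade row would look (no 32-bit value).
NEW_ROW = {"ip_src": 3232235777, "ip_src0": None, "ip_src1": None,
           "ip_src2": None, "ip_src3": None}
OLD_ROW = {"ip_dst": None, "ip_dst0": 10, "ip_dst1": 0,
           "ip_dst2": 0, "ip_dst3": 5}

if __name__ == "__main__":
    print(row_address(NEW_ROW, "ip_src"))   # address from the 32-bit column
    print(row_address(OLD_ROW, "ip_dst"))   # address from the legacy octets
```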

