[Snort-devel] unknown for src and dst IP's. Latest from CVS
kev at ...52...
Tue Jun 19 15:43:03 EDT 2001
Thanks for the reply, Roman. I guess I'm getting "unknown" as the address
since I'm using an older version of ACID (v0.9.6b9) and it's still looking
to ip_src* to display the IP information. I was putting off upgrading ACID
due to the fact that it requires me to compile php with bcmath. Up until
now I've been using rpms and I really didn't want to get into compiling
source. Do you have any idea where I might find a php-bcmath
module? rpmfind only has one intended for Polish(ed) Linux Distribution
and the RedHat site has nothing. What is the bcmath used for in
ACID? Would it be possible to have it as an option to be turned off in the

At 03:12 PM 6/19/01 +0000, roman at ...49... wrote:
> > Grabbed the source from CVS yesterday to upgrade SNORT and now I have a
> > problem. It appears SNORT is putting NULL into mySQL, in the fields;
> > ip_src0, ip_src1, ip_src2, ip_src3, ip_dst0, ip_dst1, ip_dst2, ip_dst3
>This logging is the expected behavior. The use of
>ip_src0-ip_src3 and ip_dst0-ip_dst3 has been deprecated in
>favor of a 32-bit unsigned int representation of the IP
>address (see: ip_src, ip_dst). If you'll notice in the v103
>create_mysql script, these fields are no longer present.
> > I did this manually since using the create_mysql dies when it finds
> > tables that already exist.
>The create_* DB scripts are not meant to be upgrade
>scripts, but to create the initial database. I
>suggest selectively adding only the new tables with care.
>It may be possible that the same tables exist
>from version to version, but the fields may change. This
>was the case with the ip_src?; also note that priority, sid,
>and rev fields were added into the signature table. Likewise,
>applications like ACID will read the version number written to
>the database and based on this expect a certain DB schema.
>These apps can/will get "confused" if told that they have a
>certain schema number, but in reality do not.