[Snort-devel] unknown for src and dst IP's. Latest from CVS

Kevin Pietersma kev at ...52...
Tue Jun 19 15:43:03 EDT 2001


Thanks for the reply, Roman.  I guess I'm getting "unknown" as the address 
since I'm using an older version of ACID (v0.9.6b9) and it's still looking 
to ip_src* to display the IP information.  I was putting off upgrading ACID 
due to the fact that it requires me to compile PHP with bcmath.  Up until 
now I've been using RPMs and I really didn't want to get into compiling 
source.  Do you have any idea where I might find a php-bcmath 
module?  rpmfind only has one intended for Polish(ed) Linux Distribution 
and the RedHat site has nothing.  What is bcmath used for in 
ACID?  Would it be possible to have it as an option to be turned off in the 
acid_conf.php file?

kev

At 03:12 PM 6/19/01 +0000, roman at ...49... wrote:
> > Grabbed the source from CVS yesterday to upgrade SNORT and now I have a
> > problem.  It appears SNORT is putting NULL into mySQL, in the fields;
> > ip_src0, ip_src1, ip_src2, ip_src3, ip_dst0, ip_dst1, ip_dst2, ip_dst3
>
> This logging is the expected behavior.  The use of
> ip_src0-ip_src3 and ip_dst0-ip_dst3 has been deprecated in
> favor of a 32-bit unsigned int representation of the IP
> address (see: ip_src, ip_dst).  If you'll notice in the v103
> create_mysql script, these fields are no longer present.
>
> > I did this manually since using the create_mysql dies when it finds
> > tables that already exist.
>
> The create_* DB scripts are not meant to be upgrade
> scripts, but to create the initial database.  I
> suggest selectively adding only the new tables with care.
> It may be possible that the same tables exist
> from version to version, but the fields may change.  This
> was the case with the ip_src?; also note that priority, sid,
> and rev fields were added into the signature table.  Likewise,
> applications like ACID will read the version number written to
> the database and based on this expect a certain DB schema.
> These apps can/will get "confused" if told that they have a
> certain schema number, but in reality do not.
>
> cheers,
> Roman
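
The schema change Roman describes, worked through as an added example that is not part of this thread nor code from Snort or ACID: the dotted-quad address packed into the 32-bit unsigned int that the new ip_src/ip_dst columns hold, why an ACID build still reading ip_src0..3 shows "unknown" for rows written under the new schema, and a backfill statement for rows logged under the old per-octet columns. The table name iphdr and the row-as-dict shape are assumptions.

```python
IP_COLS = ("ip_src", "ip_dst")                      # new 32-bit columns named in the thread
OCTET_COLS = {c: tuple(f"{c}{i}" for i in range(4)) for c in IP_COLS}  # deprecated columns


def ip_to_u32(dotted):
    """Dotted quad -> 32-bit unsigned int, most significant octet first."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def u32_to_ip(value):
    """Inverse of ip_to_u32; rejects anything that does not fit in 32 bits."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit unsigned value: {value!r}")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def octets_to_u32(o0, o1, o2, o3):
    """Combine the four deprecated per-octet values; SQL NULL (None) stays NULL."""
    octets = (o0, o1, o2, o3)
    if any(o is None for o in octets):
        return None
    return ip_to_u32(".".join(str(o) for o in octets))


def legacy_display(row, which="ip_src"):
    """What an ACID build that still reads ip_src0..3 shows: under the new
    schema those columns are NULL, so there is nothing to print but 'unknown'."""
    octets = [row.get(col) for col in OCTET_COLS[which]]
    if any(o is None for o in octets):
        return "unknown"
    return ".".join(str(o) for o in octets)


def current_display(row, which="ip_src"):
    """Reading the 32-bit column instead recovers the address."""
    value = row.get(which)
    return "unknown" if value is None else u32_to_ip(value)


def backfill_sql(table="iphdr"):
    """MySQL statement filling ip_src/ip_dst on rows logged before the schema
    change from their per-octet columns (table name is an assumption)."""
    def packed(col):
        return f"{col}0*16777216 + {col}1*65536 + {col}2*256 + {col}3"
    return (f"UPDATE {table} SET ip_src = {packed('ip_src')}, ip_dst = {packed('ip_dst')} "
            f"WHERE ip_src IS NULL AND ip_src0 IS NOT NULL;")
```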