[Snort-devel] DB data size limit is a problem

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Mon Apr 29 13:37:43 EDT 2002


I know this goes for Oracle for certain, and have not had the chance to test
it on the other DBs... So this statement (AFAIK) only applies to Oracle,
currently.

Snort's database output plugin will not log data greater than 4000 bytes
into the data table.  This problem is caused by one thing only... Oracle
limits the size of a string that can be inserted within a direct insert
statement... As seen here:

INSERT INTO table_name (a,b,large_col) VALUES ($a,$b,$large)

If $large > 4000 bytes... you get a:

  database: oracle_error: ORA-01704: string literal too long

The only solution to this problem is to use bindings with prepared
statements.  I posted a little about this before, so I'll avoid repeating
it... But I would say for a certainty that this is a very large bug.  Oracle
does not truncate what is inserted (which would still be a problem)... It
seems to me that anyone who wanted to attack something they knew was being
watched by Snort using DB output would just have to send packets larger
than 4k...

Yes, you can do that... Even though they get broken apart... Stream4 will
reassemble it into its original size...

Now... The alerts still appear, I've tested it... But we do not see any
data.  Unfortunately, it's not an easy patch to get this form of inserting
to work... So I would propose possibly splitting the duties of each unique
database into its own separate code... And then include that code based on
which DBs are being compiled for, having one central piece of code
to do all of the shared functionality.

Anyway, I'm more than willing to try to take my time to rewrite it all...
But I'd rather have some help since my C is a tad rusty.

Thanks
 CJK
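The failure mode described in the post, as an added example that is not Snort's code: a direct insert splices the payload into the SQL text and hits the 4000-byte literal limit, so the event row lands but the data row is lost, while a bound insert carries the payload separately. It runs on SQLite, so the ORA-01704 check is emulated, and the two-table schema (event/data with sid, cid, data_payload) is a simplified assumption; the final query is a defender's audit for alerts whose payload never made it in.

```python
import sqlite3

ORACLE_LITERAL_LIMIT = 4000  # bytes; the ORA-01704 threshold the post describes

def build_literal_insert(sid, cid, payload):
    """Direct-insert style: payload spliced into the statement text.
    Oracle rejects string literals over 4000 bytes; emulated here because
    this example runs on SQLite, not Oracle (assumption)."""
    if len(payload.encode()) > ORACLE_LITERAL_LIMIT:
        raise ValueError("database: oracle_error: ORA-01704: string literal too long")
    escaped = payload.replace("'", "''")
    return (f"INSERT INTO data (sid, cid, data_payload) "
            f"VALUES ({sid}, {cid}, '{escaped}')")

def log_event(conn, sid, cid, payload, use_bindings):
    """Returns True if the payload was stored. The event row is written
    either way, which is why the alert still shows up with no data."""
    conn.execute("INSERT INTO event (sid, cid) VALUES (:sid, :cid)",
                 {"sid": sid, "cid": cid})
    try:
        if use_bindings:
            # Bind variables: the payload never becomes a literal in the
            # SQL text, so there is nothing to exceed the 4000-byte limit.
            conn.execute("INSERT INTO data (sid, cid, data_payload) "
                         "VALUES (:sid, :cid, :payload)",
                         {"sid": sid, "cid": cid, "payload": payload})
        else:
            conn.execute(build_literal_insert(sid, cid, payload))
        return True
    except ValueError:
        return False  # alert kept, payload silently dropped

def events_missing_payload(conn):
    """Audit: alerts that have no matching data row (evidence lost)."""
    return conn.execute(
        "SELECT e.sid, e.cid FROM event e LEFT JOIN data d "
        "ON e.sid = d.sid AND e.cid = d.cid WHERE d.cid IS NULL "
        "ORDER BY e.cid").fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE event (sid INTEGER, cid INTEGER, PRIMARY KEY (sid, cid));
        CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT);""")
    big = "A" * 5000            # constructed: a reassembled stream larger than 4k
    small = "GET / HTTP/1.0"    # constructed: an ordinary small payload
    out = {"small_literal": log_event(conn, 1, 1, small, use_bindings=False),
           "big_literal": log_event(conn, 1, 2, big, use_bindings=False),
           "big_bound": log_event(conn, 1, 3, big, use_bindings=True)}
    out["missing"] = events_missing_payload(conn)
    out["stored_len"] = conn.execute(
        "SELECT length(data_payload) FROM data WHERE cid = 3").fetchone()[0]
    return out
```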
