[Snort-devel] [ snort-Bugs-501387 ] cannot log to multiple oracle databases

noreply at ...12... noreply at ...12...
Tue Mar 26 23:51:12 EST 2002


Bugs item #501387, was opened at 2002-01-09 10:58
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=501387&group_id=3357

Category: None
Group: None
>Status: Closed
Resolution: Fixed
Priority: 1
Submitted By: Chad Kreimendahl (sallgeud)
Assigned to: Nobody/Anonymous (nobody)
Summary: cannot log to multiple oracle databases

Initial Comment:

In the documentation it states that you can log to 
multiple databases.  Our tests show that we can 
connect to multiple instances of mysql but to only one 
oracle.

here's an example of our config:

output database: log, oracle, user=snortids 
dbname=ids00 password=password host=10.10.10.11 
sensor_name=idsse01
output database: log, oracle, user=snortids 
dbname=ids01 password=password host=10.10.10.12 
sensor_name=idsse01

With the above config, only the first one is logged 
to.  We tested to make sure the second sensor was 
alive by commenting out the first line and HUPping.

----------------------------------------------------------------------

>Comment By: Chad Kreimendahl (sallgeud)
Date: 2002-03-25 11:54

Message:
Logged In: YES 
user_id=29059

problem appears resolved in recent builds

----------------------------------------------------------------------

Comment By: Chad Kreimendahl (sallgeud)
Date: 2002-01-10 12:28

Message:
Logged In: YES 
user_id=29059

I've recently discovered that I can, infact, log to 
multiple databases... but found the problem (or bug) 
relating to why it wasn't working in our first dozen 
attempts.

If we manually enter a record into the sensor table:
 13, sensor_name, qfe0, NULL, 1, 0
and snort matches that sensor name (as if it were going to 
use that sid, since it appears to be its id).. we get an 
oracle null value (not null column) error and it does not 
log to the database.

However, if we allow snort to create its own SID, stop 
snort, change the number to match our central DB and start 
snort again, it works just fine.

----------------------------------------------------------------------

You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=501387&group_id=3357




More information about the Snort-devel mailing list