[Snort-devel] [ snort-Bugs-552253 ] bad data inserted into sensor table

noreply at ...12... noreply at ...12...
Mon May 6 08:18:04 EDT 2002


Bugs item #552253, was opened at 2002-05-04 14:18
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=552253&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Mike Gahagan (mikeg2)
Assigned to: Nobody/Anonymous (nobody)
Summary: bad data inserted into sensor table 

Initial Comment:
Using snort 1.8.6 compiled with PostgreSQL support...

The sensor table appears to be getting bad data for the hostname field.
Rather than just the hostname I am getting hostname:interface followed by
a bunch of whitespace. The interface does get filled correctly, as do the
rest of the columns. See example below:
  
snort=> select * from sensor;
 sid |            hostname            |       interface       | filter | detail | encoding
-----+--------------------------------+-----------------------+--------+--------+----------
   1 | firefox                        | [reading from a file] |        |      1 |        0
   2 | 66.57.6.43                     | eth0                  |        |      1 |        0
   6 | 24.25.11.9                     | eth0                  |        |      1 |        0
   7 | 66.57.225.127                  | eth0                  |        |      1 |        0
   8 | 66.57.79.181                   | eth0                  |        |      1 |        0
   9 | firefox:[reading from a file]
 | [reading from a file] |        |      1 |        0
(6 rows)
  
sid#9 was created by this version of snort; all the others come from
1.8.3 and are properly formatted.

----------------------------------------------------------------------

>Comment By: Mike Gahagan (mikeg2)
Date: 2002-05-05 22:28

Message:
Logged In: YES 
user_id=203077

I am also seeing this on the output to the console when snort starts.
It is also showing:
database: sensor_id=1
database: hostname:[reading from a file]
<blank line>
database: ...etc.

so I think it's getting messed up before it gets to the db interface
(in this case postgresql).

File is <STDIN>; snort command line below:

/usr/local/sbin/pdumpq -k - | \
snort -z all -c /etc/snort/snort.conf.blocked \
-der  -

The config file is only slightly modified from the default; let me know
if you need to see it and I will post.
 

----------------------------------------------------------------------
