[Snort-devel] Postgres output bug

David Bizeul david.bizeul at ...2805...
Fri Aug 26 15:54:08 EDT 2005


Hi all,

I've been using Snort in a large environment with Postgres database 
output. We've encountered 2 mistakes with this environment coming from 
spo_database.c:

1 - When snorters are looking for a reference before inserting a new 
signature into the database, if several tuples are returned, then we exit 
the procedure. We found it to be an error, since it's possible (when 
several sensors are placed closely) to have several identical references 
inserted at the same time (i.e. 2 new references for two snorters ahead of 
and behind a firewall). I attach a small patch to correct it. Maybe it 
needs to be reviewed to best match Snort's coding style.

2 - To prevent several snorters inserting references at the same time 
(before the 1st postgres commit), we need to place a delay before 
leaving snort believing it is the first one to insert a new reference. I 
made a patch for that, but it's based on our specific sensor_name, so I 
prefer not to place it there. Maybe a kind of modulus based on the 
sensor_name would give good results.


I hope this post will be helpful.

David


--- spo_database.c    2005-07-11 15:44:54.000000000 +0200
+++ spo_database_patched.c    2005-08-26 11:16:36.000000000 +0200
@@ -53,6 +53,7 @@
 #include <sys/types.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
 
 #include "event.h"
 #include "decode.h"
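Review bot: the added `#include <unistd.h>` has no user in this patch: nothing elsewhere in the diff calls sleep() or usleep() (the delay mentioned in the last hunk is only a comment), so the include should either be dropped until the code that needs it lands, or the patch should carry the call it is meant to support.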
@@ -2262,16 +2263,15 @@
         {
             if(PQntuples(data->p_result))
             {
+                +               /* Whatever the result is, we return 
the real value and not 0 if it's >1 */
+                                +               /* If return=0 when 
result>1 it inserts many alerts references tuples in DB */
+                                +
                 if((PQntuples(data->p_result)) > 1)
                 {
                     ErrorMessage("database: warning (%s) returned more 
than one result\n",
                                  query);
-                    result = 0;
                 }
-                else
-                {
-                    result = atoi(PQgetvalue(data->p_result,0,0));
-                }
+                result = atoi(PQgetvalue(data->p_result,0,0));
             }
         }
         if(!result)
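Review bot: the hunk as pasted will not apply: the three comment lines after the `if(PQntuples(data->p_result))` brace carry a doubled `+ ... +` prefix and are wrapped mid-comment, so `patch` will reject them; they should be resubmitted as single-prefix lines, preferably as an attachment rather than inline. On the logic, dropping `result = 0;` and reading row 0 does stop a multi-row lookup from triggering yet another INSERT, which is the growth the cover mail describes, but the lookup query has no ordering guarantee, so which duplicate's id gets attached to events is arbitrary, and the duplicate rows already in the table stay there. A UNIQUE constraint on the columns the lookup matches on (with a one-off de-duplication of existing rows) would make the "returned more than one result" branch unreachable rather than merely tolerated.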
@@ -2281,6 +2281,13 @@
                 ErrorMessage("database: postgresql_error: %s\n",
                              PQerrorMessage(data->p_connection));
             }
+            
+            /* In case no result is received, we should insert a delay 
(may be) depending on hostname to prevent */
+            /* two snorters or more to insert simultaneously in 
database. This should happens when two snorters placed */
+            /* ahead and behind a firewall.  */
+            
+          
+            
         }
         PQclear(data->p_result);
     }
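Review bot: the only non-comment additions in this hunk are four whitespace-only `+` lines, which change no behaviour and leave trailing whitespace in the file; either drop the hunk or replace the comment with the code it describes. The delay it proposes, keyed on hostname or sensor_name, only shrinks the window between the SELECT miss and the INSERT rather than closing it: two sensors that land on the same delay slot still race. Handling the duplicate-key error returned by the INSERT, or making the INSERT idempotent against a UNIQUE constraint and re-running the lookup afterwards, removes the need for any timing assumption.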

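The race described in the mail (two sensors both miss the lookup, then both insert) and the fix a reviewer would suggest in place of a sensor-keyed delay, as an added illustration that is not part of the original post or of Snort's spo_database.c. It uses an in-memory SQLite database instead of PostgreSQL so it runs offline; the table shape (ref_id, ref_system_id, ref_tag) is an assumption modelled loosely on Snort's `reference` table, the sample tag is a constructed value, and SQLite's `INSERT OR IGNORE` stands in for PostgreSQL's `INSERT ... ON CONFLICT DO NOTHING` (available from 9.5).

```python
import sqlite3
from typing import List, Optional

# Constructed sample: one reference system id and one tag, as two sensors
# would both try to register when they see the same new signature together.
SAMPLE_SYSTEM_ID = 1
SAMPLE_TAG = "example-ref-tag"  # constructed value, not a real reference


def make_db(unique: bool) -> sqlite3.Connection:
    """Create an in-memory table shaped like Snort's `reference` table
    (assumed columns ref_id, ref_system_id, ref_tag), with or without a
    UNIQUE constraint on the columns the lookup matches on."""
    con = sqlite3.connect(":memory:")
    constraint = ", UNIQUE (ref_system_id, ref_tag)" if unique else ""
    con.execute(
        "CREATE TABLE reference ("
        " ref_id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " ref_system_id INTEGER NOT NULL,"
        " ref_tag TEXT NOT NULL" + constraint + ")"
    )
    return con


def lookup(con: sqlite3.Connection, system_id: int, tag: str) -> Optional[int]:
    """The SELECT the output plugin runs before deciding to INSERT.  Returns
    the first matching ref_id (what the patched C code does when more than
    one tuple comes back) or None when the lookup misses."""
    rows = con.execute(
        "SELECT ref_id FROM reference WHERE ref_system_id = ? AND ref_tag = ?",
        (system_id, tag),
    ).fetchall()
    return rows[0][0] if rows else None


def count_rows(con: sqlite3.Connection, system_id: int, tag: str) -> int:
    """How many rows exist for one (system, tag) pair; >1 means duplicates."""
    return con.execute(
        "SELECT COUNT(*) FROM reference WHERE ref_system_id = ? AND ref_tag = ?",
        (system_id, tag),
    ).fetchone()[0]


def select_then_insert_race(con, system_id, tag, sensors=2) -> List[Optional[int]]:
    """Worst-case interleaving of the select-then-insert logic: every sensor
    runs its lookup before any of them has inserted, so all of them miss,
    then each one inserts.  Returns the ref_id each sensor ends up with;
    None means its INSERT failed with a unique violation (the error a plugin
    relying on a UNIQUE constraint would have to handle)."""
    missed = [lookup(con, system_id, tag) is None for _ in range(sensors)]
    ids: List[Optional[int]] = []
    for miss in missed:
        if not miss:  # row already present: just reuse it
            ids.append(lookup(con, system_id, tag))
            continue
        try:
            cur = con.execute(
                "INSERT INTO reference (ref_system_id, ref_tag) VALUES (?, ?)",
                (system_id, tag),
            )
            ids.append(cur.lastrowid)
        except sqlite3.IntegrityError:
            ids.append(None)
    return ids


def insert_ignore_then_select(con, system_id, tag, sensors=2) -> List[Optional[int]]:
    """Idempotent variant: insert first and let the UNIQUE constraint discard
    duplicates, then read back the single surviving row.  The order in which
    sensors run no longer matters, so no delay is needed.  PostgreSQL
    spelling of the same statement: INSERT ... ON CONFLICT DO NOTHING."""
    for _ in range(sensors):
        con.execute(
            "INSERT OR IGNORE INTO reference (ref_system_id, ref_tag) VALUES (?, ?)",
            (system_id, tag),
        )
    return [lookup(con, system_id, tag) for _ in range(sensors)]


if __name__ == "__main__":
    for unique in (False, True):
        con = make_db(unique)
        ids = select_then_insert_race(con, SAMPLE_SYSTEM_ID, SAMPLE_TAG)
        print("unique=%s select-then-insert ids=%s rows=%d"
              % (unique, ids, count_rows(con, SAMPLE_SYSTEM_ID, SAMPLE_TAG)))
    con = make_db(True)
    ids = insert_ignore_then_select(con, SAMPLE_SYSTEM_ID, SAMPLE_TAG)
    print("unique=True insert-or-ignore ids=%s rows=%d"
          % (ids, count_rows(con, SAMPLE_SYSTEM_ID, SAMPLE_TAG)))
```

Without the constraint the race yields two rows for one reference, which is exactly the multi-tuple lookup the first hunk works around; with the constraint but the original select-then-insert order, the slower sensor's INSERT fails and it has no id to attach to its event; with the insert-first form, both sensors converge on the same single row.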