[Snort-devel] Bug: mysql logging not recording event timestamps properly

Axton axton.grams at ...2499...
Sun Jan 8 10:43:01 EST 2006


System Architecture:

*** Sensor Machine:
 - Architecture: sparc64 (ultrasparc IIe 500mhz)
 - OS: OpenBSD 3.8 GENERIC#607 sparc64
 - Snort: Version 2.4.3 (Build 26)
 - Preprocessors: Default with snapshot from 2005-12-30
 - Rules: Default with snapshot from 2005-12-30
 - Output plugins: mysql
 - CL Switches: -D -d -c /etc/snort/rules/snort_ext.conf -u snort -g snort -i hme0
 - Snort Err Msg: n/a
 - Configure flags when compiling: --with-mysql --prefix=/usr/local --build=sparc64
 - mysql client: mysql  Ver 12.22 Distrib 4.0.24, for unknown-openbsd3.8 (sparc64)
	
*** Database Machines tested (#1)
 - Architecture: i686 (P4 1.6ghz)
 - OS: Linux 2.6.14-1.1653_FC4 #1 Tue Dec 13 21:32:09 EST 2005 i686 i686 i386 GNU/Linux
 - mysql client: Ver 12.22 Distrib 4.0.24, for unknown-openbsd3.8 (sparc64)
 - mysql db: 4.1.16

*** Database Machines tested (#2)
 - Architecture: i386
 - OS: FreeBSD 4.10-RELEASE #6: Fri May 27 16:25:57 MDT 2005
 - mysql client: Ver 14.7 Distrib 4.1.15, for portbld-freebsd4.10 (i386) using readline 5.0
 - mysql db: 4.1.15

Problem description:
 - Snort is logging entries into mysql with the event timestamp as 0000-00-00 00:00:00
 - mysql table/column info:
   - Table: event
   - Column: timestamp
 - mysql schema version: 106

Discovery method:
 - Viewing events in BASE

Root Cause:
 - MySQL only supports storing date/time information to the precision
of 1 second. Snort is attempting to send the time to the precision of
1/1000000000 second. When a value is inserted where the precision is
greater than 1/100000 second, the column is set to the default (which
in this case is 0000-00-00 00:00:00), although the SQL insert
succeeds.
 - This was discovered by using tcpdump to capture the SQL insert
statement and then attempting to run the statement manually. The
results are reproducible.

Resolution:
 - This problem can be resolved using the following diff for spo_database.c:

--- BEGIN DIFF ---

# diff -u spo_database.c.orig spo_database.c
--- spo_database.c.orig Sun Jan  8 13:16:00 2006
+++ spo_database.c      Sun Jan  8 13:19:31 2006
@@ -1005,6 +1005,24 @@
         }
     }
 #endif
+
+#ifdef ENABLE_MYSQL
+    if (data->shared->dbtype_id == DB_MYSQL)
+    {
+        /* mysql does not support date information smaller
+         * than 1 second. To go along with the TO_DATE()
+         * This was written to strip out all the excess
+         * information. (everything beyond a second)
+         * Use the mysql format of:
+         *   "2005-12-23 22:37:16"
+         */
+        if ( timestamp_string!=NULL && strlen(timestamp_string)>20 )
+        {
+            timestamp_string[19] = '\0';
+        }
+    }
+#endif
+
 #ifdef ENABLE_ODBC
     if (data->shared->dbtype_id == DB_ODBC)
     {
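Review bot: the length guard `strlen(timestamp_string)>20` is off by one against the comment's own target format: "2005-12-23 22:37:16" is 19 characters, so a 20-character string (one trailing fraction character) slips through untruncated; `> 19` matches the stated intent. Cutting at a fixed index also assumes the string always starts with exactly that 19-character prefix; locating the fractional separator is more robust and is a no-op when no fraction is present: `char *frac = strchr(timestamp_string, '.'); if (frac != NULL) *frac = '\0';`. The comment's "To go along with the TO_DATE()" refers to nothing in the hunk and should be reworded or point at the code it means. Because the buffer is modified in place, it is worth confirming that the caller does not reuse timestamp_string afterwards expecting the sub-second part.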

--- END DIFF ---

Axton Grams
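As a companion to the root cause described in the report, the following is an added example, my own code rather than Axton's patch or Snort's spo_database.c. It normalizes a Snort-style timestamp into the 19-character MySQL DATETIME form by validating the shape of the string and rejecting anything unexpected, instead of cutting at a fixed index. It assumes the input shape "YYYY-MM-DD HH:MM:SS" optionally followed by "." and digits, which is what the patch comment and the root cause imply; the sample inputs in main are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* A MySQL DATETIME literal "YYYY-MM-DD HH:MM:SS" is 19 characters long. */
#define MYSQL_DATETIME_LEN 19

/* Copy the leading "YYYY-MM-DD HH:MM:SS" part of a Snort timestamp
 * string into out, dropping any ".ffffff" fraction. The input shape is
 * an assumption taken from the patch comment in the report, not from
 * Snort's own code. Returns 1 on success and 0 when the input does not
 * have that shape or out is too small, so a malformed string is never
 * handed to the database where it would be stored as the zeroed default. */
int mysql_datetime_from_snort(const char *in, char *out, size_t outlen)
{
    size_t i;

    if (in == NULL || out == NULL || outlen < MYSQL_DATETIME_LEN + 1)
        return 0;
    if (strlen(in) < MYSQL_DATETIME_LEN)
        return 0;

    /* Check every fixed position: separators where expected, digits elsewhere. */
    for (i = 0; i < MYSQL_DATETIME_LEN; i++) {
        char c = in[i];
        int ok;
        if (i == 4 || i == 7)
            ok = (c == '-');
        else if (i == 10)
            ok = (c == ' ');
        else if (i == 13 || i == 16)
            ok = (c == ':');
        else
            ok = (c >= '0' && c <= '9');
        if (!ok)
            return 0;
    }

    /* Whatever follows the 19-character prefix must be nothing, or a '.'
     * followed by digits only (the sub-second part MySQL cannot store). */
    if (in[MYSQL_DATETIME_LEN] != '\0') {
        if (in[MYSQL_DATETIME_LEN] != '.')
            return 0;
        for (i = MYSQL_DATETIME_LEN + 1; in[i] != '\0'; i++)
            if (in[i] < '0' || in[i] > '9')
                return 0;
    }

    memcpy(out, in, MYSQL_DATETIME_LEN);
    out[MYSQL_DATETIME_LEN] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: the microsecond form described in the
     * report, a plain one, and two malformed strings. */
    const char *samples[] = {
        "2005-12-23 22:37:16.123456",
        "2005-12-23 22:37:16",
        "2005-12-23 22:37:16.12x",
        "23/12/2005 22:37:16",
    };
    char out[MYSQL_DATETIME_LEN + 1];
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        if (mysql_datetime_from_snort(samples[n], out, sizeof out))
            printf("%-28s -> '%s'\n", samples[n], out);
        else
            printf("%-28s -> rejected\n", samples[n]);
    }
    return 0;
}
```

Rejecting rather than truncating a malformed string matters for the same reason the bug matters: an event whose timestamp column holds 0000-00-00 00:00:00 still carries its packet data but cannot be placed on a timeline. Rows already written before the fix can be found by counting event rows whose timestamp column equals that zeroed default, and any incident reconstruction spanning that period should treat their ordering as unreliable.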



