[Snort-devel] Re: Bug: mysql logging not recording event timestamps properly

Marc Norton mnorton at ...402...
Mon Jan 9 06:36:16 EST 2006


Thanks,

We'll take a look at it, and get back to you.

Axton wrote:

>System Architecture:
>
>*** Sensor Machine:
> - Architecture: sparc64 (ultrasparc IIe 500mhz)
> - OS: OpenBSD 3.8 GENERIC#607 sparc64
> - Snort: Version 2.4.3 (Build 26)
> - Preprocessors: Default with snapshot from 2005-12-30
> - Rules: Default with snapshot from 2005-12-30
> - Output plugins: mysql
> - CL Switches: -D -d -c /etc/snort/rules/snort_ext.conf -u snort -g
>snort -i hme0
> - Snort Err Msg: n/a
> - Configure flags when compiling: --with-mysql --prefix=/usr/local
>--build=sparc64
> - mysql client: mysql  Ver 12.22 Distrib 4.0.24, for
>unknown-openbsd3.8 (sparc64)
>	
>*** Database Machines tested (#1)
> - Architecture: i686 (P4 1.6ghz)
> - OS: Linux 2.6.14-1.1653_FC4 #1 Tue Dec 13 21:32:09 EST 2005 i686
>i686 i386 GNU/Linux
> - mysql client: Ver 12.22 Distrib 4.0.24, for unknown-openbsd3.8 (sparc64)
> - mysql db: 4.1.16
>
>*** Database Machines tested (#2)
> - Architecture: i386
> - OS: FreeBSD 4.10-RELEASE #6: Fri May 27 16:25:57 MDT 2005
> - mysql client: Ver 14.7 Distrib 4.1.15, for portbld-freebsd4.10
>(i386) using readline 5.0
> - mysql db: 4.1.15
>
>Problem description:
> - Snort is logging entries into mysql with the event timestamp as
>0000-00-00 00:00:00
> - mysql table/column info:
>   - Table: event
>   - Column: timestamp
> - mysql schema version: 106
>
>Discovery method:
> - Viewing events in BASE
>
>Root Cause:
> - mySql only supports storing date/time information to the precision
>of 1 second. Snort is attempting to send the time to the precision of
>1/1000000000 second. When a value is inserted where the precision is
>greater than 1/100000 second, the column is set to the default (which
>in this case is 0000-00-00 00:00:00), although the sql insert
>succeeds.
> - This was discovered using tcpdump to capture the sql insert
>statement then attempting to run the statement manually.  The results
>are reproducible.
>
>Resolution:
> - This problem can be resolved using the following diff for spo_database.c:
>
>--- BEGIN DIFF ---
>
># diff -u spo_database.c.orig spo_database.c
>--- spo_database.c.orig Sun Jan  8 13:16:00 2006
>+++ spo_database.c      Sun Jan  8 13:19:31 2006
>@@ -1005,6 +1005,24 @@
>         }
>     }
> #endif
>+
>+#ifdef ENABLE_MYSQL
>+    if (data->shared->dbtype_id == DB_MYSQL)
>+    {
>+        /* mysql does not support date information smaller
>+         * than 1 second. To go along with the TO_DATE()
>+         * This was written to strip out all the excess
>+         * information. (everything beyond a second)
>+         * Use the mysql format of:
>+         *   "2005-12-23 22:37:16"
>+         */
>+        if ( timestamp_string!=NULL && strlen(timestamp_string)>20 )
>+        {
>+            timestamp_string[19] = '\0';
>+        }
>+    }
>+#endif
>+
> #ifdef ENABLE_ODBC
>     if (data->shared->dbtype_id == DB_ODBC)
>     {
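Review bot: the guard `strlen(timestamp_string)>20` does not match the write at `timestamp_string[19]`: the MySQL form "2005-12-23 22:37:16" is 19 characters, so a 20-character string (the 19-character form plus one trailing character) passes through untouched while a 21-character one is cut at index 19. If the intent is "anything longer than the 19-character form gets truncated", the condition should be `> 19`. The comment should also say that fractional seconds are dropped rather than rounded, and that the truncation assumes the string starts with the fixed-width "YYYY-MM-DD HH:MM:SS" prefix; a short check of that prefix before writing into index 19 would avoid silently corrupting a differently formatted timestamp_string.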
>
>--- END DIFF ---
>
>Axton Grams
>


-- 
Marc Norton      Snort Team Lead
Sourcefire,Inc   410-423-1924
www.snort.org    www.sourcefire.com 
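The report above describes MySQL 4.x zeroing a DATETIME column when the inserted text carries sub-second precision. The following added example (not Snort's spo_database.c code, and not from either poster) shows a defensive way to produce the "YYYY-MM-DD HH:MM:SS" form: it validates the fixed-width prefix before copying, rejects anything that is not that prefix plus an optional dot-separated fractional part, and handles the exact-19 and exact-20 length cases. It assumes Snort's timestamp string begins with that prefix; the helper name and the sample inputs are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Length of the MySQL DATETIME text form "YYYY-MM-DD HH:MM:SS". */
#define MYSQL_DT_LEN 19

/*
 * Copy the "YYYY-MM-DD HH:MM:SS" prefix of a timestamp string into out,
 * dropping any fractional-second suffix such as ".123456789".
 * Returns 1 when the prefix is well formed and was copied, 0 otherwise
 * (out is then the empty string).  Hypothetical helper for this thread,
 * not code from Snort's spo_database.c.
 */
int mysql_datetime_truncate(const char *in, char *out, size_t outsz)
{
    static const char shape[] = "dddd-dd-dd dd:dd:dd";  /* d = digit */
    size_t i;

    if (out == NULL || outsz < MYSQL_DT_LEN + 1)
        return 0;
    out[0] = '\0';
    if (in == NULL || strlen(in) < MYSQL_DT_LEN)
        return 0;

    /* Validate the fixed-position prefix before trusting it. */
    for (i = 0; i < MYSQL_DT_LEN; i++) {
        if (shape[i] == 'd') {
            if (!isdigit((unsigned char)in[i]))
                return 0;
        } else if (in[i] != shape[i]) {
            return 0;
        }
    }

    /* Anything after the prefix must be a fractional part or nothing. */
    if (in[MYSQL_DT_LEN] != '\0' && in[MYSQL_DT_LEN] != '.')
        return 0;
    for (i = MYSQL_DT_LEN + 1; in[MYSQL_DT_LEN] == '.' && in[i] != '\0'; i++)
        if (!isdigit((unsigned char)in[i]))
            return 0;

    memcpy(out, in, MYSQL_DT_LEN);
    out[MYSQL_DT_LEN] = '\0';
    return 1;
}
```

A caller that gets 0 back should log the offending string and skip the insert rather than let the database silently store 0000-00-00 00:00:00.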