[Snort-devel] Silly snort 2.4.3 annoyance - missing DB name

Dirk Geschke dirk at ...972...
Tue Jan 24 06:14:03 EST 2006


Hi Martin,

> database output plugin:
> output database: log, mysql, user=foo password=foo dbname=bar host=1.1.1.1 sensor_name=gazonk
> 
> When the self test is exiting the following is printed:
[...]
> database: Closing connection to database ""     <-----------------
> Snort exiting
> 
> 
> Shouldn't it print 'Closing connection to database "bar"' or something?

No, this is not really a bug but misinformation. The test mode ends
before the output plugins are activated. So there was not a connection
to the database at all.

But if the test mode ends, it calls:

    if(pv.test_mode_flag)
    {
        LogMessage("\nSnort sucessfully loaded all rules and checked all rule "
                "chains!\n");
        CleanExit(0);
    }

So it tries to do a CleanExit, this routine calls the registered but
not activated exit routine from the database output plugin.

Since the activate routine will copy the sensor name:

        if(!strncasecmp(dbarg,KEYWORD_DBNAME,strlen(KEYWORD_DBNAME)))
        {
            data->shared->dbname = a1;
            if( !pv.quiet_flag ) printf("database: database name = %s\n", data->shared->dbname);

this will never be set so it could be used in the Disconnect()
function.

But maybe one should change the test mode to also check the output
plugins... (But if you are trying to check the syntax of your config
file on a central machine before installing it on remote sensors 
this could lead to strange results. Think of one snort process 
which is already connected to the database with this sensor
name.)

Best regards

Dirk
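
An added example, not part of the original message and not Snort's code: a minimal C model of the lifecycle described above, where an exit handler registered at config-parse time runs even though activation was skipped in test mode. The struct, the function names, the sample value "bar" and the guarded variant are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the plugin's shared state; not Snort's struct. */
typedef struct {
    const char *dbname;   /* filled in only when the plugin is activated */
    int connected;        /* set once a connection really exists */
} db_state;

static char last_msg[128];   /* captures what the exit handler would log */

/* Behaviour described in the post: the handler logs unconditionally. */
static int db_exit_unguarded(const db_state *s)
{
    snprintf(last_msg, sizeof last_msg,
             "database: Closing connection to database \"%s\"",
             s->dbname ? s->dbname : "");
    return 1;
}

/* Guarded variant (assumption): stay silent if activation never ran. */
static int db_exit_guarded(const db_state *s)
{
    if (!s->connected || s->dbname == NULL)
        return 0;
    return db_exit_unguarded(s);
}

/* Register at parse time, optionally activate, then run the exit handler
 * the way a clean exit would. test_mode skips the activation step. */
static int run_lifecycle(int (*on_exit)(const db_state *), int test_mode)
{
    db_state st = { NULL, 0 };          /* registered, not yet activated */
    last_msg[0] = '\0';
    if (!test_mode) {                   /* activation: parse args, connect */
        st.dbname = "bar";              /* constructed sample value */
        st.connected = 1;
    }
    return on_exit(&st);
}

int main(void)
{
    run_lifecycle(db_exit_unguarded, 1); printf("unguarded: %s\n", last_msg);
    run_lifecycle(db_exit_guarded, 1);   printf("guarded:   [%s]\n", last_msg);
    run_lifecycle(db_exit_guarded, 0);   printf("normal:    %s\n", last_msg);
    return 0;
}
```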



