[Snort-devel] Silly snort 2.4.3 annoyance - missing DB name

Eric Lauzon eric.lauzon at ...1967...
Tue Jan 24 07:21:04 EST 2006


I don't know about your setup, but from experience I would tell you to
stay away from spo_database.c, as logging to a DBMS is a blocking call,
and as a drawback, if your database has some performance issue or if your
monitored network interface receives a burst of packets, you might have some
drops; even with buffered libpcap this issue may happen.

-elz



> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net 
> [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of 
> Martin Olsson
> Sent: 24 janvier 2006 09:21
> To: Dirk Geschke
> Cc: bugs at ...835...; snort-devel mailinglist
> Subject: Re: [Snort-devel] Silly snort 2.4.3 annoyance - 
> missing DB name
> 
> 
> On Tue, 24 Jan 2006, Dirk Geschke wrote:
> > > database output plugin:
> > > output database: log, mysql, user=foo password=foo dbname=bar 
> > > host=1.1.1.1 sensor_name=gazonk
> > >
> > > When the self test is exiting the following is printed:
> > [...]
> > > database: Closing connection to database ""     <-----------------
> > > Snort exiting
> > >
> > > Shouldn't it print 'Closing connection to database "bar"' or something?
> >
> > No, this is not really a bug but a misinformation. The test mode ends
> > before the output plugins are activated. So there was not a connection
> > to the database at all.
> 
> Oh, yes there must be a database connection in testmode:
> 
> database: compiled support for ( mysql )
> database: configured to use mysql
> database:          user = foo
> database: password is set
> database: database name = bar
> database:          host = 1.1.1.1
> database:   sensor name = gazonk
> database:     sensor id = 2             <--------
> database: schema version = 106
> database: using the "log" facility
> 
> If no connection is made, where does the sensor id come from?
> 
> 
> > But if you are trying to check the syntax of your config file on a
> > central machine before installing it on remote sensors this could lead
> > to strange results. Think of one snort process which is already
> > connected to the database with this sensor name.
> 
> No, I'm running the test on the sensor itself. :-)
> 
> /Martin
> 
> 
> 