[Snort-devel] Silly snort 2.4.3 annoyance - missing DB name
eric.lauzon at ...1967...
Tue Jan 24 07:21:04 EST 2006
I don't know about your setup, but from experience I would tell you to
stay away from spo_database.c, as logging to a DBMS is a blocking call,
and as a drawback, if your database has some performance issue or if your
monitored network interface receives a burst of packets, you might have some
drops; even with buffered libpcap this issue may happen.
> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net
> [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of
> Martin Olsson
> Sent: 24 janvier 2006 09:21
> To: Dirk Geschke
> Cc: bugs at ...835...; snort-devel mailinglist
> Subject: Re: [Snort-devel] Silly snort 2.4.3 annoyance -
> missing DB name
> On Tue, 24 Jan 2006, Dirk Geschke wrote:
> > > database output plugin:
> > > output database: log, mysql, user=foo password=foo dbname=bar
> > > host=184.108.40.206 sensor_name=gazonk
> > >
> > > When the self test is exiting the following is printed:
> > [...]
> > > database: Closing connection to database "" <-----------------
> > > Snort exiting
> > >
> > > Shouldn't it print 'Closing connection to database "bar"' or something?
> > no, this is not really a bug but a misinformation. The test mode ends
> > before the output plugins are activated. So there was not a
> > to the database at all.
> Oh, yes there must be a database connection in testmode:
> database: compiled support for ( mysql )
> database: configured to use mysql
> database: user = foo
> database: password is set
> database: database name = bar
> database: host = 220.127.116.11
> database: sensor name = gazonk
> database: sensor id = 2 <--------
> database: schema version = 106
> database: using the "log" facility
> If no connection is made, where does the sensor id come from?
> > But if you are trying to check the syntax of your config file on a
> > central machine before installing it on remote sensors this could lead
> > to strange results. Think of one snort process which is already
> > connected to the database with this sensor name.
> No, I'm running the test on the sensor itself. :-)
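The packet-drop effect described at the top of this message, as an added example that is not part of the original post and is not Snort code: a small deterministic model of a single-threaded sensor whose output call blocks. The struct, function name and all timing numbers are constructed assumptions, and every packet in the burst is assumed to be logged.

```c
#include <stdio.h>

/* Constructed model, not Snort code. One thread reads a fixed-size capture
 * buffer; each packet costs detect_us of inspection plus out_us blocked in
 * the output call (assumption: every packet in the burst gets logged). */
typedef struct {
    long burst_pkts;  /* packets in the burst */
    long gap_us;      /* inter-arrival time during the burst */
    long buf_slots;   /* capture buffer capacity, in packets */
    long detect_us;   /* per-packet inspection cost */
    long out_us;      /* per-packet time blocked in the output call */
} sensor_model;

/* Returns how many packets arrive while the capture buffer is full. */
long simulate_drops(const sensor_model *m)
{
    long service = m->detect_us + m->out_us;
    long queued = 0, busy_until = 0, dropped = 0;

    for (long i = 0; i < m->burst_pkts; i++) {
        long now = i * m->gap_us;
        /* Sensor finished earlier: it pulls waiting packets from the buffer. */
        while (queued > 0 && busy_until <= now) {
            queued--;
            busy_until += service;
        }
        if (queued == 0 && busy_until <= now)
            busy_until = now + service;  /* idle sensor takes the packet directly */
        else if (queued < m->buf_slots)
            queued++;                    /* sensor busy: packet waits in the buffer */
        else
            dropped++;                   /* buffer full: packet is lost */
    }
    return dropped;
}

int main(void)
{
    /* Constructed numbers: 10,000 packets 10 us apart, 1,000-slot buffer. */
    sensor_model fast = { 10000, 10, 1000, 5, 0 };    /* output returns at once */
    sensor_model slow = { 10000, 10, 1000, 5, 200 };  /* 200 us per DB insert */
    printf("output returns at once: %ld dropped\n", simulate_drops(&fast));
    printf("output blocks 200 us:   %ld dropped\n", simulate_drops(&slow));
    return 0;
}
```

The buffer only delays the loss: once the per-packet service time exceeds the inter-arrival gap, the buffer fills and every further arrival in the burst is dropped until a slot frees up.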