[Snort-devel] Silly snort 2.4.3 annoyance - missing DB name

Dirk Geschke dirk at ...972...
Tue Jan 24 08:48:59 EST 2006


Hi Martin,

> > [...]
> > > database: Closing connection to database ""     <-----------------
> database:   sensor name = gazonk

[...]
> database:     sensor id = 2             <--------
> database: schema version = 106
> database: using the "log" facility
> 
> If no connection is made, where does the sensor id come from?

Yes, I missed it, the initialization of the output plugins was
much earlier than the other ones.

But the database code is correct, the missing database name
is much uglier than it seems...

If I run it in test mode I get similar results:

database: Closing connection to database " using an unusual port,2"

This string results from classification.config and should not
be part of the database data.

I verified the pointers, they are on exit the same as they were
initialized. So I think that there is somewhere else a big problem
where a function writes its data to an area which does not
belong to...

> > But if you are trying to check the syntax of your config
> > file on a central machine before installing it on remote sensors
> > this could lead to strange results. Think of one snort process
> > which is already connected to the database with this sensor
> > name.
> 
> No, I'm running the test on the sensor itself. :-)

Yes, but if you have a new configuration and want to
test it first before you stop the running snort process and
replace the configuration?

If you first have to stop the old snort process and then have
to fiddle around to find a working config file, you are blind
to attacks during this time...

(BTW: I would not use the database output plugin, use something
which is decoupled. If the database hangs or gets restarted you
will run into big problems...)

Best regards

Dirk



