[Snort-users] postgres database module oddities...
emf at ...367...
Wed Aug 23 21:08:04 EDT 2000
Okay.. I've got myself stuck. Hopefully someone on this list has done what
I'm trying to do or at least can offer up some ideas.
I'm using snort-1.6.3 and postgres-7.0.2. I have one backend database machine
and several sensors. Event insertion into the database works pretty well
except for one glaring problem.. No Packet Body!
So.... what I thought I'd do is run "snort -b" to write to tcpdump output
files (which I want to have lying around on the system *anyway*, as they're
incredibly useful at times, and certainly faster to log to) and then when I
restart (which I do at 0000 GMT currently, and plan to do more often than that)
run snort in readback mode so that it inserts events into the database.
And then I discovered my problem.... When I insert events into the database,
they get timestamped with the *INSERTION TIME*, not the stored time in the
tcpdump binary file. The $LOGDIR/alert file that gets created during readback
contains the correct times, but the times as inserted into the database in
the timestamp field are completely wrong.
A quick check into spo_log_database.c, line 410, shows that for some reason,
sprintf(i0, "INSERT INTO event (sid,cid,signature,timestamp) VALUES ('%i
^^^^^ this is the culprit.
So, somehow, this needs to be modified to get the true timestamp, not the
INSERT event timestamp.
Was there a reason this was done this way that I'm missing?
Security Administrator, ServerVault, Inc.
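The behaviour the post describes, and the fix it asks for, shown as an added example that is not snort's code and not part of the original message. It builds a two-packet pcap file inline (constructed sample, timestamps chosen to fall on 2000-08-23 UTC), reads the per-packet capture time from the record headers, and inserts events into a table with the column names quoted in the post. SQLite stands in for postgres so it runs offline; the table layout, the `signature` text and the helper names are assumptions. `insert_with_db_clock` reproduces the problem (the timestamp column is left to the database and gets the insertion time); `insert_with_capture_time` supplies the packet's own timestamp explicitly.

```python
"""Replay events from a tcpdump/pcap byte string into an 'event' table,
stamping each row with the packet's capture time rather than the database's
current time. Added illustration; not snort's spo_log_database.c."""
import datetime
import sqlite3
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # microsecond-resolution pcap, written little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1  # same file type, big-endian writer


def build_sample_pcap():
    """Constructed sample: a pcap global header followed by two 60-byte packets.
    966988800 is 2000-08-23 00:00:00 UTC; the second packet is one minute later."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    packets = [
        (966988800, 123456, b"\x00" * 60),
        (966988860, 654321, b"\x00" * 60),
    ]
    body = b""
    for ts_sec, ts_usec, payload in packets:
        body += struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload))
        body += payload
    return header + body


def read_pcap(data):
    """Yield (ts_sec, ts_usec, packet_bytes) for each record in a pcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a microsecond-resolution pcap file")
    offset = 24  # global header is 24 bytes
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec, ts_usec, data[offset:offset + incl_len]
        offset += incl_len


def pcap_time(ts_sec, ts_usec):
    """Render a pcap record timestamp as 'YYYY-MM-DD HH:MM:SS.ffffff' in UTC."""
    when = datetime.datetime.fromtimestamp(ts_sec, tz=datetime.timezone.utc)
    return when.replace(microsecond=ts_usec).strftime("%Y-%m-%d %H:%M:%S.%f")


def open_db():
    # Assumed schema: only the column names come from the post.
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE event (
        sid INTEGER, cid INTEGER, signature TEXT,
        timestamp TEXT DEFAULT CURRENT_TIMESTAMP)""")
    return db


def insert_with_db_clock(db, sid, cid, signature):
    # The problem from the post: the timestamp column is not supplied, so the
    # database fills in the moment of insertion, i.e. when the readback ran.
    db.execute("INSERT INTO event (sid, cid, signature) VALUES (?, ?, ?)",
               (sid, cid, signature))


def insert_with_capture_time(db, sid, cid, signature, ts_sec, ts_usec):
    # The fix: pass the packet's own capture time as a bound parameter.
    db.execute("INSERT INTO event (sid, cid, signature, timestamp) VALUES (?, ?, ?, ?)",
               (sid, cid, signature, pcap_time(ts_sec, ts_usec)))


def replay(pcap_bytes, sid=1, use_capture_time=True):
    """Insert one event per packet and return [(cid, timestamp), ...] in order."""
    db = open_db()
    for cid, (ts_sec, ts_usec, _pkt) in enumerate(read_pcap(pcap_bytes), start=1):
        if use_capture_time:
            insert_with_capture_time(db, sid, cid, "replayed packet", ts_sec, ts_usec)
        else:
            insert_with_db_clock(db, sid, cid, "replayed packet")
    rows = db.execute("SELECT cid, timestamp FROM event ORDER BY cid").fetchall()
    db.close()
    return rows


if __name__ == "__main__":
    for cid, ts in replay(build_sample_pcap()):
        print(cid, ts)
```

Run with the database clock instead (`replay(build_sample_pcap(), use_capture_time=False)`) and every row carries today's date, which is exactly the symptom in the post; with the capture time bound explicitly the rows match the times in the tcpdump file. The same distinction matters for any batch import of captured evidence: a row's timestamp should come from the record, never from the database default.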