[Snort-users] postgres database module oddities...

Erik Fichtner emf at ...367...
Wed Aug 23 21:08:04 EDT 2000


Okay.. I've got myself stuck.  Hopefully someone on this list has done what
I'm trying to do or at least can offer up some ideas.

I'm using snort-1.6.3 and postgres-7.0.2.   I have one backend database machine
and several sensors.   Event insertion into the database works pretty well
except for one glaring problem..  No Packet Body!

So....  what I thought I'd do is run "snort -b" to write to tcpdump output
files (which I want to have lying around on the system *anyway*, as they're
incredibly useful at times, and certainly faster to log to) and then, when I
restart (which I do at 0000 GMT currently, and plan to do more often than that),
run snort in readback mode so that it inserts events into the database.

And then I discovered my problem....  When I insert events into the database,
they get timestamped with the *INSERTION TIME*, not the stored time in the
tcpdump binary file.  The $LOGDIR/alert file that gets created during readback
contains the correct times, but the times as inserted into the database in
the timestamp field are completely wrong.

A quick check into spo_log_database.c, line 410, shows that for some reason,
it's doing:
        sprintf(i0, "INSERT INTO event (sid,cid,signature,timestamp) VALUES ('%i','%i','%s',now());",sid,cid,msg);
                                                                                            ^^^^^ this is the culprit.

So, somehow, this needs to be modified to get the true timestamp, not the 
INSERT event timestamp.   

Was there a reason this was done this way that I'm missing? 

Thanks!

-- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
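An added example (not Snort's code, and not from the poster) of the change the post is asking for: format the packet's own capture time from the pcap packet header as a PostgreSQL timestamp literal and put that into the INSERT in place of now(). It assumes the sensor has the packet's struct timeval (pkthdr->ts in libpcap) available when it logs, and that the database column is meant to hold UTC; the function and variable names are my own.

```c
/* Added example: render the captured packet time instead of now().
 * Assumes the caller passes the struct timeval from the pcap packet
 * header (pkthdr->ts) and that the timestamp column holds UTC. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/time.h>

/* Render tv as "YYYY-MM-DD HH:MM:SS.uuuuuu" in UTC.
 * Returns 0 on success, -1 on a bad timeval or too-small buffer. */
int pcap_ts_to_sql(const struct timeval *tv, char *out, size_t outlen)
{
    struct tm tm;
    char date[32];
    time_t secs = tv->tv_sec;

    if (tv->tv_usec < 0 || tv->tv_usec > 999999)
        return -1;                       /* not a valid pcap timestamp */
    if (gmtime_r(&secs, &tm) == NULL)
        return -1;
    if (strftime(date, sizeof date, "%Y-%m-%d %H:%M:%S", &tm) == 0)
        return -1;
    if (snprintf(out, outlen, "%s.%06ld", date, (long)tv->tv_usec) >= (int)outlen)
        return -1;                       /* truncated */
    return 0;
}

/* Build the event INSERT with the packet timestamp as a literal in place of
 * now(). Returns the number of characters written, or -1 if the timestamp is
 * invalid or the output buffer is too small for the statement. */
int build_event_insert(char *out, size_t outlen, int sid, int cid,
                       const char *msg, const struct timeval *tv)
{
    char ts[40];
    int n;

    if (pcap_ts_to_sql(tv, ts, sizeof ts) != 0)
        return -1;
    n = snprintf(out, outlen,
                 "INSERT INTO event (sid,cid,signature,timestamp) "
                 "VALUES ('%i','%i','%s','%s');", sid, cid, msg, ts);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}
```

During readback this yields the time stored in the tcpdump file, so the database rows agree with $LOGDIR/alert rather than with the moment the sensor was restarted.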
