[Snort-users] postgres database module oddities...

Jed Pickel jed at ...153...
Wed Aug 23 23:51:57 EDT 2000


> I'm using snort-1.6.3 and postgres-7.0.2.  I have one backend
> database machine and several sensors.  Event insertion into the
> database works pretty well except for one glaring problem... No
> Packet Body!

This issue is addressed in the latest development version. I actually
committed that code to CVS earlier today. How is that for timing? ;) In
addition to payload the plugin now supports logging:

  * all tcp, udp, and icmp fields
  * all tcp and ip options
  * payload in either base64 or ascii

There are a number of other improvements to the code and database
structure to make things more logical, user friendly, and readable.

Those of you that have applications based on the snort database keep
an eye out for another message from me (on the snort-devel list) about
how to port your apps to the updated format - and for the direction I
see the snort database going in the coming months.

Anyway, if you want to log the payload, snag the latest code from CVS;
it should work. See www.snort.org for instructions on how to get the
latest stuff out of CVS.

You will need to rebuild your database with the latest
create_postgresql script (note that my tests have found that mysql is
much more efficient for this application). You will also need to be
sure to supply the "-d" option on the command line. Alone that will
cause the payload to be logged in base64. If you supply the -C option
it will log only ascii data in the payload (sorta like strings, but
each non-ascii character is replaced by a ".").

> And then I discovered my problem...  When I insert events into the
> database, they get timestamped with the *INSERTION TIME*, not the
> stored time in the tcpdump binary file.  The $LOGDIR/alert file that
> gets created during readback contains the correct times, but the
> times as inserted into the database in the timestamp field are
> completely wrong.

I just fixed this problem about 10 minutes ago. Thanks for pointing
that out! I did a quick check and things seem to be working as you
would expect now. 

> Was there a reason this was done this way that I'm missing? 

Nope... :) Incidentally, if you run into any other bugs please point them
out and I will fix them.

Thanks,

* Jed
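As an added illustration (not Jed's plugin code and not the Snort database schema), the Python sketch below mirrors the two payload encodings discussed in the thread (base64 with "-d", printable ascii with "." for everything else under "-d -C") and takes the event time from the capture record rather than the insertion clock, which is the bug the second quoted paragraph describes. The event table layout, the sample packet and its capture time are constructed for the example, and sqlite stands in for the postgres backend.

```python
import base64
import sqlite3
from datetime import datetime, timezone

# Constructed sample: one packet record as read back from a tcpdump file.
# The capture time lives in the record header; the payload is the raw bytes.
SAMPLE_TS_SEC = 966_000_000
SAMPLE_TS_USEC = 123_456
SAMPLE_PAYLOAD = b"GET /cgi-bin/x HTTP/1.0\r\n\x00\x7f\xff'; DROP\r\n"


def encode_payload(payload: bytes, ascii_only: bool) -> str:
    """Render a payload the way the two modes in the thread do.

    ascii_only=False: base64 of the raw bytes (the "-d" behaviour), so NUL,
    quotes and high bytes survive a text column unchanged.
    ascii_only=True: keep printable ascii (0x20-0x7e, the strings(1) range)
    and replace every other byte with "." (the "-d -C" behaviour).
    """
    if ascii_only:
        return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in payload)
    return base64.b64encode(payload).decode("ascii")


def capture_timestamp(ts_sec: int, ts_usec: int) -> str:
    """Event time taken from the packet record, not from the wall clock at
    insertion, so readback of an old capture keeps the original times."""
    dt = datetime.fromtimestamp(ts_sec, tz=timezone.utc)
    return dt.replace(microsecond=ts_usec).strftime("%Y-%m-%d %H:%M:%S.%f")


def log_event(conn, ts_sec, ts_usec, payload, ascii_only=False):
    """Insert one event with a parameterized statement: the ascii mode keeps
    quote characters, so the payload must never be spliced into the SQL."""
    row = (capture_timestamp(ts_sec, ts_usec), encode_payload(payload, ascii_only))
    conn.execute("INSERT INTO event (timestamp, payload) VALUES (?, ?)", row)
    return row


def demo(ascii_only=False):
    """Hypothetical two-column event table; returns the stored row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (timestamp TEXT, payload TEXT)")
    log_event(conn, SAMPLE_TS_SEC, SAMPLE_TS_USEC, SAMPLE_PAYLOAD, ascii_only)
    return conn.execute("SELECT timestamp, payload FROM event").fetchone()


if __name__ == "__main__":
    print(demo(ascii_only=False))
    print(demo(ascii_only=True))
```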


