[Snort-users] Mysql errors [plus possible fix?]

Jed Pickel jed at ...153...
Mon Nov 6 00:39:10 EST 2000


> On Sun, Nov 05, 2000 at 09:33:14PM -0500, Jed Pickel wrote:
> > Interesting. Can you reproduce this error? Has anyone else ever seen
> > this one? The only cause I can think of is a fatal error (perhaps
> 
> Well it's happening right now :-)
> 
> My snort and mysqld daemons aren't restarting/crashing or the like, and what
> I'm seeing is the same alert happening several times in one second.

Does your snort process have SELECT privs? If not, that could be the
cause.

> I would have thought LAST_INSERT_ID() would have taken care of that - those
> counters are all thread-based so each thread should be independent of the
> others, right?

It works on a per connection basis from what I understand.

> As in:
> 
> 
> Snort1         Snort2
>   |_______________|
>       |     |    
>       |     |    
>       |     |    
>       |     |    
>       ------
>        MySQL
>        
>        
> Snort1 and Snort2 simultaneously insert new event via:
> 
> INSERT into event (1,,'xxx','2000-11-06 12:55:23');
> INSERT into event (2,,'xxx','2000-11-06 12:55:23');
> 
> Snort1 and Snort2 then both do LAST_INSERT_ID() and get returned different
> cid's which they then use for the rest of the transaction. Wouldn't that
> work? As it is, with different sensors there shouldn't be any locking issues
> anyway?

This would work for MySQL. Nevertheless, not every database implements
this type of functionality the same way, and one of the goals of the
database plugin is code reuse and easy portability, to make it easy to add
support for a new database. Also, it would require a select query for
every snort alert in addition to your inserts, so it could slow you
down a couple msecs per alert.

If possible, I would like to narrow down the cause of the error you are
experiencing. If you could recompile with a #define DEBUG at the top
of spo_database.c and send along the results when you run snort and
experience this error, I would appreciate it. Also, what version of
snort and mysql are you using?

* Jed
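
The per-connection behaviour discussed in this thread, as an added example that is not part of the original message and is not Snort's code. It uses Python's sqlite3 as a stand-in for MySQL (SQLite's last_insert_rowid() plays the role of LAST_INSERT_ID()), and the table layout and file name are assumptions modelled on the quoted INSERT.

```python
import os
import sqlite3
import tempfile


def run_two_sensors():
    """Two connections (stand-ins for Snort1 and Snort2) insert into one table."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "alerts.db")  # constructed throwaway database
        # isolation_level=None means autocommit, so each INSERT is visible at once
        snort1 = sqlite3.connect(path, isolation_level=None)
        snort2 = sqlite3.connect(path, isolation_level=None)
        try:
            # Assumed layout, modelled on the quoted INSERT: sid, cid, signature, timestamp
            snort1.execute(
                "CREATE TABLE event (sid INTEGER, cid INTEGER PRIMARY KEY AUTOINCREMENT,"
                " signature TEXT, timestamp TEXT)"
            )
            insert = "INSERT INTO event (sid, signature, timestamp) VALUES (?, ?, ?)"
            snort1.execute(insert, (1, "xxx", "2000-11-06 12:55:23"))
            snort2.execute(insert, (2, "xxx", "2000-11-06 12:55:23"))

            # Each connection asks for the id of its own most recent insert.
            cid1 = snort1.execute("SELECT last_insert_rowid()").fetchone()[0]
            cid2 = snort2.execute("SELECT last_insert_rowid()").fetchone()[0]

            # Contrast: a table-wide MAX(cid) read by sensor 1 after both inserts
            # names the row that sensor 2 wrote, not sensor 1's own row.
            max_cid = snort1.execute("SELECT MAX(cid) FROM event").fetchone()[0]
            owner = snort1.execute(
                "SELECT sid FROM event WHERE cid = ?", (max_cid,)
            ).fetchone()[0]
            return {"cid1": cid1, "cid2": cid2,
                    "max_cid": max_cid, "max_cid_owner_sid": owner}
        finally:
            snort1.close()
            snort2.close()


if __name__ == "__main__":
    print(run_two_sensors())
```

The different function name in SQLite is itself an instance of the portability point above: the per-connection "last id" call is not spelled the same way across databases.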
