[Snort-users] ACID Archiving on Postgresql
hugh_fraser at ...2804...
Thu Sep 6 10:15:03 EDT 2001
It appears that the pre-processors do not include a sig_class_id or
sig_priority. If specified in the insert statement, they're required to be
int8 values, but they're not required fields. However, the archive code
explicitly copies these values over, and postgres balks because the fields
There's a few solutions, probably in order of preference, but I'm not one
for the developers and don't understand the implications.
1. Change the archiving code to exclude NULL fields.
2. Change the plugins to include a non-NULL value for these fields.
3. Add a trigger to the signature table to force a value for the fields. Not
having the time to dig through the code, this was my quick solution.
> -----Original Message-----
> From: leE [SMTP:lee at ...3342...]
> Sent: Thursday, September 06, 2001 11:55 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] ACID Archiving on Postgresql
> On Thu, Sep 06, 2001 at 03:21:59PM +0100, leE wrote:
> > Hi,
> > I've seen this posted to the lists a couple of times, but without
> resolution. So I'm hoping by reposting I might add some previously
> missing detail, or someone will be insipered with the solution or
> something ;)
> > In my case (and all the other posts I've seen) this occurs when trying
> to use the archiving option in ACID with a postgresql backend. The
> archive database seems to be fine and all other queries work ok. However
> when the archive command is submitted I get this (ACID is in debug mode):
> > Gathering elements from 50 alert blobs
> > 1 - 488766
> > Checking for DB abstraction lib in '/data/www/adodb/adodb.inc.php'
> > Database ERROR:ERROR: Bad int8 external representation ""
> > This happens irrespective of which critera I am using to archive the
> events and how many I am trying to archive at once.
> > Any ideas more than welcome ;)
> Apologies for the broken subject on that, what can I say? Mail
> client trauma ;)
> Lee Brotherston - <lee at ...3342...>
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users