[Snort-users] Problem with Snort/PostgreSQL
Johan.Sunnerstig at ...6624...
Mon Dec 9 08:51:08 EST 2002
Im trying to setup snort on a Linux box, with Postgres as the backend DB.
I've setup the DB, with a user named "snort", and then I let that user
create the snort database using the create_postgresql script that comes with
However when I run Snort from the command line using the following command:
"snort -c /etc/snort/snort.conf" it dies after trying to do initial DB
I've attached the error message I get when running Snort to the bottom of
I found a few posts in mailinglist archives relating to a bug in the
PostgreSQL module in Snort 1.9.0, and there was a suggested fix, inserting
the sensor info into the sensor table manually.
I tried this as described in that post, by doing INSERT INTO sensor (sid,
hostname, last_cid) VALUES (1, 'westmalle', 1); , to no avail, I still get
the same error.
The only change I've made to the snort.conf file is uncommenting and
modifying the output to output to Postgres, as follows:
output database: log, postgresql, dbname=snort user=snort port=5432
Anyone got any ideas?
Compaq Proliant ML350
RedHat Linux 8.0
Snort 1.9.0 /w postgresql support(installed the 1.9.0 RPM and the Postgres
support RPM on the snort site)
Any input would be greatly sppreciated.
Log stuff below here
[root at ...7684... root]# snort -c /etc/snort/snort.conf
Initializing Output Plugins!
Log directory = /var/log/snort
Initializing Network Interface eth0
--== Initializing Snort ==--
Decoding Ethernet on interface eth0
Parsing Rules file /etc/snort/snort.conf
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
TTL Limit: 5
Async Link: 0
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
Reassembly method: FAVOR_OLD
IIS alternate Unicode decoding
IIS double encoding vuln
Flip backslash to slash
Include additional whitespace separators
Ports to decode http on: 80
Ports to decode RPC on: 111 32771
Ports to decode telnet on: 21 23 25 119
Conv Count: 32000
Timeout : 60
Alert Odd?: 0
Allowed IP Protocols: All
database: compiled support for ( postgresql )
database: configured to use postgresql
database: database name = snort
database: user = snort
database: sensor name = 172.22.3.71
database: postgresql_error: ERROR: ExecAppend: Fail to add null value in
not null attribute last_cid
database: Problem obtaining SENSOR ID (sid) from snort->sensor
When this plugin starts, a SELECT query is run to find the sensor id for
currently running sensor. If the sensor id is not found, the plugin will
an INSERT query to insert the proper data and generate a new sensor id.
SELECT query is run to get the newly allocated sensor id. If that fails
this error message is generated.
Some possible causes for this error are:
* the user does not have proper INSERT or SELECT privileges
* the sensor table does not exist
If you are _absolutely_ certain that you have the proper privileges set and
that your database structure is built properly please let me know if you
continue to get this error. You can contact me at (roman at ...438...).
Fatal Error, Quitting..
How many Microsoft engineers are needed to screw a light bulb ??
None. Microsoft declares darkness the standard.
More information about the Snort-users