[Snort-users] Error on db inserts

Clausing, James A (Jim), SOLCM jac at ...1982...
Mon Mar 4 06:36:18 EST 2002


Roman,
	Solaris 8 (sparc). The locale settings are nothing unusual:
LC_MESSAGE=C, LC_CTYPE=en_US.ISO8859-1.  TZ=GMT if you care.  Also, see
below, some of the portscan and SPADE alerts actually work.  For SPADE, it
is only the threshold adjustment messages that cause the error; the actual
anomaly messages seem to go in fine.

---Jim

-----Original Message-----
From: Roman Danyliw [mailto:roman at ...438...]
Sent: Friday, March 01, 2002 3:05 PM
To: Clausing, James A (Jim), SOLCM
Cc: snort-devel at lists.sourceforge.net; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Error on db inserts


These INSERT errors make sense, because things like '+71071' are of course
not valid timezones.  What platform are you running? What are your OS locale
settings?

You note that other events are logging fine (i.e. the normal rules), but
portscan alerts and certain SPADE messages cause issues.  Correct?

Roman

On Fri, 1 Mar 2002 13:44:37 -0500, "Clausing, James A \(Jim\), SOLCM"
<jac at ...1982...> wrote :

> Folks,
> 	I'm seeing some errors inserting into my postgresql database
> apparently from spp_portscan and spp_anomsensor.  I conclude this by
> correlating the following log messages.  I haven't looked at the code, to
> see if I could fix it (not enough hours in the day), but perhaps someone who
> knows the code better than I can find the problem more quickly, note this
> occurs on 1.8.3 and all of the 1.8.4 betas.  From the looks of it, the
> problem is not with all of the messages.  For example, most of the SPADE
> messages are fine, the errors seem to occur on the 'threshold adjustment
> messages'.  From portscan, the errors come on the status and end messages,
> but not the 'PORTSCAN DETECTED' messages.  Hopefully, this helps.
> 
> ---Jim
> 
> 
> Mar  1 16:33:52 gauss snort: [ID 702911 local6.info] spp_portscan: PORTSCAN DETECTED to port 21536 from 63.157.9.149 (STEALTH)

This one does not cause the error.

> Mar  1 16:33:56 gauss snort: [ID 702911 local6.info] spp_portscan: portscan status from 63.157.9.149: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar  1 16:33:56 gauss snort: [ID 702911 daemon.error] database: postgresql_error: ERROR:  Bad timestamp external representation '2002-03-01 16:33:56+71071'
> Mar  1 16:34:00 gauss snort: [ID 702911 local6.info] spp_portscan: End of portscan from 63.157.9.149: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar  1 16:34:00 gauss snort: [ID 702911 daemon.error] database: postgresql_error: ERROR:  Bad timestamp external representation '2002-03-01 16:34:00+249582'
> 
> 
> Mar  1 16:40:29 gauss snort: [ID 702911 local6.info] spp_anomsensor: Threshold adjusted to 10.1959 after 18 alerts (of 4757)
> Mar  1 16:40:29 gauss snort: [ID 702911 daemon.error] database: postgresql_error: ERROR:  Bad timestamp external representation '2002-03-01 16:40:29+71065'
> 
> 
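
Added example (not part of the original message and not Snort code): a small script that repeats the correlation described in the thread, pairing each postgresql_error line with the preprocessor message logged in the same second and checking the rejected timezone offset. The function names and the offset bounds are assumptions made for this example.

```python
import re
from collections import defaultdict

# Syslog lines copied from the message above, with mail-client wraps rejoined.
SAMPLE = """\
Mar  1 16:33:52 gauss snort: [ID 702911 local6.info] spp_portscan: PORTSCAN DETECTED to port 21536 from 63.157.9.149 (STEALTH)
Mar  1 16:33:56 gauss snort: [ID 702911 local6.info] spp_portscan: portscan status from 63.157.9.149: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  1 16:33:56 gauss snort: [ID 702911 daemon.error] database: postgresql_error: ERROR:  Bad timestamp external representation '2002-03-01 16:33:56+71071'
Mar  1 16:34:00 gauss snort: [ID 702911 local6.info] spp_portscan: End of portscan from 63.157.9.149: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  1 16:34:00 gauss snort: [ID 702911 daemon.error] database: postgresql_error: ERROR:  Bad timestamp external representation '2002-03-01 16:34:00+249582'
Mar  1 16:40:29 gauss snort: [ID 702911 local6.info] spp_anomsensor: Threshold adjusted to 10.1959 after 18 alerts (of 4757)
Mar  1 16:40:29 gauss snort: [ID 702911 daemon.error] database: postgresql_error: ERROR:  Bad timestamp external representation '2002-03-01 16:40:29+71065'
"""

# Captures: syslog timestamp, tag (spp_portscan / spp_anomsensor / database), message.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ snort: \[ID \d+ \S+\] (\w+): (.*)$")
# The quoted value PostgreSQL rejected: 'YYYY-MM-DD HH:MM:SS<offset>'.
BAD_TS = re.compile(r"'\d{4}-\d\d-\d\d [\d:]{8}([+-][\d:]+)?'")

def valid_offset(offset):
    """Assumption: a sane numeric UTC offset is +/-HH, +/-HHMM or +/-HH:MM,
    with hours <= 14 (largest real-world offset) and minutes <= 59."""
    m = re.fullmatch(r"[+-](\d\d)(?::?(\d\d))?", offset)
    return bool(m) and int(m.group(1)) <= 14 and int(m.group(2) or 0) <= 59

def correlate(text):
    """Pair each database timestamp error with the preprocessor messages
    logged in the same second, as the report in the thread did by hand."""
    alerts, findings = defaultdict(list), []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, tag, msg = m.groups()
        if tag != "database":
            alerts[stamp].append((tag, msg))
            continue
        ts = BAD_TS.search(msg)
        if ts:
            offset = ts.group(1) or ""
            findings.append({"stamp": stamp, "offset": offset,
                             "offset_ok": valid_offset(offset),
                             "triggers": list(alerts[stamp])})
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f["stamp"], f["offset"], "ok" if f["offset_ok"] else "BAD", f["triggers"])
```
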