[Snort-users] Problem logging to postgres

Frank Knobbe fknobbe at ...652...
Thu Apr 24 09:47:14 EDT 2003


On Thu, 2003-04-24 at 11:07, Roger D. Vargas wrote:
> > I'm using Postgres without any problem. The only issue I've been facing was
> > due to the username to access the DB. I created specific Postgres users,
> > granted the rights (select, insert) as specified in documentation, but I was
> > still unable to make it run properly. I finally turned back to postgres
> > user, and had it working fine. Since we're in a hurry on that project, I'll
> > let Snort run with that user.

The issue was probably that you didn't give enough rights to the sensor
table. There is a 'misprint' in the documentation in regards to the
required rights.

> I tried, but it doesn't work anyway. I'll have to go back to 1.9 and try
> postgres support in that version.

Snort works great with Postgres. Both the documentation and the
createpostgres have errors in them. I had sent a patch to Snort devel
some time ago.

For the rights, the doc should read:

          - First create a user - for this example we will use
"snortusr"
          - now grant the right privileges for that user 
          > grant INSERT,SELECT on snort.* to snortusr at ...274...;
+         - In addition, grant that user the UPDATE privilege on the
+           'sensor' table
+         > grant INSERT,SELECT,UPDATE on snort.sensor to
snortusr at ...274...;
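
Review bot: the step added after the "grant INSERT,SELECT on snort.*" line covers only UPDATE on the 'sensor' table, but the message goes on to say that the _SEQ tables Postgres creates also need write access for the snort user. Suggest adding a matching documented step for those sequences (the privilege listing in this message shows them as arw), so that someone following the doc alone ends up with a working dedicated account instead of falling back to the postgres user.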

The + marked lines were added. Also, there are several _SEQ tables that
Postgres creates. The snort user needs to have write access to those.

Here is what my table looks like:
                       Access privileges for database "snort"
 Schema |               Table                | Access privs (sanitized)
--------+------------------------------------+--------------------------------------
 public | data                               | {=,snort=ar
 public | detail                             | {=,snort=ar
 public | encoding                           | {=,snort=ar
 public | event                              | {=,snort=ar
 public | icmphdr                            | {=,snort=ar
 public | iphdr                              | {=,snort=ar
 public | opt                                | {=,snort=ar
 public | reference                          | {=,snort=ar
 public | reference_ref_id_seq               | {=,snort=arw
 public | reference_system                   | {=,snort=ar
 public | reference_system_ref_system_id_seq | {=,snort=arw
 public | schema                             | {=,snort=r
 public | sensor                             | {=,snort=ar
 public | sensor_sid_seq                     | {=,snort=arw,
 public | sig_class                          | {=,snort=ar
 public | sig_class_sig_class_id_seq         | {=,snort=arw
 public | sig_reference                      | {=,snort=ar
 public | signature                          | {=,snort=ar
 public | signature_sig_id_seq               | {=,snort=arw
 public | tcphdr                             | {=,snort=ar
 public | udphdr                             | {=,snort=ar


Also, in the createsql script, you need to change DATETIME to TIMESTAMP.
There is also a missing index:

Instead of:
CREATE INDEX sig_class_id ON signature (sig_class_id);

It should be:
CREATE INDEX sig_class_idx ON signature (sig_class_id);

Note the x at the end of idx.


Hope that helps. 

Frank
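
An added example, not part of the original message or of Snort: a small Python audit that reads a privilege listing in the format shown above and emits the GRANT statements a dedicated sensor role is still missing, so the fix is to add rights rather than run Snort as the postgres user. The policy function, the role name and the sample listing are assumptions constructed from the message's description (INSERT,SELECT on tables, SELECT on schema, UPDATE as well on sensor and the _seq relations); a/r/w are PostgreSQL's ACL letters for INSERT/SELECT/UPDATE.

```python
import re

# PostgreSQL ACL display letters: a = INSERT, r = SELECT, w = UPDATE.
ACL_LETTERS = {"a": "INSERT", "r": "SELECT", "w": "UPDATE"}


def required_privs(relation):
    """Hypothetical policy encoding what the message says the sensor role needs."""
    if relation == "schema":
        return {"r"}                      # version table is only read
    if relation == "sensor" or relation.endswith("_seq"):
        return {"a", "r", "w"}            # needs UPDATE on top of INSERT,SELECT
    return {"a", "r"}                     # ordinary event tables


def parse_listing(text, role):
    """Return {relation: set(acl letters)} for `role` from a privilege listing."""
    acl = {}
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 3 or cols[0] != "public":
            continue                      # skip title, header and separator rows
        m = re.search(r"(?:^|[{,])%s=([a-zA-Z]*)" % re.escape(role), cols[2])
        acl[cols[1]] = set(m.group(1)) if m else set()
    return acl


def missing_grants(text, role):
    """Build GRANT statements for every privilege the policy requires but lacks."""
    stmts = []
    for rel, have in sorted(parse_listing(text, role).items()):
        lack = required_privs(rel) - have
        if lack:
            privs = ", ".join(sorted(ACL_LETTERS[p] for p in lack))
            stmts.append("GRANT %s ON %s TO %s;" % (privs, rel, role))
    return stmts


# Constructed sample: a role set up with INSERT,SELECT only, as the original
# documentation described, plus one table that was granted SELECT alone.
SAMPLE = """\
 public | event          | {=,snortusr=ar
 public | schema         | {=,snortusr=ar
 public | sensor         | {=,snortusr=ar
 public | sensor_sid_seq | {=,snortusr=ar
 public | signature      | {=,snortusr=r
"""

if __name__ == "__main__":
    print("\n".join(missing_grants(SAMPLE, "snortusr")))
```
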
