[Snort-users] logging to MySql....stumped
chris at ...6400...
Tue Jul 22 04:54:06 EDT 2003
Scott Renna wrote:
> Now that I've gotten some help in editing configure.in in Barnyard to
> work with MySQLServer 4.0....it's up and running and seems to be doing
> its job. It's no longer producing any errors; however, it doesn't look
> like it's actually logging to ACID. I've run a few port scans and snort
> is picking up the scans and creating alert and log files. ACID is not
> displaying the result however.
I've submitted this information to Andrew and Marty, so hopefully it
will be corrected in future releases.
Anyway, I had the same problem, and after closer examination I found
that "zero" dates/times were being inserted into the database.
This happens (from what I've gathered) because the date/time string that
barnyard inserts isn't compatible with MySQL's 'DATETIME' datatype,
resulting in an error, and MySQL ends up inserting 'null' date strings
(which is why - I think - you don't see anything in ACID, as all the
events occurred on 00-00-0000 at 00:00!) ;)
The following trivial patch should get it going (hopefully it's not
line-wrapped beyond recognition):
--- barnyard-0.1.0/src/util.c.orig 2003-07-20 10:46:43.000000000 +1000
+++ barnyard-0.1.0/src/util.c 2003-07-20 10:46:51.000000000 +1000
@@ -508,7 +508,7 @@
lt = localtime(&timet);
- return strftime(timebuf, len, "%Y-%m-%d %H:%M:%S %z", lt);
+ return strftime(timebuf, len, "%Y-%m-%d %H:%M:%S%z", lt);
lt = gmtime(&timet);
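Review bot: the hunk edits only the localtime branch's format string, while the trailing context `lt = gmtime(&timet);` shows a second branch whose strftime call lies outside the visible lines; confirm whether that call carries the same `" %z"` and needs the identical change, otherwise the fix holds only for the local-time path. The patch also keeps the `%z` offset in a string bound for a DATETIME column, which cannot store an offset, so the stored value depends on MySQL tolerating the trailing `+1000`; consider dropping `%z` from the database-bound string (or converting to UTC via the gmtime path) and documenting which zone the stored timestamp is in. Minor: `%z` is a C99/POSIX strftime conversion, so portability to older libcs is worth a comment.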
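As an added example (not code from the original post or from barnyard), the script below reproduces the two timestamp strings the format strings in the patch produce for a fixed time, checks them against the plain `YYYY-MM-DD HH:MM:SS` form a DATETIME column actually stores, normalises an offset-carrying string to UTC so it fits that form, and scans rows shaped like the snort `event` table (`sid`, `cid`, `timestamp`) for the all-zero timestamp the post describes. The sample rows are constructed; whether a given MySQL release accepts or truncates a trailing offset is not asserted here, the check simply treats any zone suffix as non-canonical.

```python
"""Check barnyard-style timestamps against the MySQL DATETIME form and
find zero-dated events (added example, not part of the original post)."""
import re
from datetime import datetime, timedelta, timezone

# The two strftime format strings from the patch: before and after the fix.
FMT_BEFORE = "%Y-%m-%d %H:%M:%S %z"
FMT_AFTER = "%Y-%m-%d %H:%M:%S%z"

# A DATETIME value as MySQL stores and returns it carries no zone suffix.
DATETIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
# Anything with a trailing +HHMM/-HHMM offset, with or without the space.
OFFSET_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ?([+-]\d{4})$")
ZERO_DATETIME = "0000-00-00 00:00:00"

# Constructed sample: the time from the patch header, in a +10:00 zone.
SAMPLE_TS = datetime(2003, 7, 20, 10, 46, 43, tzinfo=timezone(timedelta(hours=10)))

# Constructed sample rows as they might come back from `SELECT sid, cid, timestamp FROM event`.
SAMPLE_EVENT_ROWS = [
    (1, 1, "0000-00-00 00:00:00"),
    (1, 2, "2003-07-20 10:46:43"),
    (1, 3, "0000-00-00 00:00:00"),
]


def barnyard_timestamp(ts, fmt):
    """Render an aware datetime with a strftime format; %z yields +HHMM like C."""
    return ts.strftime(fmt)


def is_plain_datetime(s):
    """True only for the canonical DATETIME literal with no zone offset."""
    return DATETIME_RE.match(s) is not None


def to_utc_datetime(s):
    """Turn an offset-carrying string into a plain DATETIME literal in UTC.
    Returns None when the string does not match either patched form."""
    m = OFFSET_RE.match(s)
    if m is None:
        return None
    aware = datetime.strptime(m.group(1) + m.group(2), "%Y-%m-%d %H:%M:%S%z")
    return aware.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def zero_dated_events(rows):
    """Return (sid, cid) for rows whose timestamp is the zero sentinel or
    otherwise not a valid DATETIME literal; these are the events ACID's
    time-based views will never show."""
    return [
        (sid, cid)
        for sid, cid, ts in rows
        if ts == ZERO_DATETIME or not is_plain_datetime(ts)
    ]


if __name__ == "__main__":
    for label, fmt in (("before", FMT_BEFORE), ("after", FMT_AFTER)):
        s = barnyard_timestamp(SAMPLE_TS, fmt)
        print(f"{label}: {s!r} plain={is_plain_datetime(s)} utc={to_utc_datetime(s)}")
    print("zero-dated events:", zero_dated_events(SAMPLE_EVENT_ROWS))
```

Running it shows that both format strings on the page still emit a zone suffix; only `to_utc_datetime` yields the canonical form, which is the value a practitioner would want written to the column if the offset is to be dropped safely rather than left for the server to discard.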
More information about the Snort-users