[Snort-users] logging to MySql....stumped

Chris Keladis chris at ...6400...
Tue Jul 22 04:54:06 EDT 2003


Scott Renna wrote:

Hi Scott,

> Now that I've gotten some help in editing configure.in in Barnyard to
> work with MySQLServer 4.0....it's up and running and seems to be doing
> its job.  It's no longer producing any errors however, it doesn't look
> like it's actually logging to ACID.  I've run a few port scans and snort
> is picking up the scans and creating alert and log files.  ACID is not
> displaying the result however.

I've submitted this information to Andrew and Marty, so hopefully it 
will be corrected in future releases.

Anyway, I had the same problem, and after closer examination I found 
that "zero" dates/times were being inserted into the database.

This happens (from what I've gathered) because the date/time string that 
barnyard inserts isn't compatible with MySQL's 'DATETIME' datatype, 
resulting in an error, and MySQL ends up inserting 'null' date strings 
(which is why - I think - you don't see anything in ACID, as all the 
events occurred on 00-00-0000 at 00:00!) ;)


The following trivial patch should get it going (hopefully it's not 
line-wrapped beyond recognition):


--- barnyard-0.1.0/src/util.c.orig      2003-07-20 10:46:43.000000000 +1000
+++ barnyard-0.1.0/src/util.c   2003-07-20 10:46:51.000000000 +1000
@@ -508,7 +508,7 @@
      if(pv.localtime)
      {
          lt = localtime(&timet);
-        return strftime(timebuf, len, "%Y-%m-%d %H:%M:%S %z", lt);
+        return strftime(timebuf, len, "%Y-%m-%d %H:%M:%S%z", lt);
      }

      lt = gmtime(&timet);
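Review bot: the `+` line still appends a `%z` UTC offset after the seconds, so the value handed to a MySQL DATETIME column (which has no zone field) becomes "YYYY-MM-DD HH:MM:SS+1000" instead of "YYYY-MM-DD HH:MM:SS +1000"; if the aim is a string DATETIME accepts unambiguously, drop `%z` from this branch altogether (`"%Y-%m-%d %H:%M:%S"`) or send the database path through the `gmtime` branch below so UTC is stored with no offset at all. Note also that `%z` is a C99 addition to strftime that older libc implementations do not recognise, so the output should be checked on the platform barnyard is built on; the hunk leaves the format used after `lt = gmtime(&timet);` unchanged, so the same check applies there.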

YMMV,

Chris.
