[Snort-users] logging to MySql....stumped

Scott Renna srenna at ...9588...
Tue Jul 22 05:33:21 EDT 2003


Would I have better luck dumping it to a PostgreSQL database?   I've
noticed in Barnyard's output when it doesn't have anything it's picking
up, entries are just shown as time 00:00:00.  I forget the date that it
defaults to but it's definitely not the current one.

I'm going to try this patch out and let you know on the results.

Scott

***************************
Scott Renna
Head Systems Administrator
Dynamic Animation Systems
703-503-0500

*************************** 

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Chris
Keladis
Sent: Tuesday, July 22, 2003 7:53 AM
To: Scott Renna
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] logging to MySql....stumped


Scott Renna wrote:

Hi Scott,

> Now that I've gotten some help in editing configure.in in Barnyard to
> work with MySQLServer 4.0....it's up and running and seems to be doing
> its job.  It's no longer producing any errors however, it doesn't look
> like it's actually logging to ACID.  I've run a few port scans and
> snort is picking up the scans and creating alert and log files.  ACID
> is not displaying the result however.

I've submitted this information to Andrew and Marty, so hopefully it 
will be corrected in future releases.

Anyway, I had the same problem, and after closer examination I found 
that "zero" dates/times were being inserted into the database.

This happens (from what I've gathered) because the date/time string that
barnyard inserts isn't compatible with MySQL's 'DATETIME' datatype, 
resulting in an error, and MySQL ends up inserting 'null' date strings 
(which is why - I think - you don't see anything in acid, as all the 
events occurred on 00-00-0000 at 00:00!) ;)


The following trivial patch should get it going (hopefully it's not 
line-wrapped beyond recognition):


--- barnyard-0.1.0/src/util.c.orig      2003-07-20 10:46:43.000000000
+1000
+++ barnyard-0.1.0/src/util.c   2003-07-20 10:46:51.000000000 +1000
@@ -508,7 +508,7 @@
      if(pv.localtime)
      {
          lt = localtime(&timet);
-        return strftime(timebuf, len, "%Y-%m-%d %H:%M:%S %z", lt);
+        return strftime(timebuf, len, "%Y-%m-%d %H:%M:%S%z", lt);
      }

      lt = gmtime(&timet);
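Review bot: dropping the space before %z still leaves a UTC offset ("+1000") on the end of the string, and a MySQL DATETIME column has no place to store an offset, so the localtime branch still hands the server a literal it cannot take as-is; given the zero dates described above, the safer change is to remove %z from this branch entirely, i.e. `return strftime(timebuf, len, "%Y-%m-%d %H:%M:%S", lt);`, and either record the zone elsewhere or use the gmtime path below so every stored time is UTC. Two smaller points: %z is a C99/POSIX conversion, so on an older libc it may emit nothing or an implementation-defined value, and the pasted patch has its first `---` header line wrapped with `+1000` on a line of its own, which needs rejoining before `patch` will accept the hunk.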





YMMV,

Chris.
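The failure Chris describes is a formatting mismatch: a DATETIME column expects exactly "YYYY-MM-DD HH:MM:SS", and anything appended (a space, a %z offset, with or without the space) is not part of that literal. The following is an added example, not barnyard's code and not from either poster: it formats a time_t as a strict DATETIME literal in UTC, and validates a string against that shape before it is used in an INSERT, so a bad format is caught in the sensor rather than surfacing later as zero dates in ACID. The function names and the constructed sample timestamps are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <ctype.h>

/* Added example (not barnyard's util.c). Format a time_t as a MySQL
   DATETIME literal, "YYYY-MM-DD HH:MM:SS". gmtime is used so the stored
   value is unambiguous UTC; the column carries no zone, so no %z is
   appended. Returns the number of characters written, 0 on failure. */
size_t format_mysql_datetime(time_t t, char *buf, size_t len)
{
    struct tm *tmp = gmtime(&t);
    if (tmp == NULL)
        return 0;
    return strftime(buf, len, "%Y-%m-%d %H:%M:%S", tmp);
}

/* Strict shape check for a DATETIME literal: exactly 19 characters,
   digits where 'd' appears in the pattern and the same separators
   elsewhere. Anything trailing, such as " +1000" or "+1000", is
   rejected instead of being left for the server to mangle. */
int is_mysql_datetime(const char *s)
{
    static const char pattern[] = "dddd-dd-dd dd:dd:dd";
    size_t i;

    if (s == NULL || strlen(s) != sizeof(pattern) - 1)
        return 0;
    for (i = 0; pattern[i] != '\0'; i++) {
        if (pattern[i] == 'd') {
            if (!isdigit((unsigned char)s[i]))
                return 0;
        } else if (s[i] != pattern[i]) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed samples: the two strings barnyard's original and
       patched format strings would produce, plus a clean literal. */
    const char *samples[] = {
        "2003-07-20 10:46:43 +1000",
        "2003-07-20 10:46:43+1000",
        "2003-07-20 10:46:43",
    };
    char buf[32];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s -> %s\n", samples[i],
               is_mysql_datetime(samples[i]) ? "ok" : "rejected");

    /* 1058659200 is 2003-07-20 00:00:00 UTC (constructed value). */
    if (format_mysql_datetime((time_t)1058659200, buf, sizeof buf) > 0)
        printf("formatted: %s (%s)\n", buf,
               is_mysql_datetime(buf) ? "ok" : "rejected");
    return 0;
}
```

The validator is deliberately narrow: it accepts only the one shape the column stores, so any future change to the format string that reintroduces an offset fails fast at the point of insertion instead of silently producing a zero date.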


