[Snort-users] Are there known bugs in the odbc output plugin WRT FreeTDS and unixODBC?

McCash, John John.McCash at ...10979...
Wed Apr 28 14:11:04 EDT 2004

Marty, please lend us your wisdom...

I've been trying to get snort logging into a MS SQL 2000 database for a bit now, and I've hit something that may be a bug, but I'm not sure in what. I've got the database set up on the MS side using the supplied schema files, and I have unixODBC and FreeTDS configured to talk to it. I can use the isql application that comes with unixODBC to make queries against those parts of the database that are populated (services, flags, etc.). I can also use it to insert entries and tables, as I confirmed by deleting the flags table, and reconstituting it using isql. Unfortunately, no matter what I do, I still get the same message when I start up snort.

"Apr 28 15:39:15 aopsecurityserver snort: database: Problem obtaining SENSOR ID (sid) from AOPSECDB->sensor
Apr 28 15:39:15 aopsecurityserver snort: FATAL ERROR:   When this plugin starts, a SELECT query is run to find the sensor id for the  currently running sensor. If the sensor id is not found, the plugin will run  an INSERT query to insert the proper data and generate a new sensor id. Then a  SELECT query is run to get the newly allocated sensor id. If that fails then  this error message is generated.   Some possible causes for this error are:   * the user does not have proper INSERT or SELECT privileges   * the sensor table does not exist   If you are _absolutely_ certain that you have the proper privileges set and  that your database structure is built properly please let me know if you  continue to get this error. You can contact me at (roman at ...438...).
Apr 28 15:39:15 aopsecurityserver kernel: device eth0 left promiscuous mode"

This seems to me to be a bug in the odbc output plugin, but may be a problem with unixODBC or FreeTDS. Does anyone have enough experience in this area to tell me how to debug this further?