[Snort-users] Oracle output

Esler, Joel - Contractor joel.esler at ...9426...
Tue Nov 23 13:37:08 EST 2004


We have discovered a problem with the Oracle output processor when
encoding is ASCII.  (We have not tried hex)

However, in the oracle database since the data_payload is stored as a
"BLOB" the following change must be made.

# diff spo_database2.c spo_database.c
1612c1612
<                             "VALUES ('%u','%u','%s",
---
>                             "VALUES
('%u','%u',utl_raw.cast_to_raw('%s",
1616c1616
<                     strcat(query->val, "')");
---
>                     strcat(query->val, "'))");

We have discovered a lot of other problems too when two Snort boxes log
to the same DB.  We're working this issue out.  More to follow
(hopefully)

Joel Esler, GCIA




More information about the Snort-users mailing list