[Snort-users] v2.8.4 incorrect logging to MySQL

Matt Watchinski mwatchinski at ...1935...
Sat Apr 11 15:16:17 EDT 2009


Turn on mysql query logging and see if snort is trying to insert into
those tables.  It doesn't look like much changed in spo_database.c.

Cheers,
-matt

On Sat, Apr 11, 2009 at 1:32 PM, Stephen Reese <rsreese at ...11827...> wrote:
> Also note I start with an empty DB and I meant Snort Version 2.8.4 (Build 26)
>
> On Sat, Apr 11, 2009 at 1:27 PM, Stephen Reese <rsreese at ...11827...> wrote:
>> On Sat, Apr 11, 2009 at 1:11 PM, Danny Paul <JDPAUL at ...14548...> wrote:
>>> Well, like I said - it's writing to the events table, but it's not writing to the sensors or signatures table.  Of course if those tables were already populated (in an upgrade situation, for example) that would not be a big issue until new signatures came out or new sensors came online. In my case I was doing a test install before upgrade and noticed that the new version no longer would populate those two tables.
>>>
>>> Can anyone else duplicate this? Obviously you'd have to start with an empty database. :-)
>>
>> Correction, mine is also not writing to the sensor or signature tables.
>>
>> Base 1.4.1, Snort 2.8.1, and 5.0.32 on Linux debian 2.6.18-6-686
>>
>> $ mysql -uroot -p -D snort -e "select count(*) from event"
>> +----------+
>> | count(*) |
>> +----------+
>> |       57 |
>> +----------+
>>
>> $ mysql -uroot -p -D snort -e "select count(*) from signature"
>> +----------+
>> | count(*) |
>> +----------+
>> |        0 |
>> +----------+
>>
>> $ mysql -uroot -p -D snort -e "select count(*) from sensor"
>> +----------+
>> | count(*) |
>> +----------+
>> |        0 |
>> +----------+
>>
>



-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
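
The check suggested at the top of this message, as an added example that is not part of the original thread or of Snort: a shell function that tallies `INSERT` statements per table in a MySQL general query log, so a run with zero inserts into `sensor` and `signature` stands out. The function names and the sample log lines are constructed for illustration and were not captured from Snort.

```shell
#!/bin/sh
# Added example: count INSERTs into the event, signature and sensor tables
# as recorded in a MySQL general query log.
# On MySQL 5.0 that log is enabled with "log = <file>" under [mysqld] in my.cnf.

# count_inserts [LOGFILE] -- reads LOGFILE, or stdin when no file is given.
count_inserts() {
    awk '
        BEGIN { n["event"] = 0; n["signature"] = 0; n["sensor"] = 0 }
        {
            line = tolower($0)
            # Find "insert into <table>", allowing an optional backtick quote.
            if (match(line, /insert[ \t]+into[ \t]+`?[a-z_]+/)) {
                t = substr(line, RSTART, RLENGTH)
                sub(/^insert[ \t]+into[ \t]+`?/, "", t)
                if (t in n) n[t]++    # other tables (iphdr, data, ...) are ignored
            }
        }
        END {
            printf "event=%d signature=%d sensor=%d\n",
                   n["event"], n["signature"], n["sensor"]
        }
    ' "${1:--}"
}

# Constructed sample log reproducing the symptom in this thread:
# lookups against sensor and signature, but inserts only into event.
sample_log() {
    cat <<'EOF'
090411 13:20:01      12 Connect     snort@localhost on snort
                     12 Query       SELECT sid FROM sensor WHERE hostname = 'ids1'
                     12 Query       SELECT sig_id FROM signature WHERE sig_name = 'ICMP PING'
                     12 Query       INSERT INTO event (sid,cid,signature,timestamp) VALUES (0, 1, 0, '2009-04-11 13:20:01')
                     12 Query       INSERT INTO iphdr (sid,cid,ip_src,ip_dst) VALUES (0, 1, 167772161, 167772162)
                     12 Query       INSERT INTO event (sid,cid,signature,timestamp) VALUES (0, 2, 0, '2009-04-11 13:20:05')
EOF
}

# Stand-alone use: pass a log path, or run with no argument to see the sample.
if [ "$#" -gt 0 ]; then
    count_inserts "$1"
else
    sample_log | count_inserts
fi
```

A result of `event=2 signature=0 sensor=0` on a freshly created database means the sensor never attempted the inserts, which points at the output plugin rather than at MySQL permissions or the schema.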



