[Snort-users] v2.8.4 incorrect logging to MySQL

Matt Watchinski mwatchinski at ...1935...
Mon Apr 13 10:20:56 EDT 2009


Yeah I opened a bug in the bug tracker for this.

-matt

On Mon, Apr 13, 2009 at 8:22 AM, Danny Paul <JDPAUL at ...14548...> wrote:
> I verified as well that no inserts were being made into the signatures or sensors table.
>
> Matt, seeing as how you work for sourcefire, are you submitting this as a bug request on our behalf, or do I need to do that?
>
>>>> On 4/11/2009 at 5:11 PM, in message
> <665172f40904111511r29d51a9bha360b839e3239e0b at ...11828...>,
> <rsreese at ...11827...> wrote:
>> On Sat, Apr 11, 2009 at 3:16 PM, Matt Watchinski
>> <mwatchinski at ...1935...> wrote:
>>> Turn on mysql query logging and see if snort is trying to insert into
>>> those tables.  It doesn't look like much changed in spo_database.c
>>>
>>> Cheers,
>>> -matt
>>
>> Here's a couple of queries from a ping that Snort picked up on. There
>> are still no values appearing in the signature or sensor tables. Note
>> that each transaction below runs a SELECT sig_id FROM signature but
>> never an INSERT INTO signature, yet the following INSERT INTO event
>> still uses signature = 1.
>>
>>
>>                      22 Query       INSERT INTO data
>> (sid,cid,data_payload) VALUES
>> (1,80,'9614E149E973090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212
>> 2232425262728292A2B2C2D2E2F3031323334353637')
>>                      22 Query       COMMIT
>>                      22 Query       BEGIN
>>                      22 Query       SELECT sig_id   FROM signature
>> WHERE sig_name = 'ICMP PING'    AND sig_rev = 5    AND sig_sid = 384
>>  AND sig_gid = 1
>>                      22 Query       INSERT INTO event
>> (sid,cid,signature,timestamp) VALUES (1, 81, 1, '2009-04-11 18:07:20')
>>                      22 Query       INSERT INTO icmphdr (sid, cid,
>> icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES
>> (1,81,8,0,63192,44111,2)
>>                      22 Query       INSERT INTO iphdr (sid, cid,
>> ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id,
>> ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES
>> (1,81,2886730504,2886730242,4,5,0,84,0,0,0,63,1,56958)
>>                      22 Query       INSERT INTO data
>> (sid,cid,data_payload) VALUES
>> (1,81,'9614E149E973090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212
>> 2232425262728292A2B2C2D2E2F3031323334353637')
>>                      22 Query       COMMIT
>> 090411 18:07:21      22 Query       BEGIN
>>                      22 Query       SELECT sig_id   FROM signature
>> WHERE sig_name = 'ICMP PING BSDtype'    AND sig_rev = 6    AND sig_sid
>> = 368    AND sig_gid = 1
>>                      22 Query       INSERT INTO event
>> (sid,cid,signature,timestamp) VALUES (1, 82, 1, '2009-04-11 18:07:21')
>>                      22 Query       INSERT INTO icmphdr (sid, cid,
>> icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES
>> (1,82,8,0,45018,44111,3)
>>                      22 Query       INSERT INTO iphdr (sid, cid,
>> ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id,
>> ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES
>> (1,82,2886730504,2886730242,4,5,0,84,0,0,0,64,1,56702)
>>                      22 Query       INSERT INTO data
>> (sid,cid,data_payload) VALUES
>> (1,82,'9714E1492F71090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212
>> 2232425262728292A2B2C2D2E2F3031323334353637')
>>                      22 Query       COMMIT
>>                      22 Query       BEGIN
>>                      22 Query       SELECT sig_id   FROM signature
>> WHERE sig_name = 'ICMP PING *NIX'    AND sig_rev = 7    AND sig_sid =
>> 366    AND sig_gid = 1
>>                      22 Query       INSERT INTO event
>> (sid,cid,signature,timestamp) VALUES (1, 83, 1, '2009-04-11 18:07:21')
>>                      22 Query       INSERT INTO icmphdr (sid, cid,
>> icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES
>> (1,83,8,0,45018,44111,3)
>>                      22 Query       INSERT INTO iphdr (sid, cid,
>> ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id,
>> ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES
>> (1,83,2886730504,2886730242,4,5,0,84,0,0,0,64,1,56702)
>>                      22 Query       INSERT INTO data
>> (sid,cid,data_payload) VALUES
>> (1,83,'9714E1492F71090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212
>> 2232425262728292A2B2C2D2E2F3031323334353637')
>>                      22 Query       COMMIT
>>                      22 Query       BEGIN
>>                      22 Query       SELECT sig_id   FROM signature
>> WHERE sig_name = 'ICMP PING'    AND sig_rev = 5    AND sig_sid = 384
>>  AND sig_gid = 1
>>                      22 Query       INSERT INTO event
>> (sid,cid,signature,timestamp) VALUES (1, 84, 1, '2009-04-11 18:07:21')
>>                      22 Query       INSERT INTO icmphdr (sid, cid,
>> icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES
>> (1,84,8,0,45018,44111,3)
>>                      22 Query       INSERT INTO iphdr (sid, cid,
>> ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id,
>> ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES
>> (1,84,2886730504,2886730242,4,5,0,84,0,0,0,64,1,56702)
>>                      22 Query       INSERT INTO data
>> (sid,cid,data_payload) VALUES
>> (1,84,'9714E1492F71090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212
>> 2232425262728292A2B2C2D2E2F3031323334353637')
>>                      22 Query       COMMIT
>>                      22 Query       BEGIN
>>                      22 Query       SELECT sig_id   FROM signature
>> WHERE sig_name = 'ICMP PING BSDtype'    AND sig_rev = 6    AND sig_sid
>> = 368    AND sig_gid = 1
>>                      22 Query       INSERT INTO event
>> (sid,cid,signature,timestamp) VALUES (1, 85, 1, '2009-04-11 18:07:21')
>>                      22 Query       INSERT INTO icmphdr (sid, cid,
>> icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES
>> (1,85,8,0,45018,44111,3)
>>                      22 Query       INSERT INTO iphdr (sid, cid,
>> ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id,
>> ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES
>> (1,85,2886730504,2886730242,4,5,0,84,0,0,0,63,1,56958)
>>                      22 Query       INSERT INTO data
>> (sid,cid,data_payload) VALUES
>> (1,85,'9714E1492F71090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212
>> 2232425262728292A2B2C2D2E2F3031323334353637')
>>                      22 Query       COMMIT
>>                      22 Query       BEGIN
>>                      22 Query       SELECT sig_id   FROM signature
>> WHERE sig_name = 'ICMP PING *NIX'    AND sig_rev = 7    AND sig_sid =
>> 366    AND sig_gid = 1
>>                      22 Query       INSERT INTO event
>> (sid,cid,signature,timestamp) VALUES (1, 86, 1, '2009-04-11 18:07:21')
>>                      22 Query       INSERT INTO icmphdr (sid, cid,
>> icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES
>> (1,86,8,0,45018,44111,3)
>>                      22 Query       INSERT INTO iphdr (sid, cid,
>> ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id,
>> ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES
>> (1,86,2886730504,2886730242,4,5,0,84,0,0,0,63,1,56958)
>>
>
>
>



-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/



