[Snort-users] R: v2.8.4 incorrect logging to MySQL: PATCH

snortml at ...14556...
Mon Apr 13 10:17:16 EDT 2009


I'm having exactly the same problem: fresh 2.8.4 install with mysql output:
the sensor table never gets a row inserted.

I think I have found the problem and produced a simple patch but please,
revise it: I'm not a coder, and have no particular experience with snort. So
I'm not sure my patch cannot have some side-effects.

That said, the problem seems to be in Select() in
src/output-plugins/spo_database.c, in the portion of the function used with
the mysql db (I did not examine other dbs' code).
This function makes a SQL SELECT and, upon success, returns the fetched
value converted to integer. When it encounters an error, it returns 0.
But, as a special case, when the query was successful but did not yield any
row, it returns 1. There is no distinction whether the "1" returned was
because the value "1" was fetched from the DB, or simply the DB did not
return any row.
As a consequence, when this code is executed:

    data->shared->sid = Select(select_sensor_id,data);   /* 1 if no row was found */
    if(data->shared->sid == 0)                           /* only 0 triggers the INSERT */
    {
        Insert(insert_into_sensor,data);

the Select() returns 1, and the Insert() is never done.
So the sensor table remains empty.

My patch is just as simple as:

# diff -ubB spo_database.c.orig spo_database.c
--- spo_database.c.orig      2009-04-13 16:03:49.000000000 +0200
+++ spo_database.c   2009-04-13 15:59:53.000000000 +0200
@@ -2798,6 +2798,14 @@
                     {
                         result = atoi(data->m_row[0]);
                     }
+                    else
+                    {
+                        result = 0;
+                    }
+                }
+                else
+                {
+                    result = 0;
                 }
             }
             mysql_free_result(data->m_result);
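Review bot: the `+                }` followed by `+                else` at the middle nesting level re-pairs an existing closing brace rather than only adding a branch, and the three context lines do not show which `if` that new `else` now belongs to, so the bracing should be checked against the full function before this is applied. A form that needs no nested `else` branches at all is to initialise `result` to 0 at its declaration and assign it only on the `result = atoi(data->m_row[0]);` success path. Either way, the change covers only the MySQL branch of Select(), and a row that genuinely holds the value 0 would still be indistinguishable from "no row" for callers that test `== 0`.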

I simply return 0 (false) if the query was technically successful, but no
result was found.

As I said, I would like some expert to revise the patch, since I don't know
if in ALL SITUATIONS it is right to return 0 (just like there was an error)
when we have no value returned. I'm just sure it's better to return 0 than
1.

Cheers
Luigi 
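To show the collision Luigi describes in isolation, here is an added example (not Snort's spo_database.c and not Luigi's patch) that simulates the old Select() contract against a constructed stand-in for a MySQL result set, and next to it a variant that returns a status and hands the fetched id back through an out-parameter, so "no row" can never be mistaken for a sensor id. FakeResult, select_id_ambiguous, select_id and the needs_insert_* helpers are all invented for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a MySQL result set: row0 == NULL means "no rows". */
typedef struct { const char *row0; } FakeResult;

/* Mirrors the 2.8.4 behaviour described above: 0 on error, 1 when the
 * query succeeded but returned no row, atoi(row) otherwise.  The value 1
 * is ambiguous: "sensor id 1" and "no sensor row" produce the same result. */
static int select_id_ambiguous(const FakeResult *res)
{
    int result = 1;                 /* old "no rows" sentinel */
    if (res == NULL)                /* query failed */
        return 0;
    if (res->row0 != NULL)
        result = atoi(res->row0);
    return result;
}

/* Alternative contract: the return value is only a status; the fetched id
 * goes to an out-parameter, so no id value can collide with a status. */
enum select_status { SEL_ERROR = -1, SEL_NO_ROW = 0, SEL_ROW = 1 };

static enum select_status select_id(const FakeResult *res, int *id_out)
{
    *id_out = 0;
    if (res == NULL)
        return SEL_ERROR;
    if (res->row0 == NULL)
        return SEL_NO_ROW;
    *id_out = atoi(res->row0);
    return SEL_ROW;
}

/* The decision the sensor-insert branch makes, under each contract. */
static int needs_insert_old(const FakeResult *res) { return select_id_ambiguous(res) == 0; }
static int needs_insert_new(const FakeResult *res)
{
    int sid;
    return select_id(res, &sid) == SEL_NO_ROW;
}

int main(void)
{
    FakeResult empty = { NULL }, one = { "1" };
    printf("old: empty->%d one->%d\n", needs_insert_old(&empty), needs_insert_old(&one));
    printf("new: empty->%d one->%d\n", needs_insert_new(&empty), needs_insert_new(&one));
    return 0;
}
```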



> Da: Danny Paul [mailto:JDPAUL at ...14549...] 

> I verified as well that no inserts were being made into the 
> signatures or sensors table.
> 
> Matt, seeing as how you work for sourcefire, are you 
> submitting this as a bug request on our behalf, or do I need 
> to do that?
> 
> >>> On 4/11/2009 at 5:11 PM, in message
> <665172f40904111511r29d51a9bha360b839e3239e0b at ...11828...>,
> <rsreese at ...11827...> wrote:
> > On Sat, Apr 11, 2009 at 3:16 PM, Matt Watchinski
> > <mwatchinski at ...1935...> wrote:
> >> Turn on mysql query logging and see if snort its trying to 
> insert to
> >> those tables.  It doesn't looks like much changed in spo_database.c
> >>
> >> Cheers,
> >> -matt
> > 
> > Here's a couple of queries from a ping that Snort picked up 
> on. There
> > are still no values appearing in the signature or sensor tables.
> > 
> > 
> >                      22 Query       INSERT INTO data
> > (sid,cid,data_payload) VALUES
> > 
> (1,80,'9614E149E973090008090A0B0C0D0E0F101112131415161718191A1
> B1C1D1E1F20212
> > 2232425262728292A2B2C2D2E2F3031323334353637')
> >                      22 Query       COMMIT
> >                      22 Query       BEGIN
> >                      22 Query       SELECT sig_id   FROM signature
> > WHERE sig_name = 'ICMP PING'    AND sig_rev = 5    AND sig_sid = 384
> >  AND sig_gid = 1
> >                      22 Query       INSERT INTO event
> > (sid,cid,signature,timestamp) VALUES (1, 81, 1, '2009-04-11 
> 18:07:20')
> >                      22 Query       INSERT INTO icmphdr (sid, cid,
> > icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES
> > (1,81,8,0,63192,44111,2)
> >                      22 Query       INSERT INTO iphdr (sid, cid,
> > ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id,
> > ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES
> > (1,81,2886730504,2886730242,4,5,0,84,0,0,0,63,1,56958)
> >                      22 Query       INSERT INTO data
> > (sid,cid,data_payload) VALUES
> > 
> (1,81,'9614E149E973090008090A0B0C0D0E0F101112131415161718191A1
> B1C1D1E1F20212
> > 2232425262728292A2B2C2D2E2F3031323334353637')
> >                      22 Query       COMMIT
> > 090411 18:07:21      22 Query       BEGIN
> >                      22 Query       SELECT sig_id   FROM signature
> > WHERE sig_name = 'ICMP PING BSDtype'    AND sig_rev = 6    
> AND sig_sid
> > = 368    AND sig_gid = 1
> >                      22 Query       INSERT INTO event
> > (sid,cid,signature,timestamp) VALUES (1, 82, 1, '2009-04-11 
> 18:07:21')
> >                      22 Query       INSERT INTO icmphdr (sid, cid,
> > icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES
> > (1,82,8,0,45018,44111,3)
> >                      22 Query       INSERT INTO iphdr (sid, cid,
> > ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id,
> > ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES
> > (1,82,2886730504,2886730242,4,5,0,84,0,0,0,64,1,56702)
> >                      22 Query       INSERT INTO data
> > (sid,cid,data_payload) VALUES
> > 
> (1,82,'9714E1492F71090008090A0B0C0D0E0F101112131415161718191A1
> B1C1D1E1F20212
> > 2232425262728292A2B2C2D2E2F3031323334353637')
> >                      22 Query       COMMIT
> >                      22 Query       BEGIN
> >                      22 Query       SELECT sig_id   FROM signature
> > WHERE sig_name = 'ICMP PING *NIX'    AND sig_rev = 7    AND 
> sig_sid =
> > 366    AND sig_gid = 1
> >                      22 Query       INSERT INTO event
> > (sid,cid,signature,timestamp) VALUES (1, 83, 1, '2009-04-11 
> 18:07:21')
> >                      22 Query       INSERT INTO icmphdr (sid, cid,
> > icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES
> > (1,83,8,0,45018,44111,3)
> >                      22 Query       INSERT INTO iphdr (sid, cid,
> > ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id,
> > ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES
> > (1,83,2886730504,2886730242,4,5,0,84,0,0,0,64,1,56702)
> >                      22 Query       INSERT INTO data
> > (sid,cid,data_payload) VALUES
> > 
> (1,83,'9714E1492F71090008090A0B0C0D0E0F101112131415161718191A1
> B1C1D1E1F20212
> > 2232425262728292A2B2C2D2E2F3031323334353637')
> >                      22 Query       COMMIT
> >                      22 Query       BEGIN
> >                      22 Query       SELECT sig_id   FROM signature
> > WHERE sig_name = 'ICMP PING'    AND sig_rev = 5    AND sig_sid = 384
> >  AND sig_gid = 1
> >                      22 Query       INSERT INTO event
> > (sid,cid,signature,timestamp) VALUES (1, 84, 1, '2009-04-11 
> 18:07:21')
> >                      22 Query       INSERT INTO icmphdr (sid, cid,
> > icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES
> > (1,84,8,0,45018,44111,3)
> >                      22 Query       INSERT INTO iphdr (sid, cid,
> > ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id,
> > ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES
> > (1,84,2886730504,2886730242,4,5,0,84,0,0,0,64,1,56702)
> >                      22 Query       INSERT INTO data
> > (sid,cid,data_payload) VALUES
> > 
> (1,84,'9714E1492F71090008090A0B0C0D0E0F101112131415161718191A1
> B1C1D1E1F20212
> > 2232425262728292A2B2C2D2E2F3031323334353637')
> >                      22 Query       COMMIT
> >                      22 Query       BEGIN
> >                      22 Query       SELECT sig_id   FROM signature
> > WHERE sig_name = 'ICMP PING BSDtype'    AND sig_rev = 6    
> AND sig_sid
> > = 368    AND sig_gid = 1
> >                      22 Query       INSERT INTO event
> > (sid,cid,signature,timestamp) VALUES (1, 85, 1, '2009-04-11 
> 18:07:21')
> >                      22 Query       INSERT INTO icmphdr (sid, cid,
> > icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES
> > (1,85,8,0,45018,44111,3)
> >                      22 Query       INSERT INTO iphdr (sid, cid,
> > ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id,
> > ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES
> > (1,85,2886730504,2886730242,4,5,0,84,0,0,0,63,1,56958)
> >                      22 Query       INSERT INTO data
> > (sid,cid,data_payload) VALUES
> > 
> (1,85,'9714E1492F71090008090A0B0C0D0E0F101112131415161718191A1
> B1C1D1E1F20212
> > 2232425262728292A2B2C2D2E2F3031323334353637')
> >                      22 Query       COMMIT
> >                      22 Query       BEGIN
> >                      22 Query       SELECT sig_id   FROM signature
> > WHERE sig_name = 'ICMP PING *NIX'    AND sig_rev = 7    AND 
> sig_sid =
> > 366    AND sig_gid = 1
> >                      22 Query       INSERT INTO event
> > (sid,cid,signature,timestamp) VALUES (1, 86, 1, '2009-04-11 
> 18:07:21')
> >                      22 Query       INSERT INTO icmphdr (sid, cid,
> > icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES
> > (1,86,8,0,45018,44111,3)
> >                      22 Query       INSERT INTO iphdr (sid, cid,
> > ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id,
> > ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES
> > (1,86,2886730504,2886730242,4,5,0,84,0,0,0,63,1,56958)
> > 
> > 
> --------------------------------------------------------------
> ----------------
> > This SF.net email is sponsored by:
> > High Quality Requirements in a Collaborative Environment.
> > Download a free trial of Rational Requirements Composer Now!
> > http://p.sf.net/sfu/www-ibm-com 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net 
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users 
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 