[Snort-users] R: v2.8.4 incorrect logging to MySQL: PATCH

Todd Wease twease at ...1935...
Mon Apr 13 11:07:37 EDT 2009


Thanks much Luigi.  That is the fix.


snortml at ...14556... wrote:
> I'm having exactly the same problem: fresh 2.8.4 install with mysql output:
> sensor table never gets inserted a row.
>
> I think I have found the problem and produced a simple patch but please,
> revise it: I'm not a coder, and have no particular experience with snort. So
> I'm not sure my patch cannot have some side-effects.
>
> That said, the problem seems to be in Select() in
> src/output-plugins/spo_database.c, in the portion of the function used with
> the mysql db (I did not examine other dbs' code).
> This function makes a SQL SELECT and, upon success, returns the fetched
> value converted to integer. When it encounters an error, it returns 0.
> But, as a special case, when the query was successful but did not yield any
> row, it returns 1. There is no distinction whether the "1" returned was
> because the value "1" was fetched from the DB, or simply the DB did not
> return any row.
> As a consequence, when this code is executed:
>
>     data->shared->sid = Select(select_sensor_id,data);
>     if(data->shared->sid == 0)
>     {
>         Insert(insert_into_sensor,data);
>
> the Select() returns 1, and the Insert() is never done.
> So the sensor table remains empty.
>
> My patch is just as simple as:
>
> # diff -ubB spo_database.c.orig spo_database.c
> --- spo_database.c.orig      2009-04-13 16:03:49.000000000 +0200
> +++ spo_database.c   2009-04-13 15:59:53.000000000 +0200
> @@ -2798,6 +2798,14 @@
>                      {
>                          result = atoi(data->m_row[0]);
>                      }
> +                    else
> +                    {
> +                        result = 0;
> +                    }
> +                }
> +                else
> +                {
> +                    result = 0;
>                  }
>              }
>              mysql_free_result(data->m_result);
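Review bot: both added else branches assign result = 0, which is also the value Select() returns on a query failure, so after this patch the caller still cannot distinguish "query ran, no sensor row yet" from "query failed", the very doubt the submitter raises below; with the caller shown earlier in the mail (if(data->shared->sid == 0) Insert(...)), a failed SELECT will now also trigger an INSERT. A tidier fix is either to initialise result to 0 before the mysql_fetch_row() block and drop both new else branches, or to return a distinct code (for example -1) on the error path so the caller can skip the insert and log the failure. The hunk was made with diff -ubB and no -p, so the @@ header carries no function name; a diff -up would let a reviewer confirm the lines sit inside the DB_MYSQL branch of Select(). The query log quoted later in the thread shows the same kind of lookup against the signature table (SELECT sig_id FROM signature), and that table is reported empty too, so the fix should be verified against both tables.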
>
> I simply return 0 (false) if the query was technically successful, but no
> result was found.
>
> As I said, I would like some expert to revise the patch, since I don't know
> if in ALL SITUATIONS it is right to return 0 (just like there was an error)
> when we have no value returned. I'm just sure it's better to return 0 than
> 1.
>
> Cheers
> Luigi 
>
>
>
>
>> Da: Danny Paul [mailto:JDPAUL at ...14549...]
>>
>> I verified as well that no inserts were being made into the
>> signatures or sensors table.
>>
>> Matt, seeing as how you work for sourcefire, are you
>> submitting this as a bug request on our behalf, or do I need
>> to do that?
>>
>>>>> On 4/11/2009 at 5:11 PM, in message
>>>>> <665172f40904111511r29d51a9bha360b839e3239e0b at ...11828...>,
>>>>> <rsreese at ...11827...> wrote:
>>> On Sat, Apr 11, 2009 at 3:16 PM, Matt Watchinski
>>> <mwatchinski at ...1935...> wrote:
>>>> Turn on mysql query logging and see if snort is trying to
>>>> insert to those tables.  It doesn't look like much changed in spo_database.c
>>>>
>>>> Cheers,
>>>> -matt
>>> Here's a couple of queries from a ping that Snort picked up on. There
>>> are still no values appearing in the signature or sensor tables.
>>>
>>>                      22 Query       INSERT INTO data (sid,cid,data_payload) VALUES (1,80,'9614E149E973090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637')
>>>                      22 Query       COMMIT
>>>                      22 Query       BEGIN
>>>                      22 Query       SELECT sig_id   FROM signature WHERE sig_name = 'ICMP PING'    AND sig_rev = 5    AND sig_sid = 384    AND sig_gid = 1
>>>                      22 Query       INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 81, 1, '2009-04-11 18:07:20')
>>>                      22 Query       INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES (1,81,8,0,63192,44111,2)
>>>                      22 Query       INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id, ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES (1,81,2886730504,2886730242,4,5,0,84,0,0,0,63,1,56958)
>>>                      22 Query       INSERT INTO data (sid,cid,data_payload) VALUES (1,81,'9614E149E973090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637')
>>>                      22 Query       COMMIT
>>> 090411 18:07:21      22 Query       BEGIN
>>>                      22 Query       SELECT sig_id   FROM signature WHERE sig_name = 'ICMP PING BSDtype'    AND sig_rev = 6    AND sig_sid = 368    AND sig_gid = 1
>>>                      22 Query       INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 82, 1, '2009-04-11 18:07:21')
>>>                      22 Query       INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES (1,82,8,0,45018,44111,3)
>>>                      22 Query       INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id, ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES (1,82,2886730504,2886730242,4,5,0,84,0,0,0,64,1,56702)
>>>                      22 Query       INSERT INTO data (sid,cid,data_payload) VALUES (1,82,'9714E1492F71090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637')
>>>                      22 Query       COMMIT
>>>                      22 Query       BEGIN
>>>                      22 Query       SELECT sig_id   FROM signature WHERE sig_name = 'ICMP PING *NIX'    AND sig_rev = 7    AND sig_sid = 366    AND sig_gid = 1
>>>                      22 Query       INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 83, 1, '2009-04-11 18:07:21')
>>>                      22 Query       INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES (1,83,8,0,45018,44111,3)
>>>                      22 Query       INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id, ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES (1,83,2886730504,2886730242,4,5,0,84,0,0,0,64,1,56702)
>>>                      22 Query       INSERT INTO data (sid,cid,data_payload) VALUES (1,83,'9714E1492F71090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637')
>>>                      22 Query       COMMIT
>>>                      22 Query       BEGIN
>>>                      22 Query       SELECT sig_id   FROM signature WHERE sig_name = 'ICMP PING'    AND sig_rev = 5    AND sig_sid = 384    AND sig_gid = 1
>>>                      22 Query       INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 84, 1, '2009-04-11 18:07:21')
>>>                      22 Query       INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES (1,84,8,0,45018,44111,3)
>>>                      22 Query       INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id, ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES (1,84,2886730504,2886730242,4,5,0,84,0,0,0,64,1,56702)
>>>                      22 Query       INSERT INTO data (sid,cid,data_payload) VALUES (1,84,'9714E1492F71090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637')
>>>                      22 Query       COMMIT
>>>                      22 Query       BEGIN
>>>                      22 Query       SELECT sig_id   FROM signature WHERE sig_name = 'ICMP PING BSDtype'    AND sig_rev = 6    AND sig_sid = 368    AND sig_gid = 1
>>>                      22 Query       INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 85, 1, '2009-04-11 18:07:21')
>>>                      22 Query       INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES (1,85,8,0,45018,44111,3)
>>>                      22 Query       INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id, ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES (1,85,2886730504,2886730242,4,5,0,84,0,0,0,63,1,56958)
>>>                      22 Query       INSERT INTO data (sid,cid,data_payload) VALUES (1,85,'9714E1492F71090008090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637')
>>>                      22 Query       COMMIT
>>>                      22 Query       BEGIN
>>>                      22 Query       SELECT sig_id   FROM signature WHERE sig_name = 'ICMP PING *NIX'    AND sig_rev = 7    AND sig_sid = 366    AND sig_gid = 1
>>>                      22 Query       INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 86, 1, '2009-04-11 18:07:21')
>>>                      22 Query       INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) VALUES (1,86,8,0,45018,44111,3)
>>>                      22 Query       INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen,        ip_tos, ip_len, ip_id, ip_flags, ip_off,       ip_ttl, ip_proto, ip_csum) VALUES (1,86,2886730504,2886730242,4,5,0,84,0,0,0,63,1,56958)
>>>
>>> ------------------------------------------------------------------------------
>>> This SF.net email is sponsored by:
>>> High Quality Requirements in a Collaborative Environment.
>>> Download a free trial of Rational Requirements Composer Now!
>>> http://p.sf.net/sfu/www-ibm-com 
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net 
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users 
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>

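The return-value ambiguity Luigi describes, as an added example that is not Snort's code and not part of this thread: one integer carries three outcomes (fetched id, "no row", error), so an empty sensor table reports the same value as a sensor whose id happens to be 1, and the caller's `== 0` test never fires. The block below models the old behaviour and a lookup that separates status from value. The MySQL result set is replaced by plain arguments, and the names `select_ambiguous`, `select_id`, `lookup_status`, `old_caller_inserts` and `new_caller_decision` are invented for the illustration.

```c
/* Added example, not Snort code: models the Select() return-value ambiguity
 * described in the thread and one way to remove it. The MySQL result set is
 * replaced by plain arguments (query_ok, nrows, col0) so the file runs
 * stand-alone; all function and type names are invented for this illustration. */
#include <stdio.h>
#include <stdlib.h>

/* Mirrors the behaviour described in the thread: 0 on query error, the fetched
 * value on success, and 1 when the query succeeded but returned no usable row. */
static int select_ambiguous(int query_ok, int nrows, const char *col0)
{
    int result = 1;                 /* hypothetical "query succeeded" flag */
    if (!query_ok)
        return 0;                   /* error path */
    if (nrows > 0 && col0 != NULL)
        result = atoi(col0);        /* overwritten only when a value exists */
    return result;                  /* "no row" and a real id of 1 collide here */
}

/* The caller's test from the thread: insert a sensor row only when the
 * lookup yields 0. Returns 1 if an INSERT would be issued, else 0. */
static int old_caller_inserts(int query_ok, int nrows, const char *col0)
{
    int sid = select_ambiguous(query_ok, nrows, col0);
    return sid == 0;
}

/* Separating status from value removes the ambiguity: the id travels through
 * an out-parameter and the return value only says what happened. */
typedef enum { LOOKUP_ERROR = -1, LOOKUP_NOT_FOUND = 0, LOOKUP_FOUND = 1 } lookup_status;

static lookup_status select_id(int query_ok, int nrows, const char *col0, int *id_out)
{
    if (!query_ok)
        return LOOKUP_ERROR;
    if (nrows == 0 || col0 == NULL)  /* no row, or SQL NULL in the column */
        return LOOKUP_NOT_FOUND;
    *id_out = atoi(col0);
    return LOOKUP_FOUND;
}

/* Decision the caller makes with the hardened lookup:
 * 1 = insert a new row, 0 = a row already exists, -1 = query failed (do not insert). */
static int new_caller_decision(int query_ok, int nrows, const char *col0)
{
    int sid = 0;
    switch (select_id(query_ok, nrows, col0, &sid)) {
    case LOOKUP_FOUND:     return 0;
    case LOOKUP_NOT_FOUND: return 1;
    default:               return -1;
    }
}

int main(void)
{
    /* Constructed scenarios: fresh install (no sensor row), existing row with
     * id 1, and a failed query. */
    printf("old: empty table   -> select=%d insert=%d\n",
           select_ambiguous(1, 0, NULL), old_caller_inserts(1, 0, NULL));
    printf("old: row with id 1 -> select=%d insert=%d\n",
           select_ambiguous(1, 1, "1"), old_caller_inserts(1, 1, "1"));
    printf("old: query failed  -> select=%d insert=%d\n",
           select_ambiguous(0, 0, NULL), old_caller_inserts(0, 0, NULL));
    printf("new: empty table   -> decision=%d\n", new_caller_decision(1, 0, NULL));
    printf("new: row with id 1 -> decision=%d\n", new_caller_decision(1, 1, "1"));
    printf("new: query failed  -> decision=%d\n", new_caller_decision(0, 0, NULL));
    return 0;
}
```

With the old shape, the empty-table and id-1 cases both return 1 and the error case is the only one that triggers an insert, which is the inverse of what the caller wants. With status and value separated, the error case is reported on its own and the caller can log it instead of inserting blindly.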