[Snort-users] R: v2.8.4 incorrect logging to MySQL: PATCH

Todd Wease twease at ...1935...
Tue Apr 14 10:28:24 EDT 2009


This fix will be in the next release, however a date has not been set
yet.  The patch Luigi posted is the same one that will be used.


Jason Wallace wrote:
> So should we expect to see a snort-2.8.4.1 out soon with this fix
> included? I'm getting ready to submit a new ebuild for Gentoo for
> snort 2.8.4. I can wait a couple of days if an official version with
> this fix is going to be released soon. If not, I can add this patch
> to my build process.
>
> Thx,
> Wally
>
> On Mon, Apr 13, 2009 at 3:15 PM, Stephen Reese <rsreese at ...11827...> wrote:
>   
>> On Mon, Apr 13, 2009 at 11:07 AM, Todd Wease <twease at ...1935...> wrote:
>>     
>>> Thanks much Luigi.  That is the fix.
>>>
>>>
>>> snortml at ...14556... wrote:
>>>       
>>>> I'm having exactly the same problem: fresh 2.8.4 install with mysql output:
>>>> sensor table never gets inserted a row.
>>>>
>>>> I think I have found the problem and produced a simple patch but please,
>>>> revise it: I'm not a coder, and have no particular experience with snort. So
>>>> I'm not sure my patch can not have some side-effects.
>>>>
>>>> That said, the problem seems to be in Select() in
>>>> src/output-plugins/spo_database.c , in the portion of the function used with
>>>> the mysql db (I did not examine other dbs' code).
>>>> This function makes a SQL SELECT and, upon success, returns the fetched
>>>> value converted to integer. When it encounters an error, returns 0.
>>>> But, as a special case, when the query was successful but did not yield any
>>>> row, it returns 1. There is no distinction whether the "1" returned was
>>>> because the value "1" was fetched from the DB, or simply the DB did not
>>>> return any row.
>>>> As a consequence, when this code is executed:
>>>>
>>>>     data->shared->sid = Select(select_sensor_id,data);
>>>>     if(data->shared->sid == 0)
>>>>     {
>>>>         Insert(insert_into_sensor,data);
>>>>
>>>> the Select() returns 1, and the Insert() is never done.
>>>> So the sensor table remains empty.
>>>>
>>>> My patch is just as simple as:
>>>>
>>>> # diff -ubB spo_database.c.orig spo_database.c
>>>> --- spo_database.c.orig      2009-04-13 16:03:49.000000000 +0200
>>>> +++ spo_database.c   2009-04-13 15:59:53.000000000 +0200
>>>> @@ -2798,6 +2798,14 @@
>>>>                      {
>>>>                          result = atoi(data->m_row[0]);
>>>>                      }
>>>> +                    else
>>>> +                    {
>>>> +                        result = 0;
>>>> +                    }
>>>> +                }
>>>> +                else
>>>> +                {
>>>> +                    result = 0;
>>>>                  }
>>>>              }
>>>>              mysql_free_result(data->m_result);
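Review bot: the two added else branches make the no-row case return 0, which the report says is also what Select() returns on a query error, so the caller's `if(data->shared->sid == 0)` test cannot tell "sensor not registered yet" from "lookup failed" and will run Insert() in both cases. Consider a distinct error value, or returning the fetched id through an out-parameter, and add a comment next to `result = atoi(data->m_row[0]);` stating what a return of 0 means. The report covers only the MySQL path, so the other database branches of Select() should be checked for the same default before this is treated as complete.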
>>>>
>>>> I simply return 0 (false) if the query was technically successful, but no
>>>> result was found.
>>>>         
>> Also worked for me, thanks!
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by:
>> High Quality Requirements in a Collaborative Environment.
>> Download a free trial of Rational Requirements Composer Now!
>> http://p.sf.net/sfu/www-ibm-com
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>     
>
>   
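The return-value ambiguity described in the quoted report, as an added example that is not part of the thread and not Snort's code: a constructed model of Select()'s behaviour before and after the patch, plus a hypothetical `select_checked()` that goes beyond the patch by reporting query error, no row and value separately. All function names and the row arrays are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical status type: keeps "error" and "no row" apart from the value. */
typedef enum { SEL_ERROR = -1, SEL_NO_ROW = 0, SEL_OK = 1 } sel_status;

/* Model of the behaviour described in the report (not the Snort source):
 * 0 on query error, 1 when the query succeeds but yields no row. */
int select_prepatch(const char *const *rows, int query_failed)
{
    int result = 1;
    if (query_failed) return 0;
    if (rows && rows[0]) result = atoi(rows[0]);
    return result;
}

/* Model of the patched behaviour: no row now returns 0 as well. */
int select_patched(const char *const *rows, int query_failed)
{
    if (query_failed) return 0;
    return (rows && rows[0]) ? atoi(rows[0]) : 0;
}

/* Stricter variant: status in the return value, fetched id in *out. */
sel_status select_checked(const char *const *rows, int query_failed, long *out)
{
    char *end;
    if (query_failed) return SEL_ERROR;
    if (!rows || !rows[0]) return SEL_NO_ROW;
    *out = strtol(rows[0], &end, 10);
    return (end != rows[0] && *end == '\0') ? SEL_OK : SEL_ERROR;
}

/* Caller test quoted in the report: Insert() runs only when sid == 0. */
int would_insert(int sid) { return sid == 0; }

int main(void)
{
    const char *const empty[] = { NULL };      /* constructed: empty sensor table */
    const char *const one[]   = { "1", NULL }; /* constructed: sensor with sid 1 */
    long sid = 0;

    printf("pre-patch, empty table: insert=%d\n", would_insert(select_prepatch(empty, 0)));
    printf("patched,   empty table: insert=%d\n", would_insert(select_patched(empty, 0)));
    printf("patched,   query error: insert=%d\n", would_insert(select_patched(one, 1)));
    printf("checked,   query error: status=%d\n", select_checked(one, 1, &sid));
    printf("checked,   empty table: status=%d\n", select_checked(empty, 0, &sid));
    return 0;
}
```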




