[Snort-users] R: v2.8.4 incorrect logging to MySQL: PATCH

Jason Wallace jason.r.wallace at ...11827...
Tue Apr 14 10:31:50 EDT 2009


Thx for the reply, Todd. I'll include the patch in the ebuild, and
remove it when the next version comes out.

Thx,
Wally

On Tue, Apr 14, 2009 at 10:28 AM, Todd Wease <twease at ...1935...> wrote:
> This fix will be in the next release, however a date has not been set
> yet.  The patch Luigi posted is the same one that will be used.
>
>
> Jason Wallace wrote:
>> So should we expect to see a snort-2.8.4.1 out soon with this fix
>> included? I'm getting ready to submit a new ebuild for Gentoo for
>> snort 2.8.4. I can wait a couple of days if an official version with
>> this fix is going to be released soon. If not, I can add this patch
>> to my build process.
>>
>> Thx,
>> Wally
>>
>> On Mon, Apr 13, 2009 at 3:15 PM, Stephen Reese <rsreese at ...11827...> wrote:
>>
>>> On Mon, Apr 13, 2009 at 11:07 AM, Todd Wease <twease at ...1935...> wrote:
>>>
>>>> Thanks much Luigi.  That is the fix.
>>>>
>>>>
>>>> snortml at ...14556... wrote:
>>>>
>>>>> I'm having exactly the same problem: fresh 2.8.4 install with mysql output:
>>>>> the sensor table never gets a row inserted.
>>>>>
>>>>> I think I have found the problem and produced a simple patch but please,
>>>>> revise it: I'm not a coder, and have no particular experience with snort. So
>>>>> I'm not sure my patch can not have some side-effects.
>>>>>
>>>>> That said, the problem seems to be in Select() in
>>>>> src/output-plugins/spo_database.c , in the portion of the function used with
>>>>> the mysql db (I did not examine other dbs' code).
>>>>> This function makes a SQL SELECT and, upon success, returns the fetched
>>>>> value converted to integer. When it encounters an error, it returns 0.
>>>>> But, as a special case, when the query was successful but did not yield any
>>>>> row, it returns 1. There is no distinction whether the "1" returned was
>>>>> because the value "1" was fetched from the DB, or simply the DB did not
>>>>> return any row.
>>>>> As a consequence, when this code is executed:
>>>>>
>>>>>     data->shared->sid = Select(select_sensor_id,data);
>>>>>     if(data->shared->sid == 0)
>>>>>     {
>>>>>         Insert(insert_into_sensor,data);
>>>>>
>>>>> the Select() returns 1, and the Insert() is never done.
>>>>> So the sensor table remains empty.
>>>>>
>>>>> My patch is just as simple as:
>>>>>
>>>>> # diff -ubB spo_database.c.orig spo_database.c
>>>>> --- spo_database.c.orig      2009-04-13 16:03:49.000000000 +0200
>>>>> +++ spo_database.c   2009-04-13 15:59:53.000000000 +0200
>>>>> @@ -2798,6 +2798,14 @@
>>>>>                      {
>>>>>                          result = atoi(data->m_row[0]);
>>>>>                      }
>>>>> +                    else
>>>>> +                    {
>>>>> +                        result = 0;
>>>>> +                    }
>>>>> +                }
>>>>> +                else
>>>>> +                {
>>>>> +                    result = 0;
>>>>>                  }
>>>>>              }
>>>>>              mysql_free_result(data->m_result);
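Review bot: After the two added `else` branches, a return of 0 from this MySQL path no longer has a single meaning: it covers a query that produced no row, a column for which `atoi(data->m_row[0])` yields 0, and (per the description above) the error return, and the caller's `if(data->shared->sid == 0)` will attempt the Insert() in every one of those cases. A short comment at the added branches stating that 0 means "no usable row" would document that contract. Both branches assign the same value, so a single `result = 0;` ahead of the nested checks may be simpler, provided no other path depends on the previous default. The poster examined only the MySQL portion of Select(), so the other database branches deserve the same check before this is merged.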
>>>>>
>>>>> I simply return 0 (false) if the query was technically successful, but no
>>>>> result was found.
>>>>>
>>> Also worked for me, thanks!
>>>
>>> ------------------------------------------------------------------------------
>>> This SF.net email is sponsored by:
>>> High Quality Requirements in a Collaborative Environment.
>>> Download a free trial of Rational Requirements Composer Now!
>>> http://p.sf.net/sfu/www-ibm-com
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>>
>>
>
>
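
The return-value ambiguity discussed in the quoted messages, as an added example that is not code from the thread or from Snort: a small C model of a Select()-style helper before and after the patch, driving the caller's `sid == 0` check. The `fake_result` struct and all function names are assumptions standing in for the MySQL result handling in spo_database.c, and the "default of 1" is modelled from the description in the thread.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a MySQL result: at most one row, one column.
 * None of these names come from spo_database.c. */
struct fake_result {
    int query_ok;        /* 0 = the query itself failed */
    const char *row0;    /* NULL = query succeeded but returned no row */
};

/* Behaviour described for 2.8.4: "no row" comes back as 1, which cannot
 * be told apart from a sensor id of 1 fetched from the table. */
static int select_before(const struct fake_result *r)
{
    int result = 1;
    if (!r->query_ok)
        return 0;
    if (r->row0 != NULL)
        result = atoi(r->row0);
    return result;
}

/* Behaviour after the patch: "no row" yields 0, the same as an error. */
static int select_after(const struct fake_result *r)
{
    if (!r->query_ok || r->row0 == NULL)
        return 0;
    return atoi(r->row0);
}

/* Caller logic quoted in the thread: the sensor row is inserted only
 * when the returned sid is 0. Returns 1 if an insert would be issued. */
static int sensor_insert_needed(int sid)
{
    return sid == 0;
}

int main(void)
{
    struct fake_result empty = { 1, NULL };  /* fresh install, empty sensor table */
    struct fake_result have7 = { 1, "7" };   /* sensor already registered */

    printf("before: empty table -> sid=%d insert=%d\n",
           select_before(&empty), sensor_insert_needed(select_before(&empty)));
    printf("after:  empty table -> sid=%d insert=%d\n",
           select_after(&empty), sensor_insert_needed(select_after(&empty)));
    printf("after:  existing    -> sid=%d insert=%d\n",
           select_after(&have7), sensor_insert_needed(select_after(&have7)));
    return 0;
}
```

With the pre-patch helper, an empty sensor table produces a sid of 1 and no insert, so alerts are logged against a sensor row that does not exist.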
