[Snort-users] PostgreSQL problem

Michael Steele michaels at ...9057...
Sat Sep 8 15:45:47 EDT 2012


I thought I'd post this as it seems to be a fix for PostgreSQL, BASE 1.4.5,
and ADODB above version 515 that generates this error:

Apache24\htdocs\base\base_qry_alert.php:535: db->DB->MetaColumnNames('data')
is NOT an array. Ignoring

What I found was that reverting back to Adodb-515 from adodb-517 resolved
all errors, and the event payload could be viewed in the BASE console.

It was as simple as removing Adodb-517 and installing Adodb-515. However, if
there is a message at the top of the event that states 'Alert Deleted', then
all the events will need to be deleted through the BASE console, and all
should be normal.

This seems to only be happening with PostgreSQL and using Adodb above
version 515.

During this process I went as far back as installing PostgreSQL 8.2.20-1
with the same results using ADODB above version 515.
 
Kindest Regards,
Michael

-----Original Message-----
From: beenph [mailto:beenph at ...11827...] 
Sent: Saturday, September 08, 2012 2:07 AM
To: Michael Steele
Subject: Re: PostgreSQL problem

In your sensor table, which encoding are you using for your sensor?

HEX?
ASCII?
BASE64?

-elz


On Fri, Sep 7, 2012 at 9:28 PM, beenph <beenph at ...11827...> wrote:
> On Fri, Sep 7, 2012 at 7:06 PM, Michael Steele <michaels at ...9057...> wrote:
>> I don't remember seeing it before. Base hasn't changed. I'm compiling 
>> 304 now. I see by searching Google that this seems to be happening 
>> with the latest Snort and Barnyard 303?
>>
>> http://comments.gmane.org/gmane.comp.security.ids.snort.general/37358
>>
> Sorry, I do not see the issue between the link you sent and the issue
> you previously mentioned, nothing @ all.
>
>
> Now the issue you're trying to show me is from BASE; I look at the SQL
> that is produced/dumped from wherever and it clearly has nothing to
> do with the schema where events are stored.
>
>
> FYI, build version is now 309; I suggest you pull it (it's in the stable
> branch in my GitHub).
>
>
> -elz
>
>
>
>> Kindest Regards,
>> Michael Steele
>>
>>
>> -----Original Message-----
>> From: beenph [mailto:beenph at ...11827...]
>> Sent: Friday, September 07, 2012 6:55 PM
>> To: Michael Steele
>> Subject: Re: PostgreSQL problem
>>
>> That seems to be a BASE issue, not a by2 issue, isn't it?
>>
>>
>> On Fri, Sep 7, 2012 at 6:47 PM, Michael Steele <michaels at ...9057...> wrote:
>>> There seems to be a break somewhere. This is not happening to MySQL 
>>> but is to PostgreSQL.
>>>
>>> When I view the alert it shows this:
>>>
>>> D:\winids\Apache24\htdocs\base\base_qry_alert.php:535:
>>> db->DB->MetaColumnNames('data') is NOT an array. Ignoring.
>>>
>>> Using the latest version of Barnyard2 303
>>>
>>> D:\winids\Apache24\htdocs\base\base_qry_alert.php:108:
>>> db->DB->MetaColumnNames('data') is NOT an array. Ignoring.
>>>
>>>
>>>
>>> #0  PrintPcapDownload(baseCon Object ([DB] => ADODB_postgres7 Object 
>>> ([databaseType] => postgres7,[hasLimit] => 1,[ansiOuter] => 
>>> 1,[charSet] => 1,[metaColumnsSQL] => SELECT a.attname,
>>>
>>> CASE
>>>
>>>
>>> WHEN x.sequence_name != '' THEN 'SERIAL'
>>>
>>> ELSE t.typname
>>>
>>> END AS typname,
>>>
>>> a.attlen,a.atttypmod,a.attnotnull,a.atthasdef,a.attnum
>>>                                                  FROM pg_class c, 
>>> pg_attribute a
>>>                                                  JOIN pg_type t ON 
>>> a.atttypid = t.oid
>>>                                                  LEFT JOIN
>>>
>>> (SELECT c.relname as sequence_name,
>>>
>>> c1.relname as related_table,
>>>
>>> a.attname as related_column
>>>
>>> FROM pg_class c
>>>
>>> JOIN pg_depend d ON d.objid = c.oid
>>>
>>> LEFT JOIN pg_class c1 ON d.refobjid = c1.oid
>>>
>>> LEFT JOIN pg_attribute a ON (d.refobjid, d.refobjsubid) = 
>>> (a.attrelid,
>>> a.attnum)
>>>
>>> WHERE c.relkind = 'S' AND c1.relname = '%s') x
>>>
>>> ON x.related_column= a.attname
>>>                                                  WHERE c.relkind in
>>> ('r','v') AND
>>>
>>> (c.relname='%s' or c.relname = lower('%s')) AND
>>>
>>> a.attname not like '....%%' AND
>>>
>>> a.attnum > 0 AND
>>>
>>> a.attrelid = c.oid
>>>                                                  ORDER BY 
>>> a.attnum,[metaColumnsSQL1] =>
>>>                                                  SELECT a.attname,
>>>
>>> CASE
>>>
>>>
>>> WHEN x.sequence_name != '' THEN 'SERIAL'
>>>
>>> ELSE t.typname
>>>
>>> END AS typname,
>>>
>>> a.attlen, a.atttypmod, a.attnotnull, a.atthasdef, a.attnum
>>>                                                  FROM pg_class c, 
>>> pg_namespace n, pg_attribute a
>>>                                                  JOIN pg_type t ON 
>>> a.atttypid = t.oid
>>>                                                  LEFT JOIN
>>>
>>> (SELECT c.relname as sequence_name,
>>>
>>> c1.relname as related_table,
>>>
>>> a.attname as related_column
>>>
>>> FROM pg_class c
>>>
>>> JOIN pg_depend d ON d.objid = c.oid
>>>
>>> LEFT JOIN pg_class c1 ON d.refobjid = c1.oid
>>>
>>> LEFT JOIN pg_attribute a ON (d.refobjid, d.refobjsubid) = 
>>> (a.attrelid,
>>> a.attnum)
>>>
>>> WHERE c.relkind = 'S' AND c1.relname = '%s') x
>>>
>>> ON x.related_column= a.attname
>>>                                                  WHERE c.relkind in
>>> ('r','v') AND (c.relname='%s' or c.relname = lower('%s'))
>>>
>>> AND c.relnamespace=n.oid and n.nspname='%s'
>>>
>>> AND a.attname not like '....%%' AND a.attnum > 0
>>>
>>> AND a.atttypid = t.oid AND a.attrelid = c.oid
>>>                                                  ORDER BY 
>>> a.attnum,[dataProvider] => postgres,[hasInsertID] => 1,[_resultid] 
>>> => Resource id #62,[concat_operator] => ||,[metaDatabasesSQL] => 
>>> select datname from pg_database where datname not in
>>> ('template0','template1') order by 1,[metaTablesSQL] => select 
>>> tablename,'T' from pg_tables where tablename not like 'pg\_%'
>>>         and tablename not in ('sql_features', 
>>> 'sql_implementation_info', 'sql_languages',
>>>          'sql_packages', 'sql_sizing', 'sql_sizing_profiles')
>>>         union
>>>         select viewname,'V' from pg_views where viewname not like 
>>> 'pg\_%',[isoDates] => 1,[sysDate] => CURRENT_DATE,[sysTimeStamp] => 
>>> CURRENT_TIMESTAMP,[blobEncodeType] => C,[metaKeySQL] => SELECT 
>>> ic.relname AS index_name, a.attname AS column_name,i.indisunique AS 
>>> unique_key, i.indisprimary AS primary_key
>>>         FROM pg_class bc, pg_class ic, pg_index i, pg_attribute a 
>>> WHERE bc.oid = i.indrelid AND ic.oid = i.indexrelid AND (i.indkey[0] 
>>> = a.attnum OR i.indkey[1] = a.attnum OR i.indkey[2] = a.attnum OR 
>>> i.indkey[3] = a.attnum OR i.indkey[4] = a.attnum OR i.indkey[5] = 
>>> a.attnum OR i.indkey[6] = a.attnum OR i.indkey[7] = a.attnum) AND 
>>> a.attrelid = bc.oid AND bc.relname = '%s',[hasAffectedRows] => 
>>> 1,[true] => TRUE,[false] => FALSE,[fmtDate] => 
>>> 'Y-m-d',[fmtTimeStamp] => 'Y-m-d H:i:s',[hasMoveFirst] => 
>>> 1,[hasGenID] => 1,[_genIDSQL] => SELECT NEXTVAL('%s'),[_genSeqSQL] 
>>> => CREATE SEQUENCE %s START %s,[_dropSeqSQL] => DROP SEQUENCE 
>>> %s,[metaDefaultsSQL] => SELECT d.adnum as num, d.adsrc as def from 
>>> pg_attrdef d, pg_class c where d.adrelid=c.oid and c.relname='%s' 
>>> order by d.adnum,[random] => random(),[autoRollback] => 
>>> 1,[uniqueIisR] => 1,[_bindInputArray] => 1,[disableBlobs] => 
>>> ,[_pnum] => 0,[database] => snort,[host] => winids,[user] => 
>>> base,[password] => not stored,[debug] => ,[maxblobsize] => 
>>> 262144,[substr] => substr,[length] => length,[upperCase] => 
>>> upper,[replaceQuote] => \',[nameQuote] => ",[uniqueOrderBy] => 
>>> ,[emptyDate] =>  ,[emptyTimeStamp] => ,[lastInsID] => ,[hasTop] => 
>>> ,[readOnly] => ,[hasTransactions] => 1,[genID] => 0,[raiseErrorFn] 
>>> => ,[cacheSecs] => 3600,[memCache] => ,[memCacheHost] => 
>>> ,[memCachePort] => 11211,[memCacheCompress] => ,[sysUTimeStamp] => 
>>> ,[arrayClass] => ADORecordSet_array,[noNullStrings] => 
>>> ,[numCacheHits] => 0,[numCacheMisses] => 0,[pageExecuteCountRows] => 
>>> 1,[uniqueSort] => ,[leftOuter] => ,[rightOuter] => 
>>> ,[poorAffectedRows] => ,[fnExecute] => ,[fnCacheExecute] => 
>>> ,[rsPrefix] => ADORecordSet_,[autoCommit] => 1,[transOff] => 
>>> 0,[transCnt] => 0,[fetchMode] => ,[null2null] => null,[bulkBind] => 
>>> ,[_oldRaiseFn] => ,[_transOK] => ,[_connectionID] => Resource id 
>>> #48,[_errorMsg] => ,[_errorCode] => ,[_queryID] => 
>>> ,[_isPersistentConnection] => 1,[_evalAll] => ,[_affected] => 
>>> ,[_logsql] => ,[_transmode] => ,[version] => Array ([description] => 
>>> PostgreSQL 9.1.4, compiled by Visual C++ build 1500, 
>>> 32-bit,[version] => 9.1.4),[pgVersion] => 9.1,[_nestedSQL] => 
>>> 1),[DB_type] => postgres,[DB_name] => snort,[DB_host] => 
>>> winids,[DB_port] => ,[DB_username] => base,[lastSQL] => SELECT 
>>> data_payload FROM data WHERE sid='1' AND cid='2233',[version] => 
>>> 107,[sql_trace] => ), 2233,
>>> 1) called at [D:\winids\Apache24\htdocs\base\base_qry_alert.php:905]
>>>
>>>
>>> bool(false)
>>> ===============================================================
>>>
>>> Any ideas?
>>>
>>> Kindest Regards,
>>> Michael Steele
>>>
>>
>>





