No subject


Thu Nov 23 16:36:19 EST 2017


2002-09-03  Roman Danyliw <roman at ...438...>

       * src/output-plugin/spo_database.c

         - DB schema v106
         - Added the sensor.last_cid field to the schema so the
           database can store the last used cid for a given sensor.
           This field will ensure that a cid will never be reused.

           Upgrading from v105 -> v106 is as simple as:

           mysql> ALTER TABLE sensor ADD last_cid INT UNSIGNED NOT NULL;
           mysql> UPDATE schema SET vseq=106;

            psql> ALTER TABLE sensor ADD last_cid INT8;
            psql> UPDATE schema SET vseq=106;


Addam


On Fri, 2002-10-04 at 15:14, Beckett, Josh wrote:
> Ok...I was excited by the announcement of 1.9 and went and did a dumb 
> thing...upgraded right on a production box.  I did my initial setup 
> using the doc from the snort website "Snort Installation Manual: 
> Snort, MySQL and ACID on RedHat 7.3" (great doc, btw).
> 
> Everything went fine relative to the upgrade, etc.  Compiled fine, 
> used the new conf file and "current" rules set.  Snort seems to be 
> running fine, but doesn't seem to want to log to ACID-MySQL.  As a 
> troubleshooting measure, I set "log to file" on as well as log to db, 
> I can see alerts going into a file, but not the db.  I've even gone 
> and blown away the db's and re-set them up, using the steps outlined 
> in the paper.  Still no joy.
> 
> I've triple checked the snort.conf file for silly things, like bad 
> rules path, bad db password and user name and everything seems to be 
> fine...still no alerts in the db, but alerts pop up in the file.  I've
> even checked the configure.log to make sure that I compiled with the 
> --with-mysql switch...good there.
> 
> Any other places to check, where I might be having a problem?
> 
> Thanks,
> Josh




_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Did you check your syslogs to see if Snort dumped any messages there?

Typically (under linux) they are /var/log/messages

-----Original Message-----
From: Beckett, Josh
Cc: snort-users at lists.sourceforge.net
Sent: 10/4/02 2:17 PM
Subject: RE: [Snort-users] Snort 1.9, RH 7.3 and Acid

From the 'create_mysql' script used to set up the db (as outlined in the
paper) --
***snip***
#1.17
CREATE TABLE schema ( vseq        INT      UNSIGNED NOT NULL,
                      ctime       DATETIME NOT NULL,
                      PRIMARY KEY (vseq));
INSERT INTO schema  (vseq, ctime) VALUES ('106', now());
***end snip***

Already at 1.06

J-

-----Original Message-----
From: Addam Schroll [mailto:addam at ...301...]
Sent: Friday, October 04, 2002 2:12 PM
To: Beckett, Josh
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort 1.9, RH 7.3 and Acid

The Snort database schema was modified about a month ago in the 1.9
branch.  The DB inserts may be failing when it attempts to mess with the
new last_cid field.  Try upgrading your schema to v106.  That may solve
your problem.  The instructions for upgrading follow.

From the Changelog:
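Added example, not code from the thread or from Snort itself: it models the v105 -> v106 change quoted from the changelog on an in-memory SQLite copy of the relevant tables, applies the ALTER/UPDATE pair only when still needed (a check Josh's "already at 106" situation calls for), and shows why sensor.last_cid stops a cid from being reused once older events are archived away. Table layouts are simplified and the hostname, signature and event rows are constructed sample data.

```python
import sqlite3

def create_v105(conn):
    """Minimal v105-style layout: sensor has no last_cid column yet."""
    conn.executescript("""
        CREATE TABLE schema (vseq INTEGER NOT NULL PRIMARY KEY, ctime TEXT NOT NULL);
        INSERT INTO schema (vseq, ctime) VALUES (105, datetime('now'));
        CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT);
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                            PRIMARY KEY (sid, cid));
        INSERT INTO sensor (sid, hostname) VALUES (1, 'ids01');   -- constructed sample row
    """)

def schema_version(conn):
    return conn.execute("SELECT vseq FROM schema").fetchone()[0]

def has_last_cid(conn):
    return "last_cid" in [r[1] for r in conn.execute("PRAGMA table_info(sensor)")]

def upgrade_to_v106(conn):
    """The changelog's ALTER/UPDATE pair, made idempotent and seeded from event."""
    if not has_last_cid(conn):
        # SQLite needs a DEFAULT for a NOT NULL ADD COLUMN (changelog: MySQL INT UNSIGNED NOT NULL, psql INT8)
        conn.execute("ALTER TABLE sensor ADD last_cid INTEGER NOT NULL DEFAULT 0")
        conn.execute("""UPDATE sensor SET last_cid = COALESCE(
            (SELECT MAX(cid) FROM event WHERE event.sid = sensor.sid), 0)""")
    if schema_version(conn) < 106:
        conn.execute("UPDATE schema SET vseq = 106")
    conn.commit()

def legacy_next_cid(conn, sid):
    """Pre-v106 style: derive the next cid from whatever is still in event."""
    row = conn.execute("SELECT MAX(cid) FROM event WHERE sid = ?", (sid,)).fetchone()
    return (row[0] or 0) + 1

def next_cid(conn, sid):
    """v106 style: bump sensor.last_cid in one transaction and use the new value."""
    with conn:
        conn.execute("UPDATE sensor SET last_cid = last_cid + 1 WHERE sid = ?", (sid,))
        return conn.execute("SELECT last_cid FROM sensor WHERE sid = ?", (sid,)).fetchone()[0]

def demo():
    """Returns (vseq, legacy cid, v106 cid) after the newest event is archived away."""
    conn = sqlite3.connect(":memory:")
    create_v105(conn)
    conn.executemany("INSERT INTO event VALUES (1, ?, 1000)", [(1,), (2,), (3,)])  # constructed
    upgrade_to_v106(conn)                                        # seeds last_cid = 3
    conn.execute("DELETE FROM event WHERE sid = 1 AND cid = 3")  # ACID-style archive/delete
    return schema_version(conn), legacy_next_cid(conn, 1), next_cid(conn, 1)
```

Calling demo() returns (106, 3, 4): the pre-v106 rule would hand out cid 3 a second time after the archive delete, while last_cid moves on to 4.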



