There was 1 issue I ran into using snort 2.4.3 if logging to mysql. 
All the timestamp values for the entries in mysql get set to
0000-00-00 00:00:00, which is the default value defined for the
column.  I tracked this down to the format of the insert statement
being used to log the event to mysql:

INSERT INTO event(sid,cid,signature,timestamp) VALUES
('1','164','8','2005-12-23 22:37:16.257698037');

MySQL only supports storing date/time information to the precision of
1 second. This is attempting to send the time to the precision of
1/1000000000 second. When a value is inserted where the precision is
greater than 1/100000 second, the value fails and the default defined
for the column is used (which in this case is 0000-00-00 00:00:00).
The insert succeeds, but the event time is not recorded.

I am working with the snort people to fix this problem, and it may
even be fixed in the snapshot you are using.

Here is a diff of spo_database.c that can be used to correct this problem:

# diff -u -p  
/home/agrams/packages/snort-2.4.3/src/output-plugins/spo_database.c
/home/agrams/packages/snort-2.4.3_mod/src/output-plugins/spo_database.c
--- /home/xxx/packages/snort-2.4.3/src/output-plugins/spo_database.c
Fri Sep 23 16:58:10 2005
+++ /home/xxx/packages/snort-2.4.3_mod/src/output-plugins/spo_database.c
    Fri Dec 23 23:09:14 2005
@@ -1005,6 +1005,27 @@ void Database(Packet *p, char *msg, void
         }
     }
 #endif
+/* Added by Axton Grams on 12/23/2005 to fix the millisecond problem
+ * with mySQL event date/time.
+*/
+#ifdef ENABLE_MYSQL
+    if (data->shared->dbtype_id == DB_MYSQL)
+    {
+        /* Oracle (everything before 9i) does not support
+         * date information smaller than 1 second.
+         * To go along with the TO_DATE() Oracle function
+         * below, this was written to strip out all the
+         * excess information. (everything beyond a second)
+         * Use the Oracle format of:
+         *   "1998-01-25 23:59:59"
+         */
+        if ( timestamp_string!=NULL && strlen(timestamp_string)>20 )
+        {
+            timestamp_string[19] = '\0';
+        }
+    }
+#endif
+
 #ifdef ENABLE_ODBC
     if (data->shared->dbtype_id == DB_ODBC)
     {
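Review bot: the comment at the top of the new `#ifdef ENABLE_MYSQL` block describes Oracle ("Oracle (everything before 9i) does not support date information smaller than 1 second ... To go along with the TO_DATE() Oracle function below"), but the code it annotates only runs when `data->shared->dbtype_id == DB_MYSQL`; reword it to say that MySQL DATETIME columns hold whole seconds and the fractional part is being dropped, so the next reader does not take this for the Oracle path. Also, `strlen(timestamp_string)>20` leaves a 20-character value untouched while `timestamp_string[19] = '\0'` cuts at 19, so the test should be `> 19` to match the truncation point; a trailing "." or a single fractional digit would otherwise still reach MySQL. The "Added by ... on 12/23/2005" attribution belongs in the commit message rather than in the source.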

Axton
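The same whole-second normalisation as the patch above, written as an added example (not Snort's code and not from this thread) that also rejects malformed input instead of letting the column fall back to 0000-00-00 00:00:00; the function name `mysql_datetime_normalize` and the sample strings are my own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Length of "YYYY-MM-DD HH:MM:SS", the whole-second DATETIME form
 * MySQL stores (the page's INSERT sent nine extra fractional digits). */
#define MYSQL_DATETIME_LEN 19

/* Return 1 if s[0..18] has the shape "YYYY-MM-DD HH:MM:SS", else 0.
 * Only the layout is checked; field ranges are left to the database. */
static int has_datetime_shape(const char *s)
{
    static const char shape[] = "dddd-dd-dd dd:dd:dd";
    for (size_t i = 0; i < MYSQL_DATETIME_LEN; i++) {
        if (shape[i] == 'd' ? !isdigit((unsigned char)s[i]) : s[i] != shape[i])
            return 0;
    }
    return 1;
}

/* Normalise a Snort timestamp string in place for a MySQL DATETIME column.
 * Everything after the seconds field is discarded. The cut-off test is
 * `> 19` rather than the patch's `> 20`, so a 20-character value such as
 * "2005-12-23 22:37:16." is trimmed too instead of reaching MySQL intact.
 * Returns 0 on success, -1 if ts is NULL or not a well-formed date/time,
 * so the caller can refuse to log rather than record a zero date. */
int mysql_datetime_normalize(char *ts)
{
    if (ts == NULL || strlen(ts) < MYSQL_DATETIME_LEN)
        return -1;
    if (!has_datetime_shape(ts))
        return -1;
    if (strlen(ts) > MYSQL_DATETIME_LEN)
        ts[MYSQL_DATETIME_LEN] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample values; the first is the one from the page's INSERT. */
    char a[] = "2005-12-23 22:37:16.257698037";
    char b[] = "2005-12-23 22:37:16.";
    char c[] = "23/12/2005 22:37:16";
    printf("%d %s\n", mysql_datetime_normalize(a), a);
    printf("%d %s\n", mysql_datetime_normalize(b), b);
    printf("%d %s\n", mysql_datetime_normalize(c), c);
    return 0;
}
```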


On 1/5/06, Brad <[EMAIL PROTECTED]> wrote:
> Thanks, the workaround has been committed.
>
>
> On Thu, Jan 05, 2006 at 11:06:13PM -0500, Axton wrote:
> > The diff provided by Brad resolves the problem.  I was able to
> > successfully perform an nmap scan against an hme iface without
> > receiving a bus error.  Tried this with the default rules provided
> > with the package install; which is where I originally received the bus
> > error.
> >
> > *** From the compiler:
> > ===>  Installing snort-2.3.3p1 from
> > /usr/ports/packages/sparc64/all/snort-2.3.3p1.tgz
> > snort-2.3.3p1: complete
> > --- snort-2.3.3p1 -------------------
> > The Snort rule examples have been installed in 
> > /usr/local/share/examples/snort
> >
> > *** From the snort alert log:
> > [**] [1:469:4] ICMP PING NMAP [**]
> > [Classification: Attempted Information Leak] [Priority: 2]
> > a/b-c:d:e.f g.h.i.j -> k.l.m.n
> > ICMP TTL:23 TOS:0x0 ID:42353 IpLen:20 DgmLen:28
> > Type:8  Code:0  ID:25454   Seq:52265  ECHO
> > [Xref => http://www.whitehats.com/info/IDS162]
> >
> > The same should also work for 2.4.3 as well.  I compiled this from
> > source from snort.org and have been running with the latest rules
> > without a problem since I first reported this issue.
> >
> > Axton
> >
> >
> > On 1/4/06, David Krause <[EMAIL PROTECTED]> wrote:
> > > Did this resolve the problem?  I'm looking at updating it to 2.4.3 but
> > > want to see about this first.
> > >
> > > David
> > >
> > > * Brad <[EMAIL PROTECTED]> [051224 10:41]:
> > > > The only interesting thing that --enable-64bit-gcc flag does is
> > > > disable optimization. Can you try the following diff with the
> > > > snort port and let me know if it now works for you as expected?
> > > >
> > > > Index: Makefile
> > > > ===================================================================
> > > > RCS file: /cvs/ports/net/snort/Makefile,v
> > > > retrieving revision 1.37
> > > > diff -u -p -r1.37 Makefile
> > > > --- Makefile  4 Nov 2005 16:20:42 -0000       1.37
> > > > +++ Makefile  24 Dec 2005 16:31:55 -0000
> > > > @@ -3,7 +3,7 @@
> > > >  COMMENT=     "highly flexible sniffer/NIDS"
> > > >
> > > >  DISTNAME=    snort-2.3.3
> > > > -PKGNAME=     ${DISTNAME}p0
> > > > +PKGNAME=     ${DISTNAME}p1
> > > >  CATEGORIES=  net security
> > > >  MASTER_SITES=        ${HOMEPAGE}/dl/current/
> > > >
> > > > @@ -20,6 +20,10 @@ SEPARATE_BUILD=    concurrent
> > > >  CONFIGURE_STYLE= gnu
> > > >
> > > >  LIB_DEPENDS=     pcre::devel/pcre
> > > > +
> > > > +.if ${MACHINE_ARCH} == "sparc64"
> > > > +CFLAGS=              -O0
> > > > +.endif
> > > >
> > > >  FLAVORS=     postgresql mysql smbalert flexresp
> > > >  FLAVOR?=
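Review bot: `CFLAGS= -O0` inside the new `.if ${MACHINE_ARCH} == "sparc64"` block replaces the whole CFLAGS value rather than appending to it, so any flags the ports infrastructure or the builder had set are dropped on sparc64; `CFLAGS+= -O0` keeps them while still disabling optimisation. A one-line comment above the block stating why (the bus error under optimisation reported in this thread) would stop a later maintainer from removing it, and it is worth recording that this only avoids the crash and does not identify what in snort breaks when optimised.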
> > > >
> > > >
> > > > On Fri, Dec 23, 2005 at 11:18:49PM -0500, Axton wrote:
> > > > > Using snort-2.3.3p0.tgz (current) included in the 3.8 packages for
> > > > > sparc64.  This package is not compiled properly to support a 64-bit
> > > > > processor.
> > > > >
> > > > > With the current configuration options, a bus error is generated and
> > > > > snort core dumps when a port scan is issued against the host while
> > > > > snort is running.
> > > > >
> > > > > Steps to reproduce:
> > > > > - Install snort package:
> > > > > > # pkg_add snort-2.3.3p0.tgz
> > > > > - Start snort
> > > > > > # snort -i hme0
> > > > > - Issue an nmap scan against the host running snort:
> > > > > > # nmap -sS -sV -v -O -P0 x.x.x.x
> > > > >
> > > > > The console will then show "bus error" and snort dies.
> > > > >
> > > > > Compiling snort with these options resolves the problem:
> > > > >
> > > > > --enable-64bit-gcc \
> > > > > --with-mysql \
> > > > > --prefix=/usr/local \
> > > > > --build=sparc64
> > > > >
> > > > >
> > > > > Relevant System Information:
> > > > >
> > > > > # sysctl -n kern.version
> > > > > OpenBSD 3.8 (GENERIC) #607: Sat Sep 10 16:03:59 MDT 2005
> > > > >     [EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GENERIC
> > > > >
> > > > >
> > > > > # dmesg
> > > > >
> > > > >
> > > > > Axton Grams
> > > > >
> > >
> >
>
