Techn4b’s Blog

April 23, 2009

Snort – no sensor

Filed under: Linux — techn4b @ 12:06

Problem: No sensor after fresh snort installation

Environment: snort 2.8.4, SuSE Linux 10.3 with SuHosin, base-1.4.1, adodb508, mysql 5.0.67

Code hack found at snort.org:

snortml@iotti.biz wrote:
> I’m having exactly the same problem: fresh 2.8.4 install with mysql output:
> sensor table never gets inserted a row.
>
> I think I have found the problem and produced a simple patch but please,
> revise it: I’m not a coder, and have no particular experience with snort. So
> I’m not sure my patch can not have some side-effects.
>
> That said, the problem seems to be in Select() in
> src/output-plugins/spo_database.c , in the portion of the function used with
> the mysql db (I did not examine other dbs’ code).
> This function makes a SQL SELECT and, upon success, returns the fetched
> value converted to integer. When it encounters an error, returns 0.
> But, as a special case, when the query was successful but did not yield any
> row, it returns 1. There is no distinction whether the “1” returned was
> because the value “1” was fetched from the DB, or simply the DB did not
> return any row.
> As a consequence, when this code is executed:
>
> data->shared->sid = Select(select_sensor_id,data);
> if(data->shared->sid == 0)
> {
> Insert(insert_into_sensor,data);
>
> the Select() returns 1, and the Insert() is never done.
> So the sensor table remains empty.
>
> My patch is just as simple as:

 # diff -ubB spo_database.c.orig spo_database.c
 --- spo_database.c.orig      2009-04-13 16:03:49.000000000 +0200
 +++ spo_database.c   2009-04-13 15:59:53.000000000 +0200
 @@ -2798,6 +2798,14 @@
                      {
                          result = atoi(data->m_row[0]);
                      }
                    else
                    {
                        result = 0;
                    }
                }
                else
                {
                    result = 0;
                  }
              }
              mysql_free_result(data->m_result);
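Review bot: the pasted hunk has lost its `+`/`-` line prefixes, so `patch` cannot apply it as shown; the header `@@ -2798,6 +2798,14 @@` says eight lines were added, and from the surrounding message those are the new `else { result = 0; }` branches for the "query succeeded, no row" case, so readers applying this by hand should add exactly those branches. Two points worth fixing in the hunk itself: the two added `else` blocks use different indentation from the existing `result = atoi(data->m_row[0]);` block (one is indented two columns less, the closing brace of the second one column more), and a one-line comment above `result = 0;` explaining that 0 is now shared by "error" and "no row" would save the next reader from re-deriving it. Since 0 is also what `atoi()` returns for a fetched value of "0", any other caller of `Select()` in the MySQL path that treats 0 as "not found" should be checked for the same assumption before this is merged.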

> I simply return 0 (false) if the query was technically successful, but no
> result was found.
>
> As I said, I would like some expert to revise the patch, since I don’t know
> if in ALL SITUATIONS it is right to return 0 (just like there was an error)
> when we have no value returned. I’m just sure it’s better to return 0 than
> 1.
>
> Cheers
> Luigi
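As an added illustration, not Luigi's code and not Snort's, the following C program models the three outcomes of Select() described in the message (query error, no row, row fetched) on a constructed in-memory result, shows why the unpatched sentinel makes the sensor insert skip, applies the patched behaviour, and contrasts both with a signature that reports status separately from the fetched value. The type `fake_result` and the functions `select_old`, `select_patched`, `would_insert_sensor` and `select_explicit` are hypothetical names chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the result of a "SELECT sid FROM sensor WHERE ..."
 * query. A NULL fake_result models a failed query; a NULL m_row0 models a
 * query that succeeded but matched no row. (Hypothetical type, not MySQL's.) */
typedef struct {
    const char *m_row0;   /* first column of the fetched row, as text */
} fake_result;

/* Unpatched behaviour described in the message: a successful query with no
 * rows returns 1, which cannot be told apart from a fetched value of "1". */
static int select_old(const fake_result *res)
{
    if (res == NULL)
        return 0;                  /* query error */
    if (res->m_row0 == NULL)
        return 1;                  /* success, zero rows: the ambiguous sentinel */
    return atoi(res->m_row0);      /* success, value fetched */
}

/* Behaviour after Luigi's patch: zero rows returns 0, the same as an error.
 * Note that atoi("0") is also 0, so a fetched sid of 0 would still collide. */
static int select_patched(const fake_result *res)
{
    if (res == NULL)
        return 0;                  /* query error */
    if (res->m_row0 == NULL)
        return 0;                  /* success, zero rows: now takes the insert path */
    return atoi(res->m_row0);      /* success, value fetched */
}

/* The caller pattern quoted from spo_database.c: a sensor row is inserted only
 * when the lookup yields 0. Returns 1 if Insert() would run, 0 otherwise. */
static int would_insert_sensor(int (*sel)(const fake_result *), const fake_result *res)
{
    int sid = sel(res);
    return sid == 0;
}

/* An alternative shape (an assumption, not Snort's API) that keeps the query
 * status apart from the fetched value, so 0, 1 and "no row" never collide. */
typedef enum { SEL_ERROR = -1, SEL_NO_ROW = 0, SEL_ROW = 1 } sel_status;

static sel_status select_explicit(const fake_result *res, int *value_out)
{
    if (res == NULL)
        return SEL_ERROR;
    if (res->m_row0 == NULL)
        return SEL_NO_ROW;
    *value_out = atoi(res->m_row0);
    return SEL_ROW;
}

int main(void)
{
    fake_result no_row  = { NULL };   /* constructed: query matched nothing */
    fake_result sid_one = { "1" };    /* constructed: sensor with sid 1 exists */

    printf("old:     no row -> %d, sid '1' -> %d, insert runs for no row: %d\n",
           select_old(&no_row), select_old(&sid_one),
           would_insert_sensor(select_old, &no_row));
    printf("patched: no row -> %d, insert runs for no row: %d\n",
           select_patched(&no_row), would_insert_sensor(select_patched, &no_row));
    return 0;
}
```

Running it prints the unpatched lookup returning 1 for both "no row" and a real sid of 1, with the insert skipped, and the patched lookup returning 0 for "no row" so the insert runs; the `select_explicit` variant is there to show the shape that removes the collision at the source rather than choosing which wrong value is least harmful.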

Comment:

Modify src/output-plugins/spo_database.c as described above, then re-compile (make, make install); this worked fine for me. Thx Luigi

*** RS
