Snort mailing list archives
RE: Problem with Snort 1.9.0 and PostgreSQL
From: "Semerjian, Ohanes" <Semerjian.Ohanes () wcom com au>
Date: Mon, 9 Dec 2002 14:15:11 +0800
I don't run postgres but I use Mysql, anyway u have the solution right in front of u.

===========================================================================
Some possible causes for this error are:
 * the user does not have proper INSERT or SELECT privileges
 * the sensor table does not exist
===========================================================================

the above is part of the error message returned and basically I think u need to follow them both.

1. U need to create the snort database and import the tables
2. U need to grant the user account in ur case u used an account called " snort " privileges like INSERT, DELETE, UPDATE etc on the database " in ur case snort"

try this first and then start the sensor then u'd be fine.

Best Regards
Ohanes Semerjian

-----Original Message-----
From: Johan Sunnerstig [mailto:Johan.Sunnerstig () netgiro com]
Sent: Friday, 6 December 2002 5:30 PM
To: Snort Users (E-mail)
Subject: [Snort-users] Problem with Snort 1.9.0 and PostgreSQL

I sent this mail earlier, unfortunately I had signed on to the list using the wrong address, so my mail got held, I don't know how long it will be before it reaches the list, if ever, so I'll send it again, sorry if you get two of these due to my clumsiness.

------------------------

Hi.

I'm trying to setup snort on a Linux box, with Postgres as the backend DB.
I've setup the DB, with a user named "snort", and then I let that user create the snort database using the create_postgresql script that comes with Snort.
However when I run Snort from the command line using the following command:
"snort -c /etc/snort/snort.conf"
it dies after trying to do initial DB configuration. I've attached the error message I get when running Snort to the bottom of this mail.

I found a few posts in mailing list archives relating to a bug in the PostgreSQL module in Snort 1.9.0, and there was a suggested fix, inserting the sensor info into the sensor table manually.
I tried this as described in that post, by doing

INSERT INTO sensor (sid, hostname, last_cid) VALUES (1, 'westmalle', 1);

, to no avail, I still get the same error.

The only change I've made to the snort.conf file is uncommenting and modifying the output to output to Postgres, as follows:

output database: log, postgresql, dbname=snort user=snort port=5432

Anyone got any ideas?

System specs:
Compaq Proliant ML350
RedHat Linux 8.0
Snort 1.9.0 /w postgresql support (installed the 1.9.0 RPM and the Postgres support RPM on the snort site)
PostgreSQL 7.2.2

Any input would be greatly appreciated.

Johan

Log stuff below here
------------------------------------------------------------------------
[root@westmalle root]# snort -c /etc/snort/snort.conf
Initializing Output Plugins!
Log directory = /var/log/snort

Initializing Network Interface eth0

        --== Initializing Snort ==--
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
    Reassemble client: ACTIVE
    Reassemble server: INACTIVE
    Reassemble ports: 21 23 25 53 80 143 110 111 513
    Reassembly alerts: ACTIVE
    Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
    KeepStats: 0
    Conv Count: 32000
    Timeout : 60
    Alert Odd?: 0
    Allowed IP Protocols: All
Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
database: compiled support for ( postgresql )
database: configured to use postgresql
database: database name = snort
database: user = snort
database: sensor name = 172.22.3.71
database: postgresql_error: ERROR: ExecAppend: Fail to add null value in not null attribute last_cid
database: Problem obtaining SENSOR ID (sid) from snort->sensor

 When this plugin starts, a SELECT query is run to find the sensor id for the
 currently running sensor. If the sensor id is not found, the plugin will run
 an INSERT query to insert the proper data and generate a new sensor id. Then a
 SELECT query is run to get the newly allocated sensor id. If that fails then
 this error message is generated.

 Some possible causes for this error are:
  * the user does not have proper INSERT or SELECT privileges
  * the sensor table does not exist

 If you are _absolutely_ certain that you have the proper privileges set and
 that your database structure is built properly please let me know if you
 continue to get this error. You can contact me at (roman () danyliw com).

Fatal Error, Quitting..

_________________________________________________________________________________
How many Microsoft engineers are needed to screw a light bulb ??
None. Microsoft declares darkness the standard.

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
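
Added example, not part of either post and not Snort's own code: the SELECT / INSERT / SELECT sequence described in the quoted error text, replayed against an in-memory SQLite stand-in for the sensor table. Assumptions: the table is reduced to the three columns named in the thread, the lookup matches only on hostname against the "sensor name" printed in the log, and the plugin's INSERT supplies no last_cid.

```python
import sqlite3

# Simplified stand-in for the sensor table (assumption: only the columns
# named in the thread; the real Snort schema has more).
SCHEMA = """CREATE TABLE sensor (
    sid      INTEGER PRIMARY KEY,
    hostname TEXT,
    last_cid INTEGER NOT NULL)"""


def obtain_sensor_id(db, sensor_name):
    """SELECT, then INSERT, then SELECT again, as the error text describes."""
    find = "SELECT sid FROM sensor WHERE hostname = ?"
    row = db.execute(find, (sensor_name,)).fetchone()
    if row:
        return row[0], "found existing row"
    try:
        # Assumption: the INSERT gives no last_cid, which is what the
        # "null value in not null attribute last_cid" error points to.
        db.execute("INSERT INTO sensor (hostname) VALUES (?)", (sensor_name,))
    except sqlite3.IntegrityError as exc:
        return None, "insert failed: %s" % exc
    row = db.execute(find, (sensor_name,)).fetchone()
    return row[0], "inserted new row"


def run(manual_hostname, sensor_name="172.22.3.71"):
    """Apply the manual workaround row, then replay the startup lookup."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute("INSERT INTO sensor (sid, hostname, last_cid) VALUES (1, ?, 1)",
               (manual_hostname,))
    return obtain_sensor_id(db, sensor_name)


if __name__ == "__main__":
    print(run("westmalle"))     # manual row does not match the sensor name
    print(run("172.22.3.71"))   # manual row matches, no INSERT is attempted
```

Under these assumptions, a manually inserted row only helps when its hostname equals the sensor name the plugin reports, and the NOT NULL failure occurs even when the table exists and the user has full privileges.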