#54 Add support for managing last_cid

Milestone: BASE 1.x
Status: closed
Owner: Kevin Johnson
Labels: Database (11)
Priority: 8
Updated: 2006-07-12
Created: 2006-07-10
Creator: ETJ
Private: No

The last_cid field in the sensor table is needed to
avoid collisions between the running snort process and
pre-existing alerts in the database by providing a
starting point for snort. There is a "well-known" bug
in snort that keeps this from working properly. See:

http://www.snort.org/reg-bin/forums.cgi?forum_id=4&topic_id=1934

Some projects, such as FLoP (and my patch included
within that bug) fix this deficiency and last_cid
becomes important.

BASE, however, messes this up by creating an Archive
database which snort doesn't know anything about. As a
result, even with a proper database client, alerts can
get put into the current alert database that cannot be
archived because of cid collision.

I made two quick patches to base functions to properly
maintain the last_cid in the database so that snort can
use them.

The first patch, which is to base_action.inc.php,
ensures that when an alert is moved into the Archive
database via the copy or move function that the
last_cid field is updated in Archive database.

The second patch, which is to base_cache.inc.php,
ensures that the last_cid for the database is set to
the greater of the current database MAX(cid) or the
archive database MAX(cid). This ensures that even if
you delete all the alerts from the current database
that you'll get the max value from the archive
database. This second patch also makes sure that the
archive database isn't the currently selected database
before attempting this update.

The patches to BASE 1.2.5 are attached. Please
consider them for inclusion in a future BASE release.
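
The collision and the two fixes described in this ticket, as an added example that is not the patches attached to the ticket and not BASE's own code. It assumes in-memory SQLite databases standing in for the alert and Archive databases, a cut-down `sensor`/`event` schema, hypothetical function names, and that the unpatched behaviour derives last_cid from the current database only.

```python
import sqlite3
# Simplified subset of the Snort schema: only the columns the cid logic touches.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, last_cid INTEGER NOT NULL);
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER, PRIMARY KEY (sid, cid));
INSERT INTO sensor VALUES (1, 0);
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def max_cid(db, sid=1):
    q = "SELECT COALESCE(MAX(cid), 0) FROM event WHERE sid=?"  # empty table -> 0
    return db.execute(q, (sid,)).fetchone()[0]

def log_alert(db, signature, sid=1):
    """Stand-in for a database client that honours last_cid: next cid = last_cid + 1."""
    cid = db.execute("SELECT last_cid FROM sensor WHERE sid=?", (sid,)).fetchone()[0] + 1
    db.execute("INSERT INTO event VALUES (?, ?, ?)", (sid, cid, signature))
    db.execute("UPDATE sensor SET last_cid=? WHERE sid=?", (cid, sid))
    return cid

def move_to_archive(alert_db, archive_db, cid, sid=1):
    """Move one alert and raise the archive's last_cid (the first patch's idea)."""
    row = alert_db.execute("SELECT sid, cid, signature FROM event WHERE sid=? AND cid=?", (sid, cid)).fetchone()
    archive_db.execute("INSERT INTO event VALUES (?, ?, ?)", row)  # IntegrityError on (sid, cid) collision
    archive_db.execute("UPDATE sensor SET last_cid=MAX(last_cid, ?) WHERE sid=?", (cid, sid))
    alert_db.execute("DELETE FROM event WHERE sid=? AND cid=?", (sid, cid))

def refresh_last_cid(alert_db, archive_db, patched, sid=1):
    """patched=False: assumed old behaviour (current DB only). patched=True: greater of both DBs."""
    new = max_cid(alert_db, sid)
    if patched and alert_db is not archive_db:  # skip when the archive is the selected DB
        new = max(new, max_cid(archive_db, sid))
    alert_db.execute("UPDATE sensor SET last_cid=? WHERE sid=?", (new, sid))

def demo(patched):
    alert_db, archive_db = make_db(), make_db()
    for sig in (100, 101, 102):                      # constructed alerts, cids 1..3
        move_to_archive(alert_db, archive_db, log_alert(alert_db, sig))
    refresh_last_cid(alert_db, archive_db, patched)  # alert DB is now empty
    new_cid = log_alert(alert_db, 200)
    try:
        move_to_archive(alert_db, archive_db, new_cid)
    except sqlite3.IntegrityError:
        return new_cid, False                        # alert cannot be archived
    return new_cid, True

if __name__ == "__main__": print("unpatched:", demo(False), "patched:", demo(True))
```

`demo` returns the cid given to the next alert and whether that alert could be archived afterwards.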

Discussion

  • ETJ
    2006-07-10

    Patch to base_action.inc.php

     
  • Kevin Johnson
    2006-07-12

    Logged In: YES
    user_id=836228

    I am having troubles with the attached patch. Could you send them to me via
    email? kjohnson@secureideas.net I will apply them....

    Thanks
    Kevin

     
  • Kevin Johnson
    2006-07-12

    • priority: 5 --> 8
    • assigned_to: nobody --> secureideas
    • status: open --> closed
     
  • Logged In: NO

    Sent via separate cover.