#54 Add support for managing last_cid

BASE 1.x
closed
Database (11)
8
2006-07-12
2006-07-10
ETJ
No

The last_cid field in the sensor table is needed to
avoid collisions between the running snort process and
pre-existing alerts in the database by providing a
starting point for snort. There is a "well-known" bug
in snort that keeps this from working properly. See:

http://www.snort.org/reg-bin/forums.cgi?forum_id=4&topic_id=1934

Some projects, such as FLoP (and my patch included
within that bug) fix this deficiency and last_cid
becomes important.

BASE, however, messes this up by creating an Archive
database which snort doesn't know anything about. As a
result, even with a proper database client, alerts can
get put into the current alert database that cannot be
archived because of cid collision.

I made two quick patches to base functions to properly
maintain the last_cid in the database so the snort can
use them.

The first patch, which is to base_action.inc.php,
ensures that when an alert is moved into the Archive
database via the copy or move function that the
last_cid field is updated in Archive database.

The second patch, which is to base_cache.inc.php,
ensures that the last_cid for the database is set to
the greater of the current database MAX(cid) or the
archive database MAX(cid). This ensures that even if
you delete all the alerts from the current database
that you'll get the max value from the archive
database. This second patch also makes sure that the
archive database isn't the currently selected database
before attempting this update.

The patches to BASE 1.2.5 are attached. Please
consider them for includion in a future BASE release.

Discussion

  • ETJ

    ETJ - 2006-07-10

    Patch to base_action.inc.php

     
  • Kevin Johnson

    Kevin Johnson - 2006-07-12

    Logged In: YES
    user_id=836228

    I am having troubles with the attached patch. Could you send them to me via
    email? kjohnson@secureideas.net I will apply them....

    Thanks
    Kevin

     
  • Kevin Johnson

    Kevin Johnson - 2006-07-12
    • priority: 5 --> 8
    • assigned_to: nobody --> secureideas
    • status: open --> closed
     
  • Nobody/Anonymous

    Logged In: NO

    Sent via separate cover.

     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks