[Snort-users] RE: [Snort-devel] Snort with Oracle DB

permalink · #1 (**permalink**) 01-18-2005

This is a multi-part message in MIME format.

------_=_NextPart_001_01C4FD79.D3C02F50
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

ALL,
=20
This error can be resolved by making the following changes to the
src/output-plugins/spo_database.c file in the Snort Source Code. =20
=20
This error was discovered by John Evans and I at our work location.
=20
This is an Oracle Specific error and needs to be added to the Snort
Source Code in order to fix the error. After these changes are made,
Snort needs to be recomplied.
=20
# diff spo_database.c spo_new.c
1622c1622
< "VALUES ('%u','%u','%s",
---
> "VALUES
('%u','%u',utl_raw.cast_to_raw('%s",
1626c1626
< strcat(query->val, "')");
---
> strcat(query->val, "'))");
=20
Joel
=20
=20

-----Original Message-----
From: snort-devel-admin@lists.sourceforge.net
[mailto:snort-devel-admin@lists.sourceforge.net] On Behalf Of Prestwich,
Carl L
Sent: Thursday, January 13, 2005 6:27 PM
To: snort-devel@lists.sourceforge.net
Subject: [Snort-devel] Snort with Oracle DB

All,=20
We have setup Snort to write directly to an Oracle database. About
a dozen times a day we receive the following error:

database: oracle_error: ORA-01704: string literal too long=20

Has anyone successfully changed snort to solve this issue. The insert
is failing for table data, field data_payload which has a datatype of
blob.

Thanks,
Carl=20

------_=_NextPart_001_01C4FD79.D3C02F50
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<TITLE>Message</TITLE>

<META content=3D"MSHTML 6.00.2800.1479" name=3DGENERATOR></HEAD>
<BODY>
<DIV><SPAN class=3D251531816-18012005><FONT face=3DArial color=3D#0000ff =

size=3D2>ALL,</FONT></SPAN></DIV>
<DIV><SPAN class=3D251531816-18012005><FONT face=3DArial color=3D#0000ff =

size=3D2></FONT></SPAN> </DIV>
<DIV><SPAN class=3D251531816-18012005><FONT face=3DArial color=3D#0000ff =
size=3D2>This=20
error can be resolved by making the following changes to the=20
src/output-plugins/spo_database.c file in the Snort Source Code. =20
</FONT></SPAN></DIV>
<DIV><SPAN class=3D251531816-18012005><FONT face=3DArial color=3D#0000ff =

size=3D2></FONT></SPAN> </DIV>
<DIV><SPAN class=3D251531816-18012005><FONT face=3DArial color=3D#0000ff =
size=3D2>This=20
error was discovered by John Evans and I at our work=20
location.</FONT></SPAN></DIV>
<DIV><SPAN class=3D251531816-18012005><FONT face=3DArial color=3D#0000ff =

size=3D2></FONT></SPAN> </DIV>
<DIV><SPAN class=3D251531816-18012005><FONT face=3DArial color=3D#0000ff =
size=3D2>This=20
is an Oracle Specific error and needs to be added to the Snort Source =
Code in=20
order to fix the error.  After these changes are made, Snort needs =
to be=20
recomplied.</FONT></SPAN></DIV>
<DIV><SPAN class=3D251531816-18012005><FONT face=3DArial color=3D#0000ff =

size=3D2></FONT></SPAN> </DIV>
<DIV><SPAN class=3D251531816-18012005>
<DIV><SPAN class=3D680220413-18012005><FONT face=3DArial color=3D#0000ff =
size=3D2># diff=20
spo_database.c=20
spo_new.c<BR>1622c1622<BR><   &n bsp;   &=
nbsp;       &nb sp;   &n=
bsp;       &nbs p;=20
"VALUES=20
('%u','%u','%s",<BR>---<BR>>        =
        &n bsp;   &=
nbsp;       &nb sp;=20
"VALUES=20
('%u','%u',utl_raw.cast_to_raw('%s",<BR>1626c1626< BR><  &nbs=
p;            &nbsp=
;     =20
strcat(query->val,=20
"')");<BR>---<BR>>         &nbs=
p;            =20
strcat(query->val, "'))");</FONT></SPAN></DIV>
<DIV><SPAN class=3D680220413-18012005><FONT face=3DArial color=3D#0000ff =

size=3D2></FONT></SPAN> </DIV>
<DIV><SPAN class=3D680220413-18012005><FONT face=3DArial color=3D#0000ff =

size=3D2>Joel</FONT></SPAN></DIV>
<DIV><SPAN class=3D680220413-18012005><FONT face=3DArial color=3D#0000ff =

size=3D2></FONT></SPAN> </DIV>
<DIV><SPAN class=3D680220413-18012005><FONT face=3DArial color=3D#0000ff =

size=3D2></FONT></SPAN> </DIV></SPAN></DIV>
<BLOCKQUOTE style=3D"MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=3DOutlookMessageHeader lang=3Den-us dir=3Dltr =
align=3Dleft><FONT=20
face=3DTahoma size=3D2>-----Original Message-----<BR><B>From:</B>=20
snort-devel-admin@lists.sourceforge.net=20
[mailto:snort-devel-admin@lists.sourceforge.net] <B>On Behalf Of=20
</B>Prestwich, Carl L<BR><B>Sent:</B> Thursday, January 13, 2005 6:27=20
PM<BR><B>To:</B> snort-devel@lists.sourceforge.net<BR><B>Subject:</B>=20
[Snort-devel] Snort with Oracle DB<BR><BR></FONT></DIV>
<P><FONT face=3DArial size=3D2>All,</FONT> <BR><FONT face=3DArial=20
size=3D2>      We have setup Snort to write =
directly to=20
an Oracle database. About a dozen times a day we receive the following =

error:</FONT></P>
<P><FONT face=3D"Courier New" size=3D2>database: oracle_error: =
ORA-01704: string=20
literal too long</FONT> </P>
<P><FONT face=3D"Courier New" size=3D2>  </FONT> <FONT =
face=3DArial=20
size=3D2>Has anyone successfully changed snort to solve this issue. =
The insert=20
is failing for table data, field data_payload which has a datatype of=20
blob.</FONT></P>
<P><FONT face=3DArial size=3D2>Thanks,<BR>Carl</FONT>=20
</P><BR><BR></BLOCKQUOTE></BODY></HTML>

------_=_NextPart_001_01C4FD79.D3C02F50--

-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode