
dbd/mysql output module and NULL's

Open AdUser opened this issue 3 years ago • 0 comments

Found an issue with the dbd/mysql output module for alerts. Sample row from the alert table:

*************************** 1240. row ***************************
         id: 10696367
  server_id: 1
    rule_id: 1002
      level: 2
  timestamp: 1642404508
location_id: 30
     src_ip: (null) <- it's actually a string, not a true SQL NULL
     dst_ip: (null)  <- same here
   src_port: 0
   dst_port: 0
    alertid: 1642404505.960511
       user: (null)  <- same here

Source of the problem is in src/os_dbd/alert.c near line 170: if al_data->srcip is actually a NULL pointer, the sprintf placeholder '%s' generates the string "('null')" instead of a proper SQL NULL. The similar code for postgres (see line 179 and below in this file) handles this case correctly: al_data->srcip != NULL ? al_data->srcip : "NULL". The same applies to the other NULLable fields (src_port, dst_ip, dst_port, alertid, level).

Please fix.

AdUser, Jan 17 '22 08:01
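The pattern the issue describes, as an added example (not OSSEC's own code): every nullable column is rendered through one helper that emits the unquoted SQL keyword NULL for a NULL pointer and a quoted, escaped literal otherwise, so a missing src_ip can never reach the INSERT as the string "(null)". Column names and the "(null)" sentinel check are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Render one nullable string column for an INSERT statement.
 * NULL pointer -> the bare keyword NULL; otherwise a single-quoted literal
 * with ' and \ escaped. Returns bytes written, or -1 if out is too small. */
int sql_nullable_str(char *out, size_t cap, const char *val)
{
    if (val == NULL) {
        if (cap < 5) return -1;
        strcpy(out, "NULL");           /* unquoted: a real SQL NULL */
        return 4;
    }
    if (cap < 3) return -1;
    size_t n = 0;
    out[n++] = '\'';
    for (const char *p = val; *p; p++) {
        if (*p == '\'' || *p == '\\') {
            if (n + 2 >= cap) return -1;
            out[n++] = '\\';
        }
        if (n + 2 >= cap) return -1;   /* room for char, closing quote, NUL */
        out[n++] = *p;
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

/* Build the alert INSERT the way the issue says the postgres branch does:
 * nullable pointers are mapped to SQL NULL before they meet the format
 * string, so "%s" is never handed a NULL pointer. Column names assumed. */
int build_alert_insert(char *out, size_t cap, int rule_id, int level,
                       const char *src_ip, const char *dst_ip, const char *user)
{
    char s[64], d[64], u[128];
    if (sql_nullable_str(s, sizeof s, src_ip) < 0 ||
        sql_nullable_str(d, sizeof d, dst_ip) < 0 ||
        sql_nullable_str(u, sizeof u, user) < 0)
        return -1;
    int n = snprintf(out, cap,
        "INSERT INTO alert (rule_id, level, src_ip, dst_ip, user) "
        "VALUES (%d, %d, %s, %s, %s)", rule_id, level, s, d, u);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Rows already written by the buggy path carry the literal "(null)", which
 * SQL cannot tell from a real value; flag it when reading alerts back. */
int is_fake_null(const char *col) { return col != NULL && strcmp(col, "(null)") == 0; }
```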