Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: MYSQL Error on Windows XP snort install

From: "Bright, Mark IT2" <mbrigh () lincoln navy mil>
Date: Tue, 2 Dec 2003 19:35:16 -0800
I don't have an account with Winsnort so I'm not quite sure what you mean by
master and slave sensors. I'm running a Win2k Professional box with MySQL
4.0.15 and ACID v0.9.6b23 (schema v106) as my central logging server. I have
5 sensors mostly on NT Server machines running Snort v2.0.5 successfully
logging to MySQL, 2 error'ing out with the same problem (Posted below). So
far I've tried to re-install Snort, upgrade it, use root as well as snort
users, checked and re-checked permissions, and checked and re-checked my
snort.conf file. I've found quite a few posts to the snort-users list
regarding this error but haven't seen a fix. I also e-mailed Mr. Danyliw and
I'm awaiting to hear his input. There have been some posts that point the
cause at the sensor name. If that's the case, I really don't know how to fix
it. I'm leaning in the direction of a permissions problem, but from what I
can tell, they look just fine, and my other sensors work great. Any help
would be greatly appreciated...

Here's my error:

Here's my snort.conf output line:
output database: log, mysql, user=snort dbname=snort host=205.60.5.35

Here's the error from Snort:

database: compiled support for ( mysql odbc )
database: configured to use mysql
database: database name = snort
database:          user = snort
database:          host = 205.60.5.35
database:   sensor name = CVN72UFS01:\
database: mysql_error: You have an error in your SQL syntax.  Check the
manual t
hat corresponds to your MySQL server version for the right syntax to use
near '\
' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
database: mysql_error: You have an error in your SQL syntax.  Check the
manual t
hat corresponds to your MySQL server version for the right syntax to use
near '\
','1','0', '0')' at line 1
SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid)
VALUES
('CVN72UFS01:\','\','1','0', '0')
database: mysql_error: You have an error in your SQL syntax.  Check the
manual t
hat corresponds to your MySQL server version for the right syntax to use
near '\
' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
database: Problem obtaining SENSOR ID (sid) from Snort->sensor
ERROR:
 When this plugin starts, a SELECT query is run to find the sensor id for
the
 currently running sensor. If the sensor id is not found, the plugin will
run
 an INSERT query to insert the proper data and generate a new sensor id.
Then a
 SELECT query is run to get the newly allocated sensor id. If that fails
then
 this error message is generated.

 Some possible causes for this error are:
  * the user does not have proper INSERT or SELECT privileges
  * the sensor table does not exist

 If you are _absolutely_ certain that you have the proper privileges set and
 that your database structure is built properly please let me know if you
 continue to get this error. You can contact me at (roman () danyliw com).

~Mark

-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com]
Sent: Tuesday, December 02, 2003 6:26 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install


Watch cloning them unless you change SID. You'll run into problems if they
are on the same network.

Looks like some of this message went private so it looks very strange.

I'm taking it that you are logging from a Master sensor to a Slave sensor
all on the same network.

Did you follow the guide for a Master sensor on the WINSNORT.com site?

Did you follow the guide for a Slave sensor on the WINSNORT.com site?

What sanity checks have you preformed to make sure that connectivity is
there between the master and slave?

Do you have working slaves on the Master but one or more fails after a stock
installation?

Cheers...

-The WINSNORT.com Management Team
-- 
 Pick up your FREE Windows or UNIX Snort installation guides       
 mailto:support () winsnort com
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-
admin () lists sourceforge net] On Behalf Of Bright, Mark IT2
Sent: Tuesday, December 02, 2003 4:48 PM
To: 'Tim'
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install

No can do. They're production servers with different uses. I'm digging
through the Snort-Users archives and I'm finding a bunch of folks with
this
same error, all without a fix. How could an error with this kind of
documentation not been resolved yet? I'm willing to bet someone's figured
it
out, just hasn't spilled the beans yet. I'll keep ya' posted...

~Mark

-----Original Message-----
From: Tim [mailto:tim0707 () comcast net]
Sent: Tuesday, December 02, 2003 3:29 PM
To: Bright, Mark IT2
Subject: Re: [Snort-users] MYSQL Error on Windows XP snort install


Mark,

If that were me and I had 5 good and two bad, I would clone one of the
good
ones and change the name and IP (stuff like that).   That should work for
you.  I know that's the easy way out, but....

Later,
Tim
----- Original Message -----
From: "Bright, Mark IT2" <mbrigh () lincoln navy mil>
To: "'Tim'" <tim0707 () comcast net>
Sent: Tuesday, December 02, 2003 6:21 PM
Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install



Tim,

I still haven't got it working yet. I have 5 sensors reporting just fine

but

2 keep error'ing out. I've obviously checked and rechecked the database
permissions time and time again. They look good to me. I tried using

root

rather than the snort user = failed. I tried re-installing Snort =

failed.
I

tried upgrading to the latest version of Snort = failed. I'm pretty

stuck,

man. I'm going to e-mail Roman again and see what happens. It usually

takes

him a few days to respond so I'll just keep diggin' 'til then. Thanks

for

the heads up on the website. Take it easy,

~Mark

-----Original Message-----
From: Tim [mailto:tim0707 () comcast net]
Sent: Monday, December 01, 2003 2:16 PM
To: Bright, Mark IT2
Subject: Re: [Snort-users] MYSQL Error on Windows XP snort install


Mark,

Check out www.winsnort.com.  They have some documentation that should

help.

I've looked it over, but haven't had a chance to try it out.  You have

to

create an account to get access to the docs.

The Lincoln, huh?  I just got out of the Navy 1 month ago.  I was

stationed

onboard the USS PORTER (DDG-78).  I thought you guys ran RealSecure

onboard

CVN's?

Let me know if you get it working.

Tim
----- Original Message -----
From: "Bright, Mark IT2" <mbrigh () lincoln navy mil>
To: "'Tim'" <tim0707 () comcast net>
Sent: Monday, December 01, 2003 11:02 AM
Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install



I'm getting this same error on two of my sensors. I e-mailed Roman and

the

Snort list and still haven't heard a solution. If you get a fix for

this,

please post it to the list. I'm thinking about creating another user

and

assigning the appropriate permissions and seeing if that works. I'm

running

snort on NT Server and recording to a MySQL database on a remote Win2k
machine. Thanks for posting...

~Mark



-----Original Message-----
From: Tim [mailto:tim0707 () comcast net]
Sent: Friday, November 28, 2003 8:37 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] MYSQL Error on Windows XP snort install


I'm setting up a Windows XP box with snort, ACID and MYSQL. I've

gotten

everything running good, but when I go to run snort, I get the

following

error.


I'm running MYSQL version 4.0.16 and snort version 2.0.5.

I followed the instructions in

http://www.snort.org/docs/snort_acid_rh9.pdf

posted on the snort website to set up MYSQL.  Everything went alright

with

the MYSQL install.  I've checked all of the permissions on MYSQL and I

have

the right user and permissions there.   All of the tables and are

created.

I checked using the SHOW TABLES command.  If anyone has run into this
problem before, I would appreciate the help.

If you're wondering why I'm installing all of this on a Windows XP

box,

well...  just to pass the time, I guess... : )

Thanks,
Tim








-------------------------------------------------------
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: