Snort mailing list archives

Re: MYSQL Error on Windows XP snort install


From: Jim Brown <jpb () sixshooter v6 thrupoint net>
Date: Tue, 2 Dec 2003 23:12:39 -0500

* Bright, Mark IT2 <mbrigh () lincoln navy mil> [2003-12-02 22:38]:
I don't have an account with Winsnort so I'm not quite sure what you mean by
master and slave sensors. I'm running a Win2k Professional box with MySQL
4.0.15 and ACID v0.9.6b23 (schema v106) as my central logging server. I have
5 sensors mostly on NT Server machines running Snort v2.0.5 successfully
logging to MySQL, 2 error'ing out with the same problem (Posted below). So
far I've tried to re-install Snort, upgrade it, use root as well as snort
users, checked and re-checked permissions, and checked and re-checked my
snort.conf file. I've found quite a few posts to the snort-users list
regarding this error but haven't seen a fix. I also e-mailed Mr. Danyliw and
I'm waiting to hear his input. There have been some posts that point the
cause at the sensor name. If that's the case, I really don't know how to fix
it. I'm leaning in the direction of a permissions problem, but from what I
can tell, they look just fine, and my other sensors work great. Any help
would be greatly appreciated...

Here's my error:

Here's my snort.conf output line:
output database: log, mysql, user=snort dbname=snort host=205.60.5.35

Here's the error from Snort:

database: compiled support for ( mysql odbc )
database: configured to use mysql
database: database name = snort
database:          user = snort
database:          host = 205.60.5.35
database:   sensor name = CVN72UFS01:\
database: mysql_error: You have an error in your SQL syntax.  Check the
manual t
hat corresponds to your MySQL server version for the right syntax to use
near '\
' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
database: mysql_error: You have an error in your SQL syntax.  Check the
manual t
hat corresponds to your MySQL server version for the right syntax to use
near '\
','1','0', '0')' at line 1
SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid)
VALUES
('CVN72UFS01:\','\','1','0', '0')
database: mysql_error: You have an error in your SQL syntax.  Check the
manual t
hat corresponds to your MySQL server version for the right syntax to use
near '\
' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
database: Problem obtaining SENSOR ID (sid) from Snort->sensor
ERROR:
 When this plugin starts, a SELECT query is run to find the sensor id for
the
 currently running sensor. If the sensor id is not found, the plugin will
run
 an INSERT query to insert the proper data and generate a new sensor id.
Then a
 SELECT query is run to get the newly allocated sensor id. If that fails
then
 this error message is generated.

 Some possible causes for this error are:
  * the user does not have proper INSERT or SELECT privileges
  * the sensor table does not exist

 If you are _absolutely_ certain that you have the proper privileges set and
 that your database structure is built properly please let me know if you
 continue to get this error. You can contact me at (roman () danyliw com).

~Mark




Disclaimer- I don't run ACID and never have.  So what I'm about
to say could be a total crock of, uh, stuff. I do know a fair
amount of SQL however.

I'm looking at the line:

  SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid)
  VALUES
  ('CVN72UFS01:\','\','1','0', '0')
               ^^
      
and what I see is an escaped single quote which is very likely
throwing the SQL parser off.  Try either a double backslash or 
renaming without the single backslash- i.e.

 ('CVN72UFS01:\\','\','1','0', '0')

or

 ('CVN72UFS01:','\','1','0', '0')



In fact, you should be able to test this directly in the MySQL 
monitor.

If you get a similar error on the next escaped backslash
try:

 ('CVN72UFS01:\\','\\','1','0', '0')



Best Regards,
jpb
===
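
Added example, not part of the original message and not Snort or ACID code: a simplified Python scanner that reads the VALUES list the way MySQL does in its default mode, where a backslash inside '...' makes the next character literal. It shows where the failing statement and the two suggested rewrites stop parsing; the names scan_values, quote and build are assumptions made for this illustration.

```python
# Added illustration (not Snort or ACID code). Simplified on purpose:
# no '' quote doubling and no special escapes such as \n.

def scan_values(s):
    """Return (literals, error_offset); error_offset is None if the list parses."""
    out, n, i = [], len(s), 1
    if not s.startswith("("):
        return out, 0
    while True:
        while i < n and s[i].isspace():
            i += 1
        if i >= n or s[i] != "'":            # expected an opening quote here
            return out, min(i, n)
        i += 1
        buf = []
        while i < n and s[i] != "'":
            if s[i] == "\\" and i + 1 < n:   # backslash: next char is literal
                i += 1
            buf.append(s[i])
            i += 1
        if i >= n:                           # ran off the end: unterminated
            return out, n
        out.append("".join(buf))
        i += 1                               # step over the closing quote
        while i < n and s[i].isspace():
            i += 1
        if i < n and s[i] == ")":
            return out, None
        if i >= n or s[i] != ",":            # parser is lost from here on
            return out, min(i, n)
        i += 1

def quote(value):
    """Quote a value so a trailing backslash cannot swallow the closing quote."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def build(hostname, interface):
    """Build the VALUES list for the sensor INSERT from raw (unescaped) values."""
    return "(" + ",".join(quote(v) for v in (hostname, interface, "1", "0", "0")) + ")"

# Statements copied from the thread (raw strings keep the backslashes as typed).
FAILING = r"('CVN72UFS01:\','\','1','0', '0')"
FIRST_FIX = r"('CVN72UFS01:\\','\','1','0', '0')"
BOTH_FIXED = r"('CVN72UFS01:\\','\\','1','0', '0')"

if __name__ == "__main__":
    for stmt in (FAILING, FIRST_FIX, BOTH_FIXED, build("CVN72UFS01:\\", "\\")):
        literals, err = scan_values(stmt)
        print(stmt, literals, "ok" if err is None else "stops at: " + stmt[err:])
```

For the failing statement the scanner stops at the same text the MySQL error quotes after "near", and the first rewrite alone moves the failure to the interface value.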


