Snort mailing list archives

RE: MYSQL Error on Windows XP snort install


From: "snortmail" <snortmail () eloqua com>
Date: Wed, 3 Dec 2003 12:00:56 -0500

I'm on a Win2K box - and experiencing the same issues with MySQL - I've also run snort to log to an MSSQL under the
exact conditions and it goes through fine... The correspondence below is from the beginning of last month.  Changing the
sensor name does not fix the problem - there continues to be an issue with the interface name - it's just that the
sensor name was hitting an error first.  If anyone has further insight into this issue - it would be appreciated.
I've been struggling to find any help because most people think that I'm not configuring my permissions properly.  This
is the first time in a while that so many people are having the same concern - please forward your issues to Roman - as
I have no choice but to stay on a Windows platform and therefore can't modify the snort executable.

Thanks,

- Mike


-----Original Message-----
From: Mike Couch 
Sent: Thursday, November 13, 2003 1:37 PM
To: 'roman () danyliw com'
Subject: snort & slashes with mysql


MySQL, Windows, Snort 2.04 - interface call returns a '/' in spo_database.c near line 320; this is the escape character
in MySQL syntax

DB structure and permissions are totally fine

Cheers,

- Mike



-----Original Message-----
From: James Haworth [mailto:james.haworth () eduserv org uk]
Sent: Wednesday, November 12, 2003 4:42 PM
To: Mike Couch
Subject: RE: snort & slashes


Hi Mike.
 
I haven't found a solution to this problem as yet. It is caused by the Packet Capture driver returning a blank 
interface name within Windows. This is then interpreted by Snort as a "\" which is the escape character within MySQL 
and therefore you get the error. 
 
I have tried many ways of getting this to work, and unless you remove the MySQL support, then it fails. I have opted to 
go for Red Hat Linux base which doesn't experience this problem until I can find a fix for it.
 
Sorry I couldn't be more help. Let me know if you find a solution for this.
 
Regards
 
James Haworth

        -----Original Message----- 
        From: Mike Couch [mailto:michael.couch () eloqua com] 
        Sent: Wed 12/11/2003 18:44 
        To: James Haworth 
        Cc: 
        Subject: snort & slashes
        
        
        Hi James,
         
        I hope you don't mind me contacting you - but I found your email address on a newsgroup posting... anyways - I
        just was wondering if you ever found a solution to the problem you were having below in September... I've been
        spending way too much time on the same issue and haven't found any helpful advice... thanks very much...
         
        - Mike
         
         
        Hi.
        
        When I start Snort, I get the following error. Has anybody seen this error, or know how to resolve it as I am
        getting it on every box that I install it on?
        
        Regards
        
        James Haworth
        
        C:\Snort\bin>snort -i 2 -c c:\snort\etc\snort.conf -v
        Running in IDS mode
        Log directory = log
        
        Initializing Network Interface \
        
                --== Initializing Snort ==--
        Initializing Output Plugins!
        Decoding Ethernet on interface \
        Initializing Preprocessors!
        Initializing Plug-ins!
        Parsing Rules file c:\snort\etc\snort.conf
        
        +++++++++++++++++++++++++++++++++++++++++++++++++++
        Initializing rule chains...
        No arguments to frag2 directive, setting defaults to:
            Fragment timeout: 60 seconds
            Fragment memory cap: 4194304 bytes
            Fragment min_ttl:   0
            Fragment ttl_limit: 5
            Fragment Problems: 0
            Self preservation threshold: 500
            Self preservation period: 90
            Suspend threshold: 1000
            Suspend period: 30
        Stream4 config:
            Stateful inspection: ACTIVE
            Session statistics: INACTIVE
            Session timeout: 30 seconds
            Session memory cap: 8388608 bytes
            State alerts: INACTIVE
            Evasion alerts: ACTIVE
            Scan alerts: ACTIVE
            Log Flushed Streams: INACTIVE
            MinTTL: 1
            TTL Limit: 5
            Async Link: 0
            State Protection: 0
            Self preservation threshold: 50
            Self preservation period: 90
            Suspend threshold: 200
            Suspend period: 30
        Stream4_reassemble config:
            Server reassembly: INACTIVE
            Client reassembly: ACTIVE
            Reassembler alerts: ACTIVE
            Ports: 21 23 25 53 80 110 111 143 513 1433
            Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
        http_decode arguments:
            Unicode decoding
            IIS alternate Unicode decoding
            IIS double encoding vuln
            Flip backslash to slash
            Include additional whitespace separators
            Ports to decode http on: 80
        rpc_decode arguments:
            Ports to decode RPC on: 111 32771
            alert_fragments: INACTIVE
            alert_large_fragments: ACTIVE
            alert_incomplete: ACTIVE
            alert_multiple_requests: ACTIVE
        telnet_decode arguments:
            Ports to decode telnet on: 21 23 25 119
        Using LOCAL time
        database: compiled support for ( mysql odbc )
        database: configured to use mysql
        database:          user = root
        database: database name = snort
        database:          host = localhost
        Node unique name is: EO52:\
        
        database:   sensor name = EO52:\
        database: mysql_error: You have an error in your SQL syntax.  Check the manual t
        hat corresponds to your MySQL server version for the right syntax to use near '\
        ' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
        database: mysql_error: You have an error in your SQL syntax.  Check the manual t
        hat corresponds to your MySQL server version for the right syntax to use near '\
        ','1','0', '0')' at line 1
        SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid) VALUES
        ('EO52:\','\','1','0', '0')
        database: mysql_error: You have an error in your SQL syntax.  Check the manual t
        hat corresponds to your MySQL server version for the right syntax to use near '\
        ' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
        database: Problem obtaining SENSOR ID (sid) from snort->sensor
        ERROR:
        When this plugin starts, a SELECT query is run to find the sensor id for the
        currently running sensor. If the sensor id is not found, the plugin will run
        an INSERT query to insert the proper data and generate a new sensor id. Then a
        SELECT query is run to get the newly allocated sensor id. If that fails then
        this error message is generated.
        
        Some possible causes for this error are:
          * the user does not have proper INSERT or SELECT privileges
          * the sensor table does not exist
        
        If you are _absolutely_ certain that you have the proper privileges set and
        that your database structure is built properly please let me know if you
        continue to get this error. You can contact me at (roman () danyliw com).
        
        Fatal Error, Quitting..
        
        
        
        Snort Interfaces Available Command (snort -W)
        
        C:\Snort\bin>snort -W
        
        -*> Snort! <*-
        Version 2.0.1-ODBC-MySQL-FlexRESP-WIN32 (Build 88)
        By Martin Roesch (roesch () sourcefire com, www.snort.org)
        1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
        1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
        
        Interface       Device          Description
        -------------------------------------------
        1  \Device\Packet_NdisWanIp (NdisWan Adapter)
        2 \Device\Packet_{165D21FE-FB6F-4BFE-80C0-C783B23164BE} (SiS NIC SISNIC)
        
         
         
        --------------------
        
        Mike Couch
        IT Specialist
        416-864-0440 x[224]
        416-864-1881 fax
        mike.couch () eloqua com <mailto:mike.couch () eloqua com> 
        http://www.eloqua.com <http://www.eloqua.com/> 
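
The failure in the quoted log, reproduced as an added example (not Snort's spo_database.c and not code from anyone in this thread): a hostname and interface ending in a backslash are concatenated into the sensor INSERT, so the backslash escapes the closing quote and the literal never terminates. The helper names `sql_escape`, `literals_closed` and `build_insert` are hypothetical, and the escape set is a minimal subset; the MySQL C API provides `mysql_real_escape_string` for this purpose.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: escape src for a single-quoted MySQL string literal.
 * Returns the escaped length, or -1 if dst is too small. */
static int sql_escape(char *dst, size_t cap, const char *src) {
    size_t o = 0;
    for (; *src; src++) {
        int special = (*src == '\\' || *src == '\'' || *src == '"');
        if (o + special + 1 >= cap) return -1;   /* keep room for the NUL */
        if (special) dst[o++] = '\\';
        dst[o++] = *src;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Returns 1 if every '...' literal in sql is closed under MySQL's default
 * rule that a backslash inside a literal consumes the next character. */
static int literals_closed(const char *sql) {
    int in_str = 0;
    for (; *sql; sql++) {
        if (in_str && *sql == '\\' && sql[1]) sql++;
        else if (*sql == '\'') in_str = !in_str;
    }
    return !in_str;
}

/* Build the sensor INSERT seen in the log; escape=0 reproduces the failure. */
static int build_insert(char *out, size_t cap, const char *host,
                        const char *ifname, int escape) {
    char h[128], i[128];
    if (sql_escape(h, sizeof h, host) < 0 || sql_escape(i, sizeof i, ifname) < 0)
        return -1;
    int n = snprintf(out, cap, "INSERT INTO sensor (hostname, interface, detail,"
                     " encoding, last_cid) VALUES ('%s','%s','1','0', '0')",
                     escape ? h : host, escape ? i : ifname);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void) {
    char q[512];
    for (int esc = 0; esc <= 1; esc++)   /* host and interface as in the log */
        if (build_insert(q, sizeof q, "EO52:\\", "\\", esc) > 0)
            printf("%s\n  literals closed: %d\n", q, literals_closed(q));
    return 0;
}
```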
         

