Snort mailing list archives
RE: slashes in SQL statement a problem?
From: <wfz () ciudad com ar>
Date: Thu, 04 Dec 2003 13:10:23 -0300
Hi Mike (Couch), perhaps by now you've solved the problem by yourself, but anyway... I've run into the same problem while trying to use a secondary sensor (a W2K one) to log to a remote MySQL database:
database: Problem obtaining SENSOR ID (sid) from snort->sensor
but after searching the mailings and testing for three days, I finally arrived at the problem; sniffing, I saw that the string snort was sending to MySQL was wrong:
SELECT sid FROM sensor WHERE hostname='Sensor2' AND interface='\' AND detail='1' AND encoding='0' AND filter IS NULL
the problem here is the backslash after interface, which -I think- escapes the preceding single quote, thus the rest of the statement is ignored and produces a syntax error. After that I searched the archives and found in SNORT-developers one message telling about pcap sending unicode characters to snort when queried about the interface, or something like that. That was the problem, look at this:
C:\Snort\bin>snort -de -c c:\snort\etc\snort.conf -l c:\snort\log -i1
Running in IDS mode
Log directory = c:\snort\log
Initializing Network Interface \
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file c:\snort\etc\snort.conf
Snort uses '\' as the listening interface name or number, and it's OK until it passes it to MySQL as an argument for the above described query. MySQL gives a syntax error and so snort dies. I've seen a lot of questions about this problem on the net and didn't find a complete answer, so I think this posting can help. I solved the problem by downgrading to snort 2.0.0, so if anyone on the developers' team is reading this, please take it into account for correcting it. I'll try to post a similar text in the bugs list so they can fix it. I'm no good at programming so I can't help anymore. Cheers.
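Added example (not part of the original post and not Snort's code): in MySQL's default SQL mode a backslash inside a string literal escapes the character after it, so an interface name of `\` leaves the `interface='\'` literal unterminated. The C sketch below rebuilds the query from the post with and without escaping and checks whether its string literals close; `literals_closed`, `escape_value` and `build_query` are hypothetical helpers, and real code would use the client library's escaping (such as `mysql_real_escape_string`) or a prepared statement.

```c
#include <stdio.h>

/* 1 if every '...' literal in sql is closed under MySQL's default rules:
 * inside a literal, backslash escapes the next char and '' is a quote. */
int literals_closed(const char *sql) {
    int in_str = 0;
    for (const char *p = sql; *p; p++) {
        if (!in_str) { if (*p == '\'') in_str = 1; }
        else if (*p == '\\') { if (!p[1]) break; p++; }
        else if (*p == '\'') { if (p[1] == '\'') p++; else in_str = 0; }
    }
    return !in_str;
}

/* Simplified escaping (assumption, not Snort's code): backslash-prefix
 * backslash and quote characters. Returns length, or -1 if dst is small. */
int escape_value(char *dst, size_t dstsz, const char *src) {
    size_t n = 0;
    for (; *src; src++) {
        int special = (*src == '\\' || *src == '\'' || *src == '"');
        if (n + (special ? 2 : 1) >= dstsz) return -1;
        if (special) dst[n++] = '\\';
        dst[n++] = *src;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Builds the lookup quoted in the post; escape=0 interpolates iface raw. */
int build_query(char *out, size_t outsz, const char *iface, int escape) {
    char val[64];
    if (escape ? escape_value(val, sizeof val, iface) < 0
               : snprintf(val, sizeof val, "%s", iface) >= (int)sizeof val)
        return -1;
    int n = snprintf(out, outsz,
        "SELECT sid FROM sensor WHERE hostname='Sensor2' AND interface='%s' "
        "AND detail='1' AND encoding='0' AND filter IS NULL", val);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void) {
    char q[256];
    for (int esc = 0; esc <= 1; esc++)   /* constructed input: "\" */
        if (build_query(q, sizeof q, "\\", esc) > 0)
            printf("%s\n  literals closed: %d\n", q, literals_closed(q));
    return 0;
}
```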