Snort mailing list archives

snort+acid and URL references problem


From: "Michael Scheidell" <scheidell () fdma com>
Date: Fri, 12 Oct 2001 11:50:48 -0400

Database ERROR:You have an error in your SQL syntax near '' at line 1

Given the following:

snort rule with reference
(the misc-web nimda worm 'readme.eml' attempt)

reference:url,(well, anything)

The /var/log message gives this error when attempting to log to the MySQL database,
schema 103:

Unable to insert the alert reference

SECOND insert works, but acid still won't display the results.

The SQL log shows this SQL attempt, and any attempt to search for the specific IP
address gives the same error.


SELECT COUNT(DISTINCT acid_event.sid) FROM acid_event    WHERE
acid_event.sid > 0 AND (  ( ip_dst=2886747080 )   )
SELECT COUNT(DISTINCT acid_event.signature) FROM acid_event    WHERE
acid_event.sid > 0 AND (  ( ip_dst=2886747080 )   )
SELECT COUNT(acid_event.sid) FROM acid_event    WHERE   acid_event.sid > 0
AND (  ( ip_dst=2886747080 )   )
SELECT COUNT(DISTINCT acid_event.ip_src), COUNT(DISTINCT acid_event.ip_dst)
FROM acid_event    WHERE   acid_event.sid > 0
AND (  ( ip_dst=2886747080 )   )
SELECT COUNT(DISTINCT acid_event.layer4_sport),  COUNT(DISTINCT
acid_event.layer4_dport) FROM acid_event    WHERE
   acid_event.sid > 0 AND (  ( ip_dst=2886747080 )   )
SELECT COUNT(DISTINCT acid_event.layer4_sport),  COUNT(DISTINCT
acid_event.layer4_dport) FROM acid_event    WHERE
   acid_event.sid > 0 AND (  ( ip_dst=2886747080 )   ) AND ip_proto=6
SELECT COUNT(DISTINCT acid_event.layer4_sport),  COUNT(DISTINCT
acid_event.layer4_dport) FROM acid_event    WHERE
   acid_event.sid > 0 AND (  ( ip_dst=2886747080 )   ) AND ip_proto=17
SELECT sig_name FROM signature WHERE sig_id=108
SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id=108
SELECT ref_system_id, ref_tag FROM reference WHERE ref_id=0
SELECT ref_system_name FROM reference_system WHERE ref_system_id=

--

Michael Scheidell
Florida Datamation, Inc.
scheidell () fdma com 1+(561) 368-9561
Internet Security and Consulting
See updated IT Security News at http://www.fdma.com/
After system Compromise : http://www.cert.org/tech_tips/



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
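The last three queries in the log above show the failure mode: `sig_reference` points at `ref_id=0`, no matching row exists in `reference` (the "Unable to insert the alert reference" failure), so the lookup interpolates an empty `ref_system_id` into the final statement and MySQL reports a syntax error at `''`. The following Python/sqlite3 script is an added example, not code from the post or from ACID; the table columns are assumptions modelled only on the table and column names visible in the log. It reproduces the string-built lookup chain, shows a parameterised version that reports the dangling reference instead of emitting a broken statement, and gives an integrity query worth running after that insert error appears.

```python
import sqlite3

# Constructed schema modelled on the four table names in the ACID query log
# (signature, sig_reference, reference, reference_system). Column sets are
# assumptions for this example, not the real ACID DDL.
SCHEMA = """
CREATE TABLE signature        (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE sig_reference    (sig_id INTEGER, ref_seq INTEGER, ref_id INTEGER);
CREATE TABLE reference        (ref_id INTEGER PRIMARY KEY, ref_system_id INTEGER, ref_tag TEXT);
CREATE TABLE reference_system (ref_system_id INTEGER PRIMARY KEY, ref_system_name TEXT);
"""


def build_db(dangling=True):
    """Return an in-memory DB with constructed sample rows.

    dangling=True reproduces the post: sig_reference for sig_id 108 points at
    ref_id=0, but the reference row was never inserted.  dangling=False builds
    a complete chain for comparison.
    """
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO signature VALUES (108, 'WEB-MISC readme.eml attempt')")
    db.execute("INSERT INTO reference_system VALUES (1, 'url')")
    if dangling:
        db.execute("INSERT INTO sig_reference VALUES (108, 1, 0)")
    else:
        db.execute("INSERT INTO reference VALUES (7, 1, 'example.invalid/readme')")
        db.execute("INSERT INTO sig_reference VALUES (108, 1, 7)")
    db.commit()
    return db


def lookup_naive(db, sig_id):
    """String-concatenating lookup chain, the pattern the log suggests.

    When `reference` has no row, fetchone() returns None, '' is interpolated,
    and the last statement ends in 'ref_system_id=' exactly as in the log.
    The database rejects that statement.
    """
    refs = db.execute(
        f"SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id={sig_id}").fetchall()
    out = []
    for _seq, ref_id in refs:
        row = db.execute(
            f"SELECT ref_system_id, ref_tag FROM reference WHERE ref_id={ref_id}").fetchone()
        sys_id = row[0] if row else ""
        tag = row[1] if row else ""
        name = db.execute(
            f"SELECT ref_system_name FROM reference_system WHERE ref_system_id={sys_id}").fetchone()
        out.append((name[0], tag))
    return out


def naive_fails(db, sig_id):
    """True if the string-built chain raises a database error for sig_id."""
    try:
        lookup_naive(db, sig_id)
        return False
    except sqlite3.Error:
        return True


def lookup_safe(db, sig_id):
    """Parameterised version of the same chain.

    Values travel as bind parameters, never as SQL text, and a missing row is
    reported as a problem on the result instead of being fed into the next
    query.
    """
    refs = db.execute(
        "SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id=? ORDER BY ref_seq",
        (sig_id,)).fetchall()
    out = []
    for _seq, ref_id in refs:
        row = db.execute(
            "SELECT ref_system_id, ref_tag FROM reference WHERE ref_id=?", (ref_id,)).fetchone()
        if row is None:
            out.append({"ref_id": ref_id, "system": None, "tag": None,
                        "problem": "dangling ref_id"})
            continue
        sys_id, tag = row
        sysrow = db.execute(
            "SELECT ref_system_name FROM reference_system WHERE ref_system_id=?",
            (sys_id,)).fetchone()
        out.append({"ref_id": ref_id, "system": sysrow[0] if sysrow else None,
                    "tag": tag, "problem": None if sysrow else "unknown ref_system_id"})
    return out


def find_dangling_references(db):
    """Integrity check for the 'Unable to insert the alert reference' case:
    every sig_reference.ref_id with no matching row in `reference`."""
    rows = db.execute(
        "SELECT DISTINCT sr.ref_id FROM sig_reference sr "
        "LEFT JOIN reference r ON r.ref_id = sr.ref_id WHERE r.ref_id IS NULL")
    return [r[0] for r in rows]


if __name__ == "__main__":
    broken = build_db(dangling=True)
    print("naive chain fails on dangling ref:", naive_fails(broken, 108))
    print("safe chain reports:", lookup_safe(broken, 108))
    print("dangling ref_ids:", find_dangling_references(broken))
```

The point the parameterised version makes is twofold: an empty or missing value can no longer change the shape of the statement (the same property that blocks injection through `ref_tag`), and the orphaned `sig_reference` row is surfaced as data a console can display, rather than as a syntax error that hides the whole alert.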