Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: MYSQL Error on Windows XP snort install

From: "Jacob Roberts" <jake_roberts () byu edu>
Date: Wed, 3 Dec 2003 09:14:49 -0700
Here is your Probem:
        sensor name = CVN72UFS01:\

Your sensor name has a backslash in it '\'.

In MySQL the backslash is a special character that escapes other special
characters so they can be used:
For example, the single quote (') character is special and cannot be
used in MySQL, but by escaping it with the backslash character like so
\' MySQL sees that you want to treat the ' as a normal character and not
by its special meaning.

So by having a \ in your sensor name its changing a ' to a non-special
character and messing up Snort SQL statement.  You should be able to fix
this problem by changing the sensor name in the snort.conf file.  You
specify the sensor name in the output plug line:
        output database: log, mysql, dbname=snort user=snortusr
host=mysql.domain.org password=goodpassword detail=full
sensor_name=mysnortsensor1

Snort really should and escape all the values it enters in the database
so errors like this won't occur.

I hope this solves your problem.

Jake



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bright,
Mark IT2
Sent: Tuesday, December 02, 2003 8:35 PM
To: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install


I don't have an account with Winsnort so I'm not quite sure what you
mean by
master and slave sensors. I'm running a Win2k Professional box with
MySQL
4.0.15 and ACID v0.9.6b23 (schema v106) as my central logging server. I
have
5 sensors mostly on NT Server machines running Snort v2.0.5 successfully
logging to MySQL, 2 error'ing out with the same problem (Posted below).
So
far I've tried to re-install Snort, upgrade it, use root as well as
snort
users, checked and re-checked permissions, and checked and re-checked my
snort.conf file. I've found quite a few posts to the snort-users list
regarding this error but haven't seen a fix. I also e-mailed Mr. Danyliw
and
I'm awaiting to hear his input. There have been some posts that point
the
cause at the sensor name. If that's the case, I really don't know how to
fix
it. I'm leaning in the direction of a permissions problem, but from what
I
can tell, they look just fine, and my other sensors work great. Any help
would be greatly appreciated...

Here's my error:

Here's my snort.conf output line:
output database: log, mysql, user=snort dbname=snort host=205.60.5.35

Here's the error from Snort:

database: compiled support for ( mysql odbc )
database: configured to use mysql
database: database name = snort
database:          user = snort
database:          host = 205.60.5.35
database:   sensor name = CVN72UFS01:\
database: mysql_error: You have an error in your SQL syntax.  Check the
manual t
hat corresponds to your MySQL server version for the right syntax to use
near '\
' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
database: mysql_error: You have an error in your SQL syntax.  Check the
manual t
hat corresponds to your MySQL server version for the right syntax to use
near '\
','1','0', '0')' at line 1
SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid)
VALUES
('CVN72UFS01:\','\','1','0', '0')
database: mysql_error: You have an error in your SQL syntax.  Check the
manual t
hat corresponds to your MySQL server version for the right syntax to use
near '\
' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
database: Problem obtaining SENSOR ID (sid) from Snort->sensor
ERROR:
 When this plugin starts, a SELECT query is run to find the sensor id
for
the
 currently running sensor. If the sensor id is not found, the plugin
will
run
 an INSERT query to insert the proper data and generate a new sensor id.
Then a
 SELECT query is run to get the newly allocated sensor id. If that fails
then
 this error message is generated.

 Some possible causes for this error are:
  * the user does not have proper INSERT or SELECT privileges
  * the sensor table does not exist

 If you are _absolutely_ certain that you have the proper privileges set
and
 that your database structure is built properly please let me know if
you
 continue to get this error. You can contact me at (roman () danyliw com).

~Mark

-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com]
Sent: Tuesday, December 02, 2003 6:26 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install


Watch cloning them unless you change SID. You'll run into problems if
they
are on the same network.

Looks like some of this message went private so it looks very strange.

I'm taking it that you are logging from a Master sensor to a Slave
sensor
all on the same network.

Did you follow the guide for a Master sensor on the WINSNORT.com site?

Did you follow the guide for a Slave sensor on the WINSNORT.com site?

What sanity checks have you preformed to make sure that connectivity is
there between the master and slave?

Do you have working slaves on the Master but one or more fails after a
stock
installation?

Cheers...

-The WINSNORT.com Management Team
-- 
 Pick up your FREE Windows or UNIX Snort installation guides       
 mailto:support () winsnort com
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-
admin () lists sourceforge net] On Behalf Of Bright, Mark IT2
Sent: Tuesday, December 02, 2003 4:48 PM
To: 'Tim'
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install

No can do. They're production servers with different uses. I'm digging
through the Snort-Users archives and I'm finding a bunch of folks with
this
same error, all without a fix. How could an error with this kind of
documentation not been resolved yet? I'm willing to bet someone's

figured

it
out, just hasn't spilled the beans yet. I'll keep ya' posted...

~Mark

-----Original Message-----
From: Tim [mailto:tim0707 () comcast net]
Sent: Tuesday, December 02, 2003 3:29 PM
To: Bright, Mark IT2
Subject: Re: [Snort-users] MYSQL Error on Windows XP snort install


Mark,

If that were me and I had 5 good and two bad, I would clone one of the
good
ones and change the name and IP (stuff like that).   That should work

for

you.  I know that's the easy way out, but....

Later,
Tim
----- Original Message -----
From: "Bright, Mark IT2" <mbrigh () lincoln navy mil>
To: "'Tim'" <tim0707 () comcast net>
Sent: Tuesday, December 02, 2003 6:21 PM
Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install



Tim,

I still haven't got it working yet. I have 5 sensors reporting just

fine

but

2 keep error'ing out. I've obviously checked and rechecked the

database

permissions time and time again. They look good to me. I tried using

root

rather than the snort user = failed. I tried re-installing Snort =

failed.
I

tried upgrading to the latest version of Snort = failed. I'm pretty

stuck,

man. I'm going to e-mail Roman again and see what happens. It

usually

takes

him a few days to respond so I'll just keep diggin' 'til then.

Thanks

for

the heads up on the website. Take it easy,

~Mark

-----Original Message-----
From: Tim [mailto:tim0707 () comcast net]
Sent: Monday, December 01, 2003 2:16 PM
To: Bright, Mark IT2
Subject: Re: [Snort-users] MYSQL Error on Windows XP snort install


Mark,

Check out www.winsnort.com.  They have some documentation that

should

help.

I've looked it over, but haven't had a chance to try it out.  You

have

to

create an account to get access to the docs.

The Lincoln, huh?  I just got out of the Navy 1 month ago.  I was

stationed

onboard the USS PORTER (DDG-78).  I thought you guys ran RealSecure

onboard

CVN's?

Let me know if you get it working.

Tim
----- Original Message -----
From: "Bright, Mark IT2" <mbrigh () lincoln navy mil>
To: "'Tim'" <tim0707 () comcast net>
Sent: Monday, December 01, 2003 11:02 AM
Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install



I'm getting this same error on two of my sensors. I e-mailed Roman

and

the

Snort list and still haven't heard a solution. If you get a fix

for

this,

please post it to the list. I'm thinking about creating another

user

and

assigning the appropriate permissions and seeing if that works.

I'm

running

snort on NT Server and recording to a MySQL database on a remote

Win2k

machine. Thanks for posting...

~Mark



-----Original Message-----
From: Tim [mailto:tim0707 () comcast net]
Sent: Friday, November 28, 2003 8:37 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] MYSQL Error on Windows XP snort install


I'm setting up a Windows XP box with snort, ACID and MYSQL. I've

gotten

everything running good, but when I go to run snort, I get the

following

error.


I'm running MYSQL version 4.0.16 and snort version 2.0.5.

I followed the instructions in

http://www.snort.org/docs/snort_acid_rh9.pdf

posted on the snort website to set up MYSQL.  Everything went

alright

with

the MYSQL install.  I've checked all of the permissions on MYSQL

and I

have

the right user and permissions there.   All of the tables and are

created.

I checked using the SHOW TABLES command.  If anyone has run into

this

problem before, I would appreciate the help.

If you're wondering why I'm installing all of this on a Windows XP

box,

well...  just to pass the time, I guess... : )

Thanks,
Tim








-------------------------------------------------------
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: