[Snort-devel] [PATCH] Superquote database entries
Kristofer T. Karas
ktk at ...2395...
Tue Feb 24 15:06:03 EST 2004

When snort logs to a database, it sanitizes string literals in SQL
statements via snort-escape-string(). Unfortunately, different quoting
rules are required based upon the context. In particular, the '%' and
'_' characters must be quoted in LIKE clauses as they have special
meaning; but when compared with '=' (or in INSERT statements, etc) those
are just regular characters. The MySQL database (and perhaps others)
will interpret the quoted versions ('\_' and '\%') as two regular
characters in an INSERT command. This produces unwanted results in the
database; e.g., the snort signature for "http_decode" shows up as
"http\_decode" in Demarc (and possibly ACID?).

While looking at spo_database.c, I noticed that the superquote rules for
some of the other database flavors lacked superquoting for '%' and '_'
altogether. Also, MySQL supports a '\Z' superquote (for character code
26) for use by Windows platforms that is not supported for PostgreSQL
(7.4.1 in any case). I fixed that as well.

Below is a patch to address the aforementioned. I added a "how"
argument to snort-escape-string that can be 0 to quote for INSERT (etc)
and 1 to quote for SELECT...LIKE; all of the callers are hardwired for 0
as none are using 'LIKE'.

Slightly OT, but I had to read the code from MySQL and PostgreSQL (and
chatted with the MSSQL and Oracle DBs here) to get some consensus on
uniform quoting rules. I note with some dismay that the lexical
analyzers in both MySQL and PostgreSQL disagree with their exported API
function for superquoting; sigh. At least the omission of some
characters is moot as the input streams are binary safe for the non-meta
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
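
The context-dependent quoting described in the message, as an added example that is not the scrubbed patch or Snort's own code. It models MySQL-style backslash quoting only; the names escape_for_sql, QUOTE_LITERAL and QUOTE_LIKE are hypothetical, and the four-backslash rule for a literal backslash in a LIKE pattern goes beyond what the message covers.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for the "how" argument: 0 = INSERT / '=', 1 = LIKE. */
enum { QUOTE_LITERAL = 0, QUOTE_LIKE = 1 };

/* Escape `in` for use inside a quoted MySQL-style string literal.
 * Returns the escaped length, or -1 if `out` is too small. */
int escape_for_sql(const char *in, char *out, size_t outlen, int how)
{
    size_t o = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        const char *rep = NULL;
        char one[2] = { *in, '\0' };
        switch (*in) {
        case '\'': rep = "\\'";  break;      /* always quoted */
        case '"':  rep = "\\\""; break;      /* always quoted */
        /* LIKE strips backslashes a second time, so double up again. */
        case '\\': rep = (how == QUOTE_LIKE) ? "\\\\\\\\" : "\\\\"; break;
        /* Wildcards are only special in a LIKE pattern; in a plain
         * literal "\_" would be stored as two characters. */
        case '%':  if (how == QUOTE_LIKE) rep = "\\%"; break;
        case '_':  if (how == QUOTE_LIKE) rep = "\\_"; break;
        default:   break;
        }
        if (!rep) rep = one;                 /* ordinary character */
        size_t n = strlen(rep);
        if (o + n + 1 > outlen) return -1;   /* keep room for the NUL */
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    char buf[64];
    const char *sig = "http_decode";         /* constructed sample input */
    escape_for_sql(sig, buf, sizeof buf, QUOTE_LITERAL);
    printf("INSERT ... VALUES ('%s')\n", buf);
    escape_for_sql(sig, buf, sizeof buf, QUOTE_LIKE);
    printf("SELECT ... LIKE '%s'\n", buf);
    return 0;
}
```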