[Snort-devel] [PATCH] Superquote database entries

Kristofer T. Karas ktk at ...2395...
Tue Feb 24 15:06:03 EST 2004


Greetings,

When snort logs to a database, it sanitizes string literals in SQL 
statements via snort-escape-string().  Unfortunately, different quoting 
rules are required based upon the context.  In particular, the '%' and 
'_' characters must be quoted in LIKE clauses as they have special 
meaning; but when compared with '=' (or in INSERT statements, etc) those 
are just regular characters.  The MySQL database (and perhaps others) 
will interpret the quoted versions ('\_' and '\%') as two regular 
characters in an INSERT command.   This produces unwanted results in the 
database; e.g., the snort signature for "http_decode" shows up as 
"http\_decode" in Demarc (and possibly ACID?).

While looking at spo_database.c, I noticed that the superquote rules for 
some of the other database flavors lacked superquoting for '%' and '_' 
altogether.  Also, MySQL supports a '\Z' superquote (for character code 
26) for use by Windows platforms that is not supported for PostgreSQL 
(7.4.1 in any case).  I fixed that as well.

Below is a patch to address the aforementioned.  I added a "how" 
argument to snort-escape-string that can be 0 to quote for INSERT (etc) 
and 1 to quote for SELECT...LIKE; all of the callers are hardwired for 0 
as none are using 'LIKE'.

<Digress>
Slightly OT, but I had to read the code from MySQL and PostgreSQL (and 
chatted with the MSSQL and Oracle DBs here) to get some consensus on 
uniform quoting rules.  I note with some dismay that the lexical 
analyzers in both MySQL and PostgreSQL disagree with their exported API 
function for superquoting; sigh.  At least the omission of some 
characters is moot as the input streams are binary safe for the non-meta 
characters...
</Digress>

Kris Karas

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: snort-2.1.1-RC1.diff
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20040224/bf25505c/attachment.ksh>
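
The context-dependent quoting described in the message, as an added example; it is not the attached patch and not Snort's own code. The name `escape_sql` and the enum constants are hypothetical, the `how` values follow the message (0 for INSERT and '=' comparisons, 1 for LIKE), and MySQL-style backslash escaping is assumed, including the four backslashes MySQL needs for a literal backslash in a LIKE pattern.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Quoting contexts, mirroring the "how" argument described in the message. */
enum { QUOTE_LITERAL = 0, QUOTE_LIKE = 1 };

/*
 * Hypothetical helper: backslash-escape `in` for use inside a single-quoted
 * SQL string (assumes MySQL-style backslash escapes).
 * Returns the escaped length, or -1 if `out` (size `outsz`) is too small.
 */
int escape_sql(const char *in, int how, char *out, size_t outsz)
{
    size_t o = 0;

    for (; *in != '\0'; in++) {
        size_t pre = 0;                 /* backslashes to emit before *in */

        if (*in == '\'' || *in == '"')
            pre = 1;                    /* would terminate the literal */
        else if (*in == '\\')
            pre = (how == QUOTE_LIKE) ? 3 : 1;  /* LIKE unescapes once more */
        else if (how == QUOTE_LIKE && (*in == '%' || *in == '_'))
            pre = 1;                    /* wildcards only matter in LIKE */

        if (o + pre + 2 > outsz)        /* prefix + character + NUL */
            return -1;
        memset(out + o, '\\', pre);
        o += pre;
        out[o++] = *in;
    }
    if (o >= outsz)
        return -1;
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    char buf[64];                       /* "http_decode" is the page's example */

    escape_sql("http_decode", QUOTE_LITERAL, buf, sizeof buf);
    printf("INSERT ... VALUES ('%s')\n", buf);
    escape_sql("http_decode", QUOTE_LIKE, buf, sizeof buf);
    printf("SELECT ... LIKE '%s'\n", buf);
    return 0;
}
```

With bound parameters the literal escaping becomes unnecessary, but '%' and '_' in a value bound to a LIKE pattern still need the wildcard escaping shown for `QUOTE_LIKE`.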

