[Snort-sigs] BUG! Rule 1677 triggers a bug when logging to mysql
elof at ...1288...
Wed Feb 12 05:13:05 EST 2003
Rule 1677 (and others?) makes snort log the following two lines to syslog:
Feb 12 13:34:08 mymachine snort: database: mysql_error: Column 'sig_name' cannot be null SQL=INSERT INTO signature (sig_name,sig_class_id,sig_priority,sig_rev,sig_sid) VALUES ('ORACLE select like '%' attempt',2,3,3,1677)
Feb 12 13:34:08 mymachine snort: database: Problem inserting a new signature 'ORACLE select like '%' attempt'
The reason is that the single quotes in the rule MSG
ORACLE select like '%' attempt
terminate the SQL command too soon.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt"; flow:to_server,established; content:" where "; nocase; content:" like '%'"; nocase; classtype:protocol-command-decode; sid:1677; rev:3;)
1. Modify all rules that might trigger this behaviour immediately
2. Let the rules parser detect this kind of malformed rules at startup
I'm running snort v1.9.0 on FreeBSD 4.7 (i386).
Mysql and snmp support have been built in.
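The failure quoted in the syslog lines above, reproduced as an added example (not code from the original post or from Snort itself; sqlite3 stands in for MySQL, and the table, column names and rule text are constructed to match the INSERT shown). Splicing the msg into the SQL text turns the middle of the literal into the expression 'ORACLE select like ' % ' attempt', which both MySQL and SQLite evaluate as 0 % 0, i.e. NULL, so the server complains that sig_name cannot be null rather than raising a syntax error. The same msg goes in cleanly once it is bound as a parameter. A small lint in the spirit of suggestion 2 lists rules whose msg contains a single quote so they can be caught before the database plugin sees them.

```python
import re
import sqlite3

# Constructed stand-in for the Snort/ACID "signature" table; MySQL's column
# names from the quoted INSERT are kept, the NOT NULL on sig_name reproduces
# the "Column 'sig_name' cannot be null" failure.
SCHEMA = """
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name     TEXT    NOT NULL,
    sig_class_id INTEGER,
    sig_priority INTEGER,
    sig_rev      INTEGER,
    sig_sid      INTEGER
);
"""

COLUMNS = "sig_name,sig_class_id,sig_priority,sig_rev,sig_sid"


def naive_insert(conn, msg, class_id, priority, rev, sid):
    """Splice the rule msg into the SQL text verbatim, as the syslog line shows.

    With msg = "ORACLE select like '%' attempt" the statement becomes
    VALUES ('ORACLE select like '%' attempt',2,3,3,1677): the quote in the msg
    closes the literal early and the rest parses as an arithmetic expression.
    """
    sql = (f"INSERT INTO signature ({COLUMNS}) "
           f"VALUES ('{msg}',{class_id},{priority},{rev},{sid})")
    conn.execute(sql)


def safe_insert(conn, msg, class_id, priority, rev, sid):
    """Bind msg as a parameter so quotes inside it are data, not SQL syntax."""
    conn.execute(f"INSERT INTO signature ({COLUMNS}) VALUES (?,?,?,?,?)",
                 (msg, class_id, priority, rev, sid))


def demo(msg="ORACLE select like '%' attempt", sid=1677):
    """Run both inserts against an in-memory table and report what happened."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    outcome = {}
    try:
        naive_insert(conn, msg, 2, 3, 3, sid)
        outcome["naive"] = "inserted"
    except sqlite3.Error as exc:          # NOT NULL constraint failed: signature.sig_name
        outcome["naive"] = f"error: {exc}"
    safe_insert(conn, msg, 2, 3, 3, sid)
    outcome["safe"] = conn.execute(
        "SELECT sig_name, sig_sid FROM signature WHERE sig_sid = ?", (sid,)).fetchone()
    conn.close()
    return outcome


# Startup lint along the lines of suggestion 2: report every rule whose msg
# carries a single quote. Regexes are deliberately simple (hypothetical
# helper, not Snort's rule parser).
MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r'\bsid:(\d+)')


def find_quoted_msgs(rules_text):
    hits = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m, s = MSG_RE.search(line), SID_RE.search(line)
        if m and s and "'" in m.group(1):
            hits.append((int(s.group(1)), m.group(1)))
    return hits


# Constructed rules file: the rule from the post plus one harmless rule.
SAMPLE_RULES = """
# constructed sample, not a real rules file
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt"; flow:to_server,established; content:" where "; nocase; content:" like '%'"; nocase; classtype:protocol-command-decode; sid:1677; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE harmless example"; flow:to_server,established; content:" where "; nocase; classtype:protocol-command-decode; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    print(demo())
    for sid, msg in find_quoted_msgs(SAMPLE_RULES):
        print(f"sid {sid}: msg contains a single quote: {msg!r}")
```

The durable fix is on the output side (parameter binding, or escaping the msg with the client library's routine, for MySQL's C API that is mysql_real_escape_string) rather than rewriting every rule that happens to contain a quote; the lint is only a stopgap for the rules-side workaround in suggestion 1.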