[Snort-sigs] BUG! Rule 1677 triggers a bug when logging to mysql

Martin Olsson elof at ...1288...
Wed Feb 12 05:13:05 EST 2003

Rule 1677 (and others?) makes snort log the following two lines to syslog:

Feb 12 13:34:08 mymachine snort: database: mysql_error: Column 'sig_name' cannot be null SQL=INSERT INTO signature (sig_name,sig_class_id,sig_priority,sig_rev,sig_sid) VALUES ('ORACLE select like '%' attempt',2,3,3,1677)
Feb 12 13:34:08 mymachine snort: database: Problem inserting a new signature 'ORACLE select like '%' attempt'

The reason is that the single quotes in the rule-MSG
  ORACLE select like '%' attempt
terminates the SQL-command too soon.

Rule 1677:
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS
$ORACLE_PORTS (msg:"ORACLE select like '%' attempt";
flow:to_server,established; content:" where "; nocase; content:" like
'%'"; nocase; classtype:protocol-command-decode; sid:1677; rev:3;)

Recommended actions:
1. Modify all rules that might trigger this behavoiur immediately
2. Let the rules parser detect this kind of malformed rules at startup

I'm running snort v1.9.0 on FreeBSD 4.7 (i386).
Mysql and snmp support have been built in.


More information about the Snort-sigs mailing list