[Snort-users] Problem with mysql + 1.6.3
jed at ...153...
Thu Jul 27 11:01:55 EDT 2000
> I am getting an error with the following configuration line
> "output log_database: mysql, dbname=snort host=localhost user=root"
> [root at ...170... /root]# snort -i eth0 -c 07122kany.rules
> log_database: Database type is mysql
> log_database: Database name is snort
> log_database: Host set to localhost
> log_database: User set to root
> Problem obtaining SENSOR ID (sid) from mysql->snort->event
This error message is very misleading (and fixed in the development
version). This error message occurs after three things happen:
1) The database plugin checks the sensor table to see if there
is an entry containing the current HOSTNAME (environment
variable), interface (eth0 in your case), and filter (NULL in
your case). If found the sensor id "sid" is returned.
2) If the "sid" is not found for that combination the plugin
attempts to INSERT a row containing that data into the
sensor table. If this INSERT is successful, that row will
automatically be assigned a "sid" by mysql.
3) The plugin then does a SELECT on the sensor table just as
in step #1 to get the "sid". If the "sid" is 0 then the user
(root in your case) either does not have the privileges to SELECT
from the sensor table or privileges to INSERT into the sensor
The error message is misleading in part because it should read
"Problem obtaining SENSOR ID (sid) from mysql->snort->sensor".
That is a typo in the code that I am aware of and have fixed
in the development version.
Also, the database plugin up until the 1.6.3 release has some
portability problems with some configurations of some operating
systems. I have reports of the plugin working successfully on various
flavors of Linux, Solaris, Freebsd, and Openbsd. Nevertheless, up to
release 1.6.3, the plugin depends on the existence of the "HOSTNAME"
environment variable which is not ubiquitous across operating systems
and shells. If your user does not have this environment variable that
could also be what is causing your problem. You could test by ensuring
that there is some value for the "HOSTNAME" environment variable. Note
that this issue is fixed in the version that is in CVS.
Let me know how it goes.
More information about the Snort-users