[Snort-users] Problem with mysql + 1.6.3

Jed Pickel jed at ...153...
Thu Jul 27 11:01:55 EDT 2000


> I am getting an error with the following configuration line 
> 
> "output log_database: mysql, dbname=snort host=localhost user=root"
> 
> [root at ...170... /root]# snort  -i eth0  -c 07122kany.rules 
...
> log_database: Database type is mysql
> log_database: Database name is snort
> log_database: Host set to localhost
> log_database: User set to root
> Problem obtaining SENSOR ID (sid) from mysql->snort->event

Hey Jason,

This error message is very misleading (and fixed in the development
version). This error message occurs after three things happen:

  1) The database plugin checks the sensor table to see if there
     is an entry containing the current HOSTNAME (environment
     variable), interface (eth0 in your case), and filter (NULL in
     your case). If found, the sensor id "sid" is returned.

  2) If the "sid" is not found for that combination, the plugin 
     attempts to INSERT a row containing that data into the 
     sensor table. If this INSERT is successful, that row will
     automatically be assigned a "sid" by mysql.

  3) The plugin then does a SELECT on the sensor table just as 
     in step #1 to get the "sid". If the "sid" is 0 then the user
     (root in your case) either does not have the privileges to SELECT
     from the sensor table or privileges to INSERT into the sensor
     table.
      
The error message is misleading in part because it should read
"Problem obtaining SENSOR ID (sid) from mysql->snort->sensor".
That is a typo in the code that I am aware of and have fixed
in the development version.

Also, the database plugin up until the 1.6.3 release has some
portability problems with some configurations of some operating
systems. I have reports of the plugin working successfully on various
flavors of Linux, Solaris, FreeBSD, and OpenBSD. Nevertheless, up to
release 1.6.3, the plugin depends on the existence of the "HOSTNAME"
environment variable, which is not ubiquitous across operating systems
and shells. If your user does not have this environment variable, that
could also be what is causing your problem. You could test by ensuring
that there is some value for the "HOSTNAME" environment variable. Note
that this issue is fixed in the version that is in CVS.

Let me know how it goes.

* Jed
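
Added example, not part of the message above or of the Snort source: a sketch of the three-step sensor lookup the reply describes, using SQLite's authorizer hook as a stand-in for missing MySQL privileges so that each failure reports its actual cause. The column names, the helpers `make_db`, `lookup_sid` and `get_sensor_id`, and the reason strings are assumptions.

```python
import os
import sqlite3

# Assumed column names for the sensor table; SQLite stands in for MySQL here.
SCHEMA = ("CREATE TABLE sensor (sid INTEGER PRIMARY KEY, "
          "hostname TEXT, interface TEXT, filter TEXT)")
LOOKUP = ("SELECT sid FROM sensor WHERE hostname = ? AND interface = ? "
          "AND filter IS ?")  # IS gives a NULL-safe match for an unset filter
INSERT = "INSERT INTO sensor (hostname, interface, filter) VALUES (?, ?, ?)"

def make_db(deny=()):
    """In-memory database; `deny` names actions ('select', 'insert') refused
    on the sensor table, imitating a user who lacks that privilege."""
    codes = {"select": sqlite3.SQLITE_READ, "insert": sqlite3.SQLITE_INSERT}
    denied = {codes[name] for name in deny}
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    def authorizer(action, arg1, arg2, dbname, source):
        refuse = action in denied and arg1 == "sensor"
        return sqlite3.SQLITE_DENY if refuse else sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)
    return conn

def lookup_sid(conn, key):
    """Return (sid, select_allowed); sid is 0 when no row could be read."""
    try:
        row = conn.execute(LOOKUP, key).fetchone()
    except sqlite3.Error:
        return 0, False
    return (row[0] if row else 0), True

def get_sensor_id(conn, interface, filter_=None, env=os.environ):
    """Run the three steps; return (sid, reason), sid 0 meaning failure."""
    hostname = env.get("HOSTNAME")
    if not hostname:  # added check: report the missing variable directly
        return 0, "HOSTNAME environment variable is not set"
    key = (hostname, interface, filter_)
    sid, _ = lookup_sid(conn, key)              # step 1: SELECT
    if sid:
        return sid, "existing sensor row"
    try:
        conn.execute(INSERT, key)               # step 2: INSERT
    except sqlite3.Error:
        pass  # keep going: the lookup in step 3 decides the outcome
    sid, can_select = lookup_sid(conn, key)     # step 3: SELECT again
    if sid:
        return sid, "new sensor row"
    if not can_select:
        return 0, "no SELECT privilege on sensor table"
    return 0, "no INSERT privilege on sensor table"
```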



