[Snort-users] Re: some weird stuff going on with acid?

roman at ...438... roman at ...438...
Tue Apr 3 14:25:38 EDT 2001


Roeland,

> when I am searching for an exact rule, I get the following error message
> Database ERROR:You have an error in your SQL syntax near 'x86 stealth
> noop' at line 1

This turns out to be a problem with the 'create_postgresql' script.
I mistakenly left the field "event.signature" defined as "TEXT"
when it should be INT.  Hence, the error message to use an
explicit cast.  ACID will now catch this error and properly cast;
however, upgrading the database is highly recommended for
performance reasons.  Check out of CVS again.

To those with CVS write access for Snort: please commit these patches to the
"contrib/create_*" scripts

contrib/create_postgresql
====================
24c24
< INSERT INTO schema  (vseq, ctime) VALUES ('101', now());
---
> INSERT INTO schema  (vseq, ctime) VALUES ('100', now());
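
Review bot: The direction of this diff looks reversed in 24c24: the `<` side carries '101' and the `>` side '100', so read as old-to-new it lowers the schema version, and the same orientation holds for 46c46 below. Regenerate it as old-then-new, or state that it must be applied in reverse, so a committer does not put the 100/TEXT state back into the script.
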
46c46
<                       signature   INT4 NOT NULL, 
---
>                       signature   TEXT NOT NULL, 
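
Review bot: Missing upgrade path for the `signature` column change in 46c46: the hunk only touches the CREATE TABLE definition, so databases already created with `signature TEXT NOT NULL` keep that type and their `schema` row at vseq 100. Since the message recommends upgrading the database, ship a migration script or documented conversion steps alongside this, keyed on vseq 100, so existing installs end up at INT4 and 101 without being rebuilt from scratch.
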
====================

contrib/create_mysql
====================
24c24
< INSERT INTO schema  (vseq, ctime) VALUES ('101', now());       
---
> INSERT INTO schema  (vseq, ctime) VALUES ('100', now());   
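
Review bot: Undocumented version bump in 24c24: vseq goes between '100' and '101' with no accompanying column change in this file, so nothing in create_mysql records why the schema version moved. Add a comment next to the INSERT saying 101 is kept in step with the PostgreSQL `signature` fix, and drop the trailing whitespace on both INSERT lines while there.
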
====================

contrib/create_oracle
====================
37c37
< INSERT INTO schema  (vseq, ctime) VALUES ('101', now());       
---
> INSERT INTO schema  (vseq, ctime) VALUES ('100', now());  
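
Review bot: `now()` appears on both sides of 37c37 in the Oracle script, and Oracle has no built-in function of that name (it provides SYSDATE and CURRENT_TIMESTAMP), so this INSERT should be checked against a real Oracle instance before the bump is committed. If it fails, replace `now()` with `SYSDATE` in the same change; as in the MySQL hunk, a comment explaining the move to 101 would help.
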
====================

> But if I click previous, to view 0-(1-1374) again, it won't work.
> The button 'previous' says 0-(1-1373), so I click previous, but I view
> the same. I can't go back.

Indeed, this is an internal off-by-one error.  The fix is in CVS. 

cheers,
Roman


> I am running the latest acid from cvs
> 
> when I am searching for an exact rule, I get the following error message
> Database ERROR:You have an error in your SQL syntax near 'x86 stealth
> noop' at line 1
> 
> 
> Another weird thing:
> When I am in acid_pkt_main.php and click on an ID of a rule (eg
> 0-(1-1374)), 
> 
>  #0-(1-1374)  [arachNIDS] EXPLOIT x86 NOOP 2001-03-27 15:31:59
> xxx.xxx.xxx.171 xxx.xx.xxx.77  TCP
>  #1-(1-1373)  [arachNIDS] EXPLOIT x86 NOOP 2001-03-27 15:31:59
> xxx.xxx.xxx.171 xxx.xx.xxx.77  TCP
> 
> I get a nice view of the package.
> If there are more packets and want to view the next (0-(1-1373)), it
> works too...
> But if I click previous, to view 0-(1-1374) again, it won't work.
> The button 'previous' says 0-(1-1373), so I click previous, but I view
> the same. I can't go back.
> 
> 
> Roeland
> 


