[Snort-users] Re: some weird stuff going on with acid?

roman at ...438... roman at ...438...
Wed Apr 4 09:35:40 EDT 2001


The problem below, related to being unable to search by signature,
is purely a PostgreSQL issue; a result of an incorrect DDL script.
MySQL database users should not be seeing this problem (am
I correct?).  In reference to making this change on an active
database, it may be possible with an ALTER COLUMN command,
but this is pure speculation.

cheers,
Roman

> Roman,
> 
> Can this change be applied to an active database?  (I *really* need to learn
> more MySQL commands and stop pestering you guys!)  Thanks.
> 
> Frank
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of
> roman at ...438...
> Sent: Tuesday, April 03, 2001 10:26
> To: Roeland Weve; roman at ...438...; snort-users at lists.sourceforge.net
> Cc: jed at ...153...
> Subject: [Snort-users] Re: some weird stuff going on with acid?
> 
> 
> Roeland,
> 
> > when I am searching for an exact rule, I get the following error message
> > Database ERROR:You have an error in your SQL syntax near 'x86 stealth
> > noop' at line 1
> 
> This turns out to be a problem with the 'create_postgresql' script.
>   I mistakenly left the field "event.signature" defined as "TEXT"
> when it should be INT.  Hence, the error message to use an
> explicit cast.  ACID will now catch this error and properly cast,
> however, upgrading the database is highly recommended for
> performance reasons.  Check-out of CVS again.
> 
> To those with CVS write for Snort: please commit these patches to
> "contrib/create_*" scripts
> 
> contrib/create_postgresql
> ====================
> 24c24
> < INSERT INTO schema  (vseq, ctime) VALUES ('101', now());
> ---
> > INSERT INTO schema  (vseq, ctime) VALUES ('100', now());
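Review bot: The two sides at 24c24 look swapped: in normal diff output '<' is the file being changed and '>' is the result, so as posted this moves vseq from '101' back to '100'. Regenerate the diff with the old script first, or state that it has to be applied with patch -R; the other hunks in this message have the same orientation.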
> 46c46
> <                       signature   INT4 NOT NULL,
> ---
> >                       signature   TEXT NOT NULL,
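Review bot: Changing signature to INT4 at line 46 of the create script only fixes databases built from scratch; nothing in this patch converts the column on an install that already has it as TEXT, and such an install still records vseq 100. Ship an upgrade statement for existing databases alongside this change, or document that they must be recreated.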
> ====================
> 
> contrib/create_mysql
> ====================
> 24c24
> < INSERT INTO schema  (vseq, ctime) VALUES ('101', now());
> ---
> > INSERT INTO schema  (vseq, ctime) VALUES ('100', now());
> ====================
> 
> contrib/create_oracle
> ====================
> 37c37
> < INSERT INTO schema  (vseq, ctime) VALUES ('101', now());
> ---
> > INSERT INTO schema  (vseq, ctime) VALUES ('100', now());
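Review bot: Line 37 of create_oracle calls now() on both sides of the change, and now() is not a built-in Oracle function (the current date there is SYSDATE), so unless the script defines now() elsewhere this INSERT will fail. Switch it to SYSDATE while the line is being touched.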
> ====================
> 
> > But if I click previous, to view 0-(1-1374) again, it won't work.
> > The button 'previous' says 0-(1-1373), so I click previous, but I view
> > the same. I can't go back.
> 
> Indeed, this is an internal off-by-one error.  The fix is in CVS.
> 
> cheers,
> Roman
> 
> 
> > I am running the latest acid from cvs
> >
> > when I am searching for an exact rule, I get the following error message
> > Database ERROR:You have an error in your SQL syntax near 'x86 stealth
> > noop' at line 1
> >
> >
> > Another weird thing:
> > When I am in acid_pkt_main.php and click on an ID of a rule (eg
> > 0-(1-1374)),
> >
> >  #0-(1-1374)  [arachNIDS] EXPLOIT x86 NOOP 2001-03-27 15:31:59
> > xxx.xxx.xxx.171 xxx.xx.xxx.77  TCP
> >  #1-(1-1373)  [arachNIDS] EXPLOIT x86 NOOP 2001-03-27 15:31:59
> > xxx.xxx.xxx.171 xxx.xx.xxx.77  TCP
> >
> > I get a nice view of the package.
> > If there are more packets and want to view the next (0-(1-1373)), it
> > works too...
> > But if I click previous, to view 0-(1-1374) again, it won't work.
> > The button 'previous' says 0-(1-1373), so I click previous, but I view
> > the same. I can't go back.
> >
> >
> > Roeland
> >
> 
> 
> 
> ---------------------------------------------
> This message was sent using Voicenet WebMail.
>       http://www.voicenet.com/webmail/