[Snort-users] [ACID] - trying to keep up

rdanyliw at ...1925...
Mon Jun 25 11:32:41 EDT 2001


> I am using latest acid from CVS and latest contrib/create_mysql from CVS.
> mysql  Ver 9.38
> PHP Version 4.0.5 
> 
> error #1
> Creating database:
> bash# mysql snort< create_mysql
> ERROR 1121 at line 34: Column 'sig_class_id' is used with UNIQUE or INDEX
> but is not defined as NOT NULL
> 
> The above error goes away if I append "NOT NULL" to line 36, but is this
> right?

As I recollect, older versions of MySQL had problems with creating INDEXes on
"NOT NULL" fields.  In this case, I would remove the index which caused the error
instead of making the field "NOT NULL".  This change could potentially cause 
problems when logging from Snort with an alert which had no classification.  

> Using acid after the above change.
> I don't know if it makes a difference to the sid/cid stuff but I am
> populating my database from a pcap-style dump file captured via iptables
> QUEUE. This means the sid reads:
> [reading from a file]

Let's confirm a couple of things:
- So you are logging to the Snort-style database from iptables.
- What does "This means the sid reads: [reading from a file]" mean?  The fields
"event.sid" and "sensor.sid" are text strings?  "event.sid" and "event.cid" need
to be numeric.

> When I try to click on and use acid_stat_ipaddr.php:
> Database ERROR:You have an error in your SQL syntax near 'ON
> (event.sid=iphdr.sid AND event.cid=iphdr.cid) WHERE ( (ip_src=1079064628)
> OR ' at line 1

This error might be related to your previous comment.  Turn on debug mode
(i.e. set the $debug_mode variable to 1 in acid_conf.php).  What is the
full SQL statement which you are trying to execute?

Roman

