[Snort-users] Email using mysql

Steve Halligan agent33 at ...187...
Mon May 7 14:11:57 EDT 2001


This was fixed.
If you want to implement the database abstraction stuff, go to
www.andrew.cmu.edu/`rdanyliw/snort/snortacid.html and grab the lastest acid
release.

If you want to keep essentially the same acid you are using now download the
0.9.6b1 release, it fixes this bug.

-steve
-----Original Message-----
From: Michael Aylor [mailto:maylor at ...1991...]
Sent: Monday, May 07, 2001 12:19 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Email using mysql


Hello, I'm having a problem with ACID sending an email of selected alerts.
The order of events I do to generate the error are as follows.
1.  Launch web browser (IE 5.01) and pull up the acid_main.php page (hosted
on Apache server version 1.3.19-5). 
2.  Pull up a set of alerts I'm interested.  At the bottom of the page, I
use the drop down box to select "Email Alerts(s)" and in the corresponding
field, I type the email address I want to send it to.
3.  The webpage is refreshed, but with error messages. 
Warning: 1 is not a valid MySQL-Link resource in
/home/httpd/html/acid/acid_pkt_sqlcalls.php on line 83 
Warning: Supplied argument is not a valid MySQL result resource in
/home/httpd/html/acid/acid_pkt_sqlcalls.php on line 129
Warning: 1 is not a valid MySQL-Link resource in
/home/httpd/html/acid/acid_pkt_main.php on line 507 
However, I do get an email message sitting in my inbox, but it has no query
data on it.  All it says is 
 
Bottom of Form 0
ACID v0.9.5 ( by Roman Danyliw <mailto:roman at ...438...> as part of the
AirCERT <http://www.cert.org/kb/aircert/> project )   

I set acid to debug mode=1 in the acid_conf.php page and it spit out a whole
bunch of stuff, the most interesting to me was the actual sql query it ran
against the snort database.  I'll include that here.
SQL: SELECT event.sid, event.cid, signature, timestamp, ip_src0, ip_src1,
ip_src2, ip_src3, ip_dst0, ip_dst1, ip_dst2, ip_dst3, ip_proto FROM event
LEFT JOIN iphdr ON event.sid=iphdr.sid AND event.cid=iphdr.cid WHERE
event.cid > 0 AND signature='BIND Shell' 
Just as a part of troubleshooting, I went ahead and used a mysql client to
enter that query in and it returned the expected data with no errors, so I
know the query is good.
I'm using  MySQL version 3.23.36-1.  Not sure what the problem is, but maybe
someone can help me. 



Mike Aylor 
maylor at ...1991... 


CONFIDENTIALITY NOTICE:

************************************************************************

The information contained in this ELECTRONIC MAIL transmission
is confidential. It may also be privileged work product or proprietary
information. This information is intended for the exclusive use of the
addressee(s). If you are not the intended recipient, you are hereby
notified that any use, disclosure, dissemination, distribution [other
than to the addressee(s)], copying or taking of any action because
of this information is strictly prohibited.

************************************************************************




More information about the Snort-users mailing list