[Snort-users] ACID v0.96b17 and postgres query problems

roman at ...438... roman at ...438...
Tue Nov 13 06:18:02 EST 2001


I tried to reproduce this problem with no success using the following 

- PostgreSQL v7.1
- ACID v0.9.6b17-18 
- Snort DB schema v104

I duplicated your actions by taking the following steps from the main 

- clicked on TCP from the Traffic Profile graph
- clicked on Destination (or Source) address in the Summary Stats

However, no errors were produced in the Unique IP address listing.

Try turning on the sql trace log ($sql_trace_mode, $sql_trace_file) in 
acid_conf.php and send me the output.


---------- Forwarded message ----------
Date: Sun, 04 Nov 2001 22:36:26 -0800
From: Mark W. Davis <mwd at ...497...>
To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
Subject: [Snort-users] ACID v0.96b17 and postgres query problems

When selecting a SOURCE or DESTINATION address in the Unique
Addresses section of the 'Summary Statistics' box this error
occurs(It also occurs in many other places as well):

Syslog error:
postgres[2416]: [2] ERROR:  For SELECT DISTINCT, ORDER BY expressions must appear in
target list

Debug output:
Session Registered
History depth = 3
CRITERIA ERROR: unknown address type -- assuming Dst address

Checking for DB abstraction lib in '/apache/htdocs/adodb/adodb.inc.php'
sensor #1: event.cid = 2699, acid_event.cid = 2699
Added 0 alert(s) to the Alert cache

Valid Canned Query List 

    [most_frequent] => Array
            [0] => 15
            [1] => Most Frequent IP addresses
            [2] => occur_d


Query State
caller = ''
num_result_rows = '4'
sort_order = ''
current_view = '0'
action_arg = ''
action = ''
SELECT DISTINCT ip_dst, COUNT(acid_event.cid) as num_events, 
COUNT( DISTINCT acid_event.sid) as num_sensors, COUNT(DISTINCT signature ) 
as num_sig, COUNT( DISTINCT ip_dst ) as num_dip FROM acid_event 
WHERE acid_event.sid > 0 AND ip_proto= 6 GROUP BY ip_dst 

URL: '/acid/acid_stat_uaddr.php' (referred by:
         PARAMETERS: 'addr_type=1'
         CLIENT: Mozilla/4.76 [en] (X11; U; Linux 2.2.18 i686)
         SERVER: Apache/1.3.20 (Unix) mod_perl/1.26 mod_ssl/2.8.4 
         SERVER HW: Linux xxx.domain.com 2.2.19 #1 Fri Mar 9 12:09:12 PST 2001 i686
         PHP VERSION: 4.0.6  PHP API: apache
         SESSION ID: aceb4d279c0b08272e66f1
I am running snort 1.8.1-release logging to postgres 1.7mumble. 
Mark W. Davis

This message was sent using Voicenet WebMail.

More information about the Snort-users mailing list