[Snort-users] snort+acid and URL references problem

Michael Scheidell scheidell at ...3799...
Fri Oct 12 08:51:20 EDT 2001


Database ERROR:You have an error in your SQL syntax near '' at line 1

Given the following:

snort rule with reference
(the misc-web nimda worm 'readme.eml' attempt)

reference:url,(well, anything)

/var/log message gives this error when attempting to log to mysql database
schema 103:

Unable to insert the alert reference

SECOND insert works, but acid still won't display the results.

sql log shows this sql attempt, and any attempt to search for the specific ip
address gives the same error.


SELECT COUNT(DISTINCT acid_event.sid) FROM acid_event    WHERE
acid_event.sid > 0 AND (  ( ip_dst=2886747080 )   )
SELECT COUNT(DISTINCT acid_event.signature) FROM acid_event    WHERE
acid_event.sid > 0 AND (  ( ip_dst=2886747080 )   )
SELECT COUNT(acid_event.sid) FROM acid_event    WHERE   acid_event.sid > 0
AND (  ( ip_dst=2886747080 )   )
SELECT COUNT(DISTINCT acid_event.ip_src), COUNT(DISTINCT acid_event.ip_dst)
FROM acid_event    WHERE   acid_event.sid > 0
AND (  ( ip_dst=2886747080 )   )
SELECT COUNT(DISTINCT acid_event.layer4_sport),  COUNT(DISTINCT
acid_event.layer4_dport) FROM acid_event    WHERE
   acid_event.sid > 0 AND (  ( ip_dst=2886747080 )   )
SELECT COUNT(DISTINCT acid_event.layer4_sport),  COUNT(DISTINCT
acid_event.layer4_dport) FROM acid_event    WHERE
   acid_event.sid > 0 AND (  ( ip_dst=2886747080 )   ) AND ip_proto=6
SELECT COUNT(DISTINCT acid_event.layer4_sport),  COUNT(DISTINCT
acid_event.layer4_dport) FROM acid_event    WHERE
   acid_event.sid > 0 AND (  ( ip_dst=2886747080 )   ) AND ip_proto=17
SELECT sig_name FROM signature WHERE sig_id=108
SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id=108
SELECT ref_system_id, ref_tag FROM reference WHERE ref_id=0
SELECT ref_system_name FROM reference_system WHERE ref_system_id=

--

Michael Scheidell
Florida Datamation, Inc.
scheidell at ...3799... 1+(561) 368-9561
Internet Security and Consulting
See updated IT Security News at http://www.fdma.com/
After system Compromise : http://www.cert.org/tech_tips/
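The last four statements in the SQL log above show the failure mode: the reference row was never inserted, sig_reference carries ref_id=0, the lookup in `reference` returns no row, and the empty result is pasted straight into the next statement, which ends in `ref_system_id=` and is rejected by the server as a syntax error. The following is an added example written for this archive page, not code from the poster, from Snort or from ACID. It rebuilds the four tables in an in-memory sqlite3 database (MySQL is replaced by sqlite3 so it runs offline; the column names come from the SQL log, the table contents are constructed, and the URL tag is a placeholder), reproduces the interpolated query chain, shows the same chain with bound parameters and an explicit missing-row check, and adds a consistency query that lists dangling sig_reference rows.

```python
import sqlite3

# Constructed stand-in for the ACID/Snort schema-103 tables named in the log.
# Column names are taken from the logged statements; types and keys are assumed.
SCHEMA = """
CREATE TABLE signature        (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE sig_reference    (sig_id INTEGER, ref_seq INTEGER, ref_id INTEGER);
CREATE TABLE reference        (ref_id INTEGER PRIMARY KEY, ref_system_id INTEGER, ref_tag TEXT);
CREATE TABLE reference_system (ref_system_id INTEGER PRIMARY KEY, ref_system_name TEXT);
"""


def build_db(reference_insert_failed=True):
    """Return a connection in the state the report describes (constructed data).

    With reference_insert_failed=True the signature and its sig_reference row
    exist but the reference row does not, so sig_reference.ref_id is 0 and
    points at nothing.  With False the reference row is present as it should be.
    """
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO reference_system VALUES (1, 'url')")
    con.execute("INSERT INTO signature VALUES (108, 'WEB-MISC readme.eml attempt')")
    if reference_insert_failed:
        con.execute("INSERT INTO sig_reference VALUES (108, 1, 0)")
    else:
        # placeholder tag; the real rule can carry any URL
        con.execute("INSERT INTO reference VALUES (1, 1, 'www.example.invalid/nimda')")
        con.execute("INSERT INTO sig_reference VALUES (108, 1, 1)")
    con.commit()
    return con


def _first_value(con, sql):
    """Fetch one column of one row; '' when no row matched (what a lax caller sees)."""
    row = con.execute(sql).fetchone()
    return "" if row is None else row[0]


def lookup_reference_naive(con, sig_id):
    """Reproduce the logged query chain by string interpolation (no parameter binding).

    Each result is pasted into the next statement without checking that a row
    came back.  When reference has no row for ref_id, ref_system_id becomes ''
    and the final statement ends in 'ref_system_id=' exactly as in the log.
    """
    names = []
    refs = con.execute(
        f"SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id={sig_id}").fetchall()
    for _ref_seq, ref_id in refs:
        ref_system_id = _first_value(
            con, f"SELECT ref_system_id FROM reference WHERE ref_id={ref_id}")
        names.append(_first_value(
            con, f"SELECT ref_system_name FROM reference_system WHERE ref_system_id={ref_system_id}"))
    return names


def naive_lookup_error(con, sig_id):
    """Return the database error text raised by the naive chain, or None if it ran clean."""
    try:
        lookup_reference_naive(con, sig_id)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def lookup_reference_safe(con, sig_id):
    """Same lookup with bound parameters and an explicit check for a missing reference row.

    Returns a list of (ref_seq, ref_system_name, ref_tag); a dangling ref_id
    yields (ref_seq, None, None) instead of a broken statement.
    """
    out = []
    refs = con.execute(
        "SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id=? ORDER BY ref_seq",
        (sig_id,)).fetchall()
    for ref_seq, ref_id in refs:
        ref = con.execute(
            "SELECT ref_system_id, ref_tag FROM reference WHERE ref_id=?", (ref_id,)).fetchone()
        if ref is None:
            out.append((ref_seq, None, None))
            continue
        sysrow = con.execute(
            "SELECT ref_system_name FROM reference_system WHERE ref_system_id=?",
            (ref[0],)).fetchone()
        out.append((ref_seq, sysrow[0] if sysrow else None, ref[1]))
    return out


def dangling_references(con):
    """Consistency check for the alert database: sig_reference rows whose ref_id
    has no matching row in reference (the state behind 'ref_id=0' in the log)."""
    return con.execute("""
        SELECT sr.sig_id, sr.ref_seq, sr.ref_id
          FROM sig_reference sr
          LEFT JOIN reference r ON r.ref_id = sr.ref_id
         WHERE r.ref_id IS NULL
         ORDER BY sr.sig_id, sr.ref_seq""").fetchall()


if __name__ == "__main__":
    broken = build_db()
    print("naive chain:", naive_lookup_error(broken, 108))
    print("safe chain: ", lookup_reference_safe(broken, 108))
    print("dangling:   ", dangling_references(broken))
```

The `dangling_references` query is the one worth running against the real database once the reference insert starts failing: every row it returns is a signature whose reference display will hit the truncated `ref_system_id=` statement until the missing reference row is inserted or the sig_reference row is removed.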