[Snort-users] snort+acid and URL references problem

roman at ...438... roman at ...438...
Fri Oct 12 11:00:08 EDT 2001


Upgrade to database schema v104 and ACID 0.9.6b16

Roman

On Fri, 12 Oct 2001, Michael Scheidell wrote:

> Database ERROR:You have an error in your SQL syntax near '' at line 1
> 
> Given the following:
> 
> snort rule with reference
> (the misc-web nimda worm 'readme.eml' attempt)
> 
> reference:url,(well, anything)
> 
> /var/log message gives this error when attempting to log to mysql database
> schema 103:
> 
> Unable to insert the alert reference
> 
> SECOND insert works, but acid still won't display the results.
> 
> sql log shows this sql attempt and any attempt to search for the specific ip
> address gives same error.
> 
> 
> SELECT COUNT(DISTINCT acid_event.sid) FROM acid_event    WHERE
> acid_event.sid > 0 AND (  ( ip_dst=2886747080 )   )
> SELECT COUNT(DISTINCT acid_event.signature) FROM acid_event    WHERE
> acid_event.sid > 0 AND (  ( ip_dst=2886747080 )   )
> SELECT COUNT(acid_event.sid) FROM acid_event    WHERE   acid_event.sid > 0
> AND (  ( ip_dst=2886747080 )   )
> SELECT COUNT(DISTINCT acid_event.ip_src), COUNT(DISTINCT acid_event.ip_dst)
> FROM acid_event    WHERE   acid_event.sid > 0
> AND (  ( ip_dst=2886747080 )   )
> SELECT COUNT(DISTINCT acid_event.layer4_sport),  COUNT(DISTINCT
> acid_event.layer4_dport) FROM acid_event    WHERE
>    acid_event.sid > 0 AND (  ( ip_dst=2886747080 )   )
> SELECT COUNT(DISTINCT acid_event.layer4_sport),  COUNT(DISTINCT
> acid_event.layer4_dport) FROM acid_event    WHERE
>    acid_event.sid > 0 AND (  ( ip_dst=2886747080 )   ) AND ip_proto=6
> SELECT COUNT(DISTINCT acid_event.layer4_sport),  COUNT(DISTINCT
> acid_event.layer4_dport) FROM acid_event    WHERE
>    acid_event.sid > 0 AND (  ( ip_dst=2886747080 )   ) AND ip_proto=17
> SELECT sig_name FROM signature WHERE sig_id=108
> SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id=108
> SELECT ref_system_id, ref_tag FROM reference WHERE ref_id=0
> SELECT ref_system_name FROM reference_system WHERE ref_system_id=
> 
> --
> 
> Michael Scheidell
> Florida Datamation, Inc.
> scheidell at ...3799... 1+(561) 368-9561
> Internet Security and Consulting
> See updated IT Security News at http://www.fdma.com/
> After system Compromise : http://www.cert.org/tech_tips/
> 
> 
> 









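An added illustration (not from the original thread, and not ACID's code) of how a lookup chain like the one in the quoted query log can end in `WHERE ref_system_id=`. It assumes the `ref_id=0` lookup returned no row and the empty result was concatenated into the next query. The table contents and the functions `make_db`, `refs_unguarded`, `refs_guarded` and `unguarded_fails` are constructed for the example, with Python's sqlite3 standing in for MySQL.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the three tables named in the query log."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sig_reference (sig_id INT, ref_seq INT, ref_id INT);
        CREATE TABLE reference (ref_id INT, ref_system_id INT, ref_tag TEXT);
        CREATE TABLE reference_system (ref_system_id INT, ref_system_name TEXT);
        -- constructed rows: sig 108 points at ref_id 0, which has no reference row
        INSERT INTO sig_reference VALUES (108, 1, 0);
        INSERT INTO sig_reference VALUES (109, 1, 7);
        INSERT INTO reference VALUES (7, 3, 'example.invalid/advisory');
        INSERT INTO reference_system VALUES (3, 'url');
    """)
    return db

def refs_unguarded(db, sig_id):
    """Mirrors the logged chain: each result is pasted into the next query."""
    out = []
    for _seq, ref_id in db.execute(f"SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id={sig_id}"):
        row = db.execute(f"SELECT ref_system_id, ref_tag FROM reference WHERE ref_id={ref_id}").fetchone()
        sys_id, tag = row if row else ("", "")  # assumed failure: missing row becomes ""
        name = db.execute(f"SELECT ref_system_name FROM reference_system WHERE ref_system_id={sys_id}").fetchone()
        out.append((name[0], tag))
    return out

def refs_guarded(db, sig_id):
    """Bound parameters plus an explicit check for the dangling ref_id."""
    out, dangling = [], []
    for _seq, ref_id in db.execute("SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id=?", (sig_id,)):
        row = db.execute("SELECT ref_system_id, ref_tag FROM reference WHERE ref_id=?", (ref_id,)).fetchone()
        if row is None:
            dangling.append(ref_id)  # report it instead of building a broken query
            continue
        name = db.execute("SELECT ref_system_name FROM reference_system WHERE ref_system_id=?", (row[0],)).fetchone()
        out.append((name[0] if name else None, row[1]))
    return out, dangling

def unguarded_fails(db, sig_id):
    """True when the concatenated chain produces a SQL syntax error."""
    try:
        refs_unguarded(db, sig_id)
    except sqlite3.OperationalError:
        return True
    return False
```

The list of dangling `ref_id` values returned by `refs_guarded` identifies the signature rows whose reference insert did not complete.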