[Snort-users] ACID errors

pbsarnac at ...1799... pbsarnac at ...1799...
Tue Sep 25 14:59:01 EDT 2001


No go; however, when I was poking through my new acid_conf.php, I saw the
debug options (doh! should have looked there first!). I turned on debugging
and sql logging. Here's what pops up. Does it mean anything to anyone? (I
removed the 'Meta Criteria' box and the table headers for fear that my
email server would mangle them outbound. If you feel that they might be
important, let me know and I'll attach a screenshot.)

         URL: '/acid/acid_qry_main.php' (referred by:
'http://sumadre.thoughtworks.com/acid/acid_qry_main.php?new=1')
         PARAMETERS: ''
         CLIENT: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.3)
Gecko/20010801
         SERVER: Apache/1.3.20 (Unix) PHP/4.0.6
         SERVER HW: Linux sumadre.thoughtworks.com 2.4.2-2 #1 Sun Apr 8
20:41:30 EDT 2001 i686 unknown
         DATABASE TYPE: mysql  DB ABSTRACTION VERSION:
         PHP VERSION: 4.0.6  PHP API: apache
         SESSION ID: 78c4723428cf46d757dcef531aba1fee

Checking for DB abstraction lib in '/home/httpd/html/adodb/adodb.inc.php'
sensor #1: event.cid = 19203, acid_event.cid = 19203
sensor #2: event.cid = 230, acid_event.cid = 230
sensor #3: event.cid = 14931, acid_event.cid = 14931
sensor #4: event.cid = 0, acid_event.cid = 0
Added 0 alert(s) to the Alert cache








        new: '1'
        submit: 'Query DB'
        sort_order: ''
        num_result_rows: '-1'  current_view: '-1'
        layer4: ''  caller: ''
        action: ''  action_arg: ''

Initial/Canned Query or Sort Clicked


SQL (save_sql): SELECT acid_event.sid, acid_event.cid, signature,
timestamp, ip_src, ip_dst, ip_proto FROM acid_event WHERE acid_event.sid >
0 AND sig_name LIKE '%WEB-MISC readme.eml attempt%' AND ( ( YEAR(timestamp)
= 2001 AND MONTH(timestamp) = 09 AND DAYOFMONTH(timestamp) = 25 ) )
Valid Canned Query List


Array
(
    [last_tcp] => Array
        (
            [0] => 15
            [1] => Last TCP
            [2] => time_d
        )

    [last_udp] => Array
        (
            [0] => 15
            [1] => Last UDP Alerts
            [2] => time_d
        )

    [last_icmp] => Array
        (
            [0] => 15
            [1] => Last ICMP Alerts
            [2] => time_d
        )

    [last_any] => Array
        (
            [0] => 15
            [1] => Last Alerts
            [2] => time_d
        )

)

Query State
caller = ''
num_result_rows = '1'
sort_order = ''
current_view = '0'
action_arg = ''
action = ''
SELECT acid_event.sid, acid_event.cid, signature, timestamp, ip_src,
ip_dst, ip_proto FROM acid_event WHERE acid_event.sid > 0 AND sig_name LIKE
'%WEB-MISC readme.eml attempt%' AND ( ( YEAR(timestamp) = 2001 AND
MONTH(timestamp) = 09 AND DAYOFMONTH(timestamp) = 25 ) )


                     Displaying alerts 1-1 of 1 total

Database ERROR:You have an error in your SQL syntax near '' at line 1


SELECT ref_system_name FROM reference_system WHERE ref_system_id=








Steve Halligan <agent33 at ...187...>
Sent by: snort-users-admin at ...635...eforge.net
09/25/2001 04:15 PM

To:      "'snort-users at lists.sourceforge.net'" <snort-users at lists.sourceforge.net>
cc:
Subject: RE: [Snort-users] ACID errors




If this is accurate and you are using ACID v0.9.6b1, you should upgrade to
a newer version.  It is up to v0.9.6b16 in CVS and b15 in tarball.
-steve


>
> Snort Version 1.8.1-RELEASE (Build 74)
> ACID v0.9.6b1
>
> These are the signatures (from the snort.sourcefire.com ruleset):
> web-misc.rules:alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
> (msg:"WEB-MISC
> readme.eml autoload attempt"; flags:A+; content:"window.open
> (\"readme.eml\""; nocase; classtype:attempted-user; sid:1290; rev:3;
> reference:url,www.cert.org/advisories/CA-2001-26.html;)
> web-misc.rules:alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
> (msg:"WEB-MISC
> readme.eml attempt"; flags:A+; uricontent:"readme.eml"; nocase;
> classtype:attempted-user; sid:1284; rev:3;
> reference:url,www.cert.org/advisories/CA-2001-26.html;)
>
> Any help is greatly appreciated!
>
> Thanks,
> pat s.
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
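The failing query in the debug log above ends at `ref_system_id=`, i.e. a value was interpolated as an empty string and the database received malformed SQL. The following added example (not ACID's or the poster's code; the `reference_system` schema and rows are constructed from the column names on the page) reproduces that failure with a naive string-built query against an in-memory SQLite database and shows the defensive form: validate the id first and bind it as a parameter.

```python
import sqlite3

# Constructed schema mirroring the table and columns named in the page's
# failing query; the rows are sample data, not taken from the poster's DB.
SCHEMA = """
CREATE TABLE reference_system (
    ref_system_id   INTEGER PRIMARY KEY,
    ref_system_name TEXT NOT NULL
);
INSERT INTO reference_system VALUES (1, 'url'), (2, 'cve');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_naive(conn, ref_system_id):
    """String-concatenation pattern behind the truncated query on the page.
    An empty id produces '... WHERE ref_system_id=' and a syntax error;
    any non-numeric id would be parsed as SQL rather than as data."""
    sql = ("SELECT ref_system_name FROM reference_system "
           "WHERE ref_system_id=" + str(ref_system_id))
    return conn.execute(sql).fetchone()


def lookup_safe(conn, ref_system_id):
    """Reject a missing or non-integer id before touching the database,
    then bind the value as a parameter so it can never alter the SQL."""
    if ref_system_id is None or str(ref_system_id).strip() == "":
        return None
    try:
        rid = int(str(ref_system_id).strip())
    except ValueError:
        return None
    row = conn.execute(
        "SELECT ref_system_name FROM reference_system WHERE ref_system_id=?",
        (rid,),
    ).fetchone()
    return row[0] if row else None


def reproduce_error():
    """Run the naive lookup with an empty id and return the DB error text
    (SQLite reports it as 'incomplete input'; MySQL as a syntax error)."""
    conn = open_db()
    try:
        lookup_naive(conn, "")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None
```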
