[Snort-users] ACID errors

roman at ...438... roman at ...438...
Wed Sep 26 21:04:03 EDT 2001


In addition to a migration to DB schema v104, some updates have been committed to CVS.  
Please give them a try.

Roman

On Tue, 25 Sep 2001 pbsarnac at ...1799... wrote:

> I'm getting the following error in ACID whenever I pull up any Unique
> Alerts or Most Recent Alerts or Frequent Alerts lists:
>
> Database ERROR:You have an error in your SQL syntax near '' at line 1
>
> By poking around in mysql, I've traced it to one of two signatures that we
> started seeing alerts on this morning. Whenever I do a search in ACID for
> readme.eml, I get the error, although searches for other signatures (such
> as "roughly ICMP") are fine. I'm not at all a SQL or php guy, so I'm
> stumped. Where do I troubleshoot from here?
>
> Snort Version 1.8.1-RELEASE (Build 74)
> ACID v0.9.6b1
>
> These are the signatures (from the snort.sourcefire.com ruleset):
> web-misc.rules:alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC
> readme.eml autoload attempt"; flags:A+; content:"window.open
> (\"readme.eml\""; nocase; classtype:attempted-user; sid:1290; rev:3;
> reference:url,www.cert.org/advisories/CA-2001-26.html;)
> web-misc.rules:alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC
> readme.eml attempt"; flags:A+; uricontent:"readme.eml"; nocase;
> classtype:attempted-user; sid:1284; rev:3;
> reference:url,www.cert.org/advisories/CA-2001-26.html;)
>
> Any help is greatly appreciated!
>
> Thanks,
> pat s.



---------------------------------------------
This message was sent using Voicenet WebMail.
      http://www.voicenet.com/webmail/






More information about the Snort-users mailing list