[Snort-users] Additional debugging information: Query execution error: Database ERROR:Unknown column 'ip_src0' in 'field list'

Roman Danyliw roman at ...438...
Sat Feb 16 07:39:06 EST 2002


All the extra debug information is helpful.

However, could you please verify that you upgraded to v0.9.6b20.  No version of
ACID past 0.9.6b16 makes any reference to the fields ip_src0-3 or ip_dst0-3.

Roman

On Fri, 15 Feb 2002 17:09:03 -0500, Bruce Platt <Bruce at ...2105...> wrote :

> I set $debug_mode=1 in acid_conf.php, and here is the additional debugging
> info produced when this error occurs:
> 
> importing GET var 'submit'
> importing GET var 'current_view'
> importing GET var 'num_result_rows'
> 
> Warning: Cannot send session cache limiter - headers already sent (output
> started at /var/www/html/acid/acid_common.php:273) in
> /var/www/html/acid/acid_common.php on line 125
> Session Registered
> importing GET var 'time'
> 
> Checking for DB abstraction lib in '/var/www/html/acid/adodb.inc.php'
> 
> 
>          URL: '/acid/acid_pkt_main.php' (refered by:
> 'http://webserver/acid/acid_main.php')
>          PARAMETERS:
> '&num_result_rows=-1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=+&submit=Query+
> DB&current_view=-1'
>          CLIENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461;
> Q312461)
>          SERVER: Apache/1.3.12 (Unix)  (Red Hat/Linux) mod_ssl/2.6.6
> OpenSSL/0.9.5a DAV/1.0.1 PHP/4.0.5 mod_perl/1.24 
>          DATABASE TYPE: mysql
>          PHP VERSION: 4.0.5  DB ABSTRACTION VERSION: 
>          
>          new: ''   
>          submit: 'Query DB'
>          sort_order: ''
>          num_result_rows: '-1'  current_view: '-1'
>          layer4: ''
> 
> 
> time_cnt ip_addr_cnt ip_field_cnt tcp_port_cnt  tcp_field_cnt udp_port_cnt
> udp_field_cnt  icmp_field_cnt data_cnt 
> 0 0 0 0 0 0 0 0 0 
> caller = 
> action= 
> ag_add_key= 
> 
> ----------------------------------------------------------------------------
> ----
> 
> IP first 0 0 0 0 
> IP masking 0 0 0 0 = 0 
> IP back 0: 0 0 0 0 
> SQL (save_sql): SELECT event.sid, event.cid, signature, timestamp, ip_src0,
> ip_src1, ip_src2, ip_src3, ip_dst0, ip_dst1, ip_dst2, ip_dst3, ip_proto FROM
> event INNER JOIN iphdr ON event.sid=iphdr.sid AND event.cid=iphdr.cid WHERE
> event.cid > 0Query execution error: Database ERROR:Unknown column 'ip_src0'
> in 'field list'
> 
> SELECT event.sid, event.cid, signature, timestamp, ip_src0, ip_src1,
> ip_src2, ip_src3, ip_dst0, ip_dst1, ip_dst2, ip_dst3, ip_proto FROM event
> LEFT JOIN iphdr ON event.sid=iphdr.sid AND event.cid=iphdr.cid WHERE
> event.cid > 0
> 
> 
> If I look at my iphdr table, there are only these fields defined:
> 
> mysql> desc iphdr;
> +----------+----------------------+------+-----+---------+-------+
> | Field    | Type                 | Null | Key | Default | Extra |
> +----------+----------------------+------+-----+---------+-------+
> | sid      | int(10) unsigned     |      | PRI | 0       |       |
> | cid      | int(10) unsigned     |      | PRI | 0       |       |
> | ip_src   | int(10) unsigned     |      | MUL | 0       |       |
> | ip_dst   | int(10) unsigned     |      | MUL | 0       |       |
> | ip_ver   | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_hlen  | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_tos   | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_len   | smallint(5) unsigned | YES  |     | NULL    |       |
> | ip_id    | smallint(5) unsigned | YES  |     | NULL    |       |
> | ip_flags | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_off   | smallint(5) unsigned | YES  |     | NULL    |       |
> | ip_ttl   | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_proto | tinyint(3) unsigned  |      |     | 0       |       |
> | ip_csum  | smallint(5) unsigned | YES  |     | NULL    |       |
> +----------+----------------------+------+-----+---------+-------+
> 
> This is for schema version 104 from the snort-stable which I downloaded
> yesterday.
> 
> I have seen posts where people clearly have 22 fields in iphdr, the 14
> above plus ip_src0 - ip_src4 and ip_dst0 - ip_dst4.
> 
> Where do these come from?  Where can I find the definition file to load into
> mysql?
> 
> Any and all help greatly appreciated.
> 
> Regards,
> 
> Bruce
> 
> -----Original Message-----
> From: Bruce Platt [mailto:Bruce at ...2105...]
> Sent: Friday, February 15, 2002 1:12 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Query execution error: Database ERROR:Unknown
> column 'ip_src0' in 'field list'
> 
> 
> I now have yesterday's snort-stable running and logging happily to a mysql
> db. Using acid 0.9.6b20, I receive the following error when attempting to
> query db about alert details:
> 
> Database ERROR:Unknown column 'ip_src0' in 'field list'.  Similar error for
> ip_dst0.
> 
> Looking at some posts using a google search suggests that last year there
> was some discussion related to b10 release of acid and the fact that not all
> necessary code was committed.
> 
> Examining the snort-stable/contrib/create_mysql shows no fields labeled
> ip_src0 in the definitions, however, there is clearly a field labeled
> ip_src in the iphdr table definition as well as ip_dst.
> 
> Have I left out an important step somewhere, should I have used some other
> version of create_mysql?
> 
> Thanks and regards
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
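One way to run the check Roman asks for, as an added example that is not part of the original thread or of ACID: scan the install directory for PHP files that still name ip_src0-3 or ip_dst0-3, which per the reply can only come from a release at or before 0.9.6b16. The function names, the file extensions scanned and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find leftover ACID files that still reference the legacy
# per-octet columns ip_src0-3 / ip_dst0-3 (function names are hypothetical).
LEGACY_RE='ip_(src|dst)[0-3]([^0-9A-Za-z_]|$)'

# Print "file:line:text" for every PHP/include line naming a legacy column.
legacy_refs() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    # /dev/null forces grep to print file names even for a single file;
    # "|| true" hides grep's "no match" status, which is not an error here.
    find "$1" -type f \( -name '*.php' -o -name '*.inc' \) \
        -exec grep -nE "$LEGACY_RE" /dev/null {} + || true
}

# Exit status: 0 = tree is clean, 1 = stale files present, 2 = bad path.
check_acid_tree() {
    hits=$(legacy_refs "$1") || return 2
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        echo "STALE: files above still query ip_src0-3/ip_dst0-3"
        return 1
    fi
    echo "OK: no legacy column references under $1"
}

# Constructed sample tree: one file with the old-style query from the
# debug output in the thread, one using the single ip_src/ip_dst columns.
make_sample_tree() {
    d=$(mktemp -d)
    printf '%s\n' '$sql = "SELECT ip_src0, ip_src1, ip_dst0 FROM iphdr";' \
        > "$d/old_query.php"
    printf '%s\n' '$sql = "SELECT ip_src, ip_dst, ip_proto FROM iphdr";' \
        > "$d/new_query.php"
    echo "$d"
}

# Usage: sh thisfile.sh /var/www/html/acid
if [ "$#" -gt 0 ]; then
    check_acid_tree "$1"
fi
```

A hit after an upgrade usually means an older copy of a file was left in place or the web server is serving a different directory than the one that was upgraded.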