[Snort-users] Additional debugging information: Query execution error: Database ERROR:Unknown column 'ip_src0' in 'field list'

Bruce Platt Bruce at ...2105...
Sat Feb 16 07:50:03 EST 2002


My error!

I had inadvertently overwritten the b20 version with the old version. I
figured it out this morning and rebuilt all.  It now works fine!

Thanks for the help and your great work on acid!

Regards

-----Original Message-----
From: Roman Danyliw [mailto:roman at ...438...]
Sent: Saturday, February 16, 2002 10:38 AM
To: Bruce Platt
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Additional debugging information: Query
execution error: Database ERROR:Unknown column 'ip_src0' in 'field list'


All the extra debug information is helpful.

However, could you please verify that you upgraded to v0.9.6b20.  No version
of ACID past 0.9.6b16 makes any reference to the fields ip_src0-3 or
ip_dst0-3.

Roman

On Fri, 15 Feb 2002 17:09:03 -0500, Bruce Platt <Bruce at ...2105...> wrote :

> I set $debug_mode=1 in acid_conf.php, and here is the additional debugging
> info produced when this error occurs:
> 
> importing GET var 'submit'
> importing GET var 'current_view'
> importing GET var 'num_result_rows'
> 
> Warning: Cannot send session cache limiter - headers already sent (output
> started at /var/www/html/acid/acid_common.php:273) in
> /var/www/html/acid/acid_common.php on line 125
> Session Registered
> importing GET var 'time'
> 
> Checking for DB abstraction lib in '/var/www/html/acid/adodb.inc.php'
> 
> 
>          URL: '/acid/acid_pkt_main.php' (refered by:
> 'http://webserver/acid/acid_main.php')
>          PARAMETERS:
> '&num_result_rows=-1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=+&submit=Query+DB&current_view=-1'
>          CLIENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461;
> Q312461)
>          SERVER: Apache/1.3.12 (Unix)  (Red Hat/Linux) mod_ssl/2.6.6
> OpenSSL/0.9.5a DAV/1.0.1 PHP/4.0.5 mod_perl/1.24 
>          DATABASE TYPE: mysql
>          PHP VERSION: 4.0.5  DB ABSTRACTION VERSION: 
>          
>          new: ''   
>          submit: 'Query DB'
>          sort_order: ''
>          num_result_rows: '-1'  current_view: '-1'
>          layer4: ''
> 
> 
> time_cnt ip_addr_cnt ip_field_cnt tcp_port_cnt  tcp_field_cnt udp_port_cnt
> udp_field_cnt  icmp_field_cnt data_cnt 
> 0 0 0 0 0 0 0 0 0 
> caller = 
> action= 
> ag_add_key= 
> 
> --------------------------------------------------------------------------------
> 
> IP first 0 0 0 0 
> IP masking 0 0 0 0 = 0 
> IP back 0: 0 0 0 0 
> SQL (save_sql): SELECT event.sid, event.cid, signature, timestamp, ip_src0,
> ip_src1, ip_src2, ip_src3, ip_dst0, ip_dst1, ip_dst2, ip_dst3, ip_proto FROM
> event INNER JOIN iphdr ON event.sid=iphdr.sid AND event.cid=iphdr.cid WHERE
> event.cid > 0Query execution error: Database ERROR:Unknown column 'ip_src0'
> in 'field list'
> 
> SELECT event.sid, event.cid, signature, timestamp, ip_src0, ip_src1,
> ip_src2, ip_src3, ip_dst0, ip_dst1, ip_dst2, ip_dst3, ip_proto FROM event
> LEFT JOIN iphdr ON event.sid=iphdr.sid AND event.cid=iphdr.cid WHERE
> event.cid > 0
> 
> 
> If I look at my iphdr table, there are only these fields defined:
> 
> mysql> desc iphdr;
> +----------+----------------------+------+-----+---------+-------+
> | Field    | Type                 | Null | Key | Default | Extra |
> +----------+----------------------+------+-----+---------+-------+
> | sid      | int(10) unsigned     |      | PRI | 0       |       |
> | cid      | int(10) unsigned     |      | PRI | 0       |       |
> | ip_src   | int(10) unsigned     |      | MUL | 0       |       |
> | ip_dst   | int(10) unsigned     |      | MUL | 0       |       |
> | ip_ver   | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_hlen  | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_tos   | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_len   | smallint(5) unsigned | YES  |     | NULL    |       |
> | ip_id    | smallint(5) unsigned | YES  |     | NULL    |       |
> | ip_flags | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_off   | smallint(5) unsigned | YES  |     | NULL    |       |
> | ip_ttl   | tinyint(3) unsigned  | YES  |     | NULL    |       |
> | ip_proto | tinyint(3) unsigned  |      |     | 0       |       |
> | ip_csum  | smallint(5) unsigned | YES  |     | NULL    |       |
> +----------+----------------------+------+-----+---------+-------+
> 
> This is for schema version 104 from the snort-stable which I downloaded
> yesterday.
> 
> I have seen posts where people clearly have 22 fields in ipheadr, the 14
> above plus ip_src0 - ip_src4 and ipdst0 - ip_dst4.
> 
> Where do these come from?  Where can I find the definition file to load into
> mysql?
> 
> Any and all help greatly appreciated.
> 
> Regards,
> 
> Bruce
> 
> -----Original Message-----
> From: Bruce Platt [mailto:Bruce at ...2105...]
> Sent: Friday, February 15, 2002 1:12 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Query execution error: Database ERROR:Unknown
> column 'ip_src0' in 'field list'
> 
> 
> I now have yesterday's snort-stable running and logging happily to a mysql
> db. Using acid 0.9.6b20, I receive the following error when attempting to
> query db about alert details:
> 
> Database ERROR:Unknown column 'ip_src0' in 'field list'.  Similar error for
> ip_dst0.
> 
> Looking at some posts using a google search suggests that last year there
> was some discussion related to b10 release of acid and the fact that not all
> necessary code was committed.
> 
> Examining the snort-stable/contrib/create_mysql shows no fields labeled
> ip_src0 in the definitions, however, there is clearly a field labeled
> ip_src in the iphdr table definition as well as ip_dst.
> 
> Have I left out an important step somewhere, should I have used some other
> version of create_mysql?
> 
> Thanks and regards
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
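
As an added example (not part of the thread and not ACID's own code): a shell check built on Roman's statement that no ACID release past 0.9.6b16 references ip_src0-3 or ip_dst0-3, so any file that still does is left over from an older install. The function name, sample file names and sample contents are constructed for illustration; point stale_refs at your own ACID directory.

```shell
#!/bin/sh
# Added example. Any reference to ip_src0-3 / ip_dst0-3 marks a file from an
# ACID release no newer than 0.9.6b16 (per the reply in this thread).

PATTERN='ip_(src|dst)[0-3]([^0-9A-Za-z_]|$)'

# stale_refs DIR
#   Prints "file:line:text" for every reference found in *.php / *.inc files.
#   Returns 0 if the tree is clean, 1 if stale references exist, 2 if DIR is
#   not a directory.
stale_refs() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # /dev/null makes grep print the file name even when given a single file;
    # the trailing sort also keeps find's exit status out of the result.
    hits=$(find "$dir" -type f \( -name '*.php' -o -name '*.inc' \) \
               -exec grep -En "$PATTERN" /dev/null {} + 2>/dev/null | sort)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample tree: one file carrying the query from the error message,
# one using the ip_src / ip_dst columns that exist in the iphdr table.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    cat > "$t/stale_sample.php" <<'EOF'
<?php $sql = "SELECT event.sid, event.cid, signature, timestamp, ip_src0,
 ip_src1, ip_src2, ip_src3, ip_dst0, ip_dst1, ip_dst2, ip_dst3, ip_proto";
EOF
    cat > "$t/current_sample.php" <<'EOF'
<?php $sql = "SELECT event.sid, event.cid, signature, timestamp, ip_src,
 ip_dst, ip_proto FROM event";
EOF
    echo "$t"
}

demo_dir=$(make_sample_tree)
stale_refs "$demo_dir" || echo "stale ACID files found; reinstall 0.9.6b20"
rm -rf "$demo_dir"
```
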



