[Snort-users] MYSQL Error on Windows XP snort install

Bright, Mark IT2 mbrigh at ...4252...
Tue Dec 2 19:37:00 EST 2003


I don't have an account with Winsnort so I'm not quite sure what you mean by
master and slave sensors. I'm running a Win2k Professional box with MySQL
4.0.15 and ACID v0.9.6b23 (schema v106) as my central logging server. I have
5 sensors mostly on NT Server machines running Snort v2.0.5 successfully
logging to MySQL, 2 error'ing out with the same problem (Posted below). So
far I've tried to re-install Snort, upgrade it, use root as well as snort
users, checked and re-checked permissions, and checked and re-checked my
snort.conf file. I've found quite a few posts to the snort-users list
regarding this error but haven't seen a fix. I also e-mailed Mr. Danyliw and
I'm awaiting to hear his input. There have been some posts that point the
cause at the sensor name. If that's the case, I really don't know how to fix
it. I'm leaning in the direction of a permissions problem, but from what I
can tell, they look just fine, and my other sensors work great. Any help
would be greatly appreciated...

Here's my error:

Here's my snort.conf output line:
output database: log, mysql, user=snort dbname=snort host=205.60.5.35

Here's the error from Snort:

database: compiled support for ( mysql odbc )
database: configured to use mysql
database: database name = snort
database:          user = snort
database:          host = 205.60.5.35
database:   sensor name = CVN72UFS01:\
database: mysql_error: You have an error in your SQL syntax.  Check the
manual t
hat corresponds to your MySQL server version for the right syntax to use
near '\
' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
database: mysql_error: You have an error in your SQL syntax.  Check the
manual t
hat corresponds to your MySQL server version for the right syntax to use
near '\
','1','0', '0')' at line 1
SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid)
VALUES
('CVN72UFS01:\','\','1','0', '0')
database: mysql_error: You have an error in your SQL syntax.  Check the
manual t
hat corresponds to your MySQL server version for the right syntax to use
near '\
' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
database: Problem obtaining SENSOR ID (sid) from Snort->sensor
ERROR:
 When this plugin starts, a SELECT query is run to find the sensor id for
the
 currently running sensor. If the sensor id is not found, the plugin will
run
 an INSERT query to insert the proper data and generate a new sensor id.
Then a
 SELECT query is run to get the newly allocated sensor id. If that fails
then
 this error message is generated.

 Some possible causes for this error are:
  * the user does not have proper INSERT or SELECT privileges
  * the sensor table does not exist

 If you are _absolutely_ certain that you have the proper privileges set and
 that your database structure is built properly please let me know if you
 continue to get this error. You can contact me at (roman at ...438...).

~Mark

-----Original Message-----
From: Michael Steele [mailto:michaels at ...9077...]
Sent: Tuesday, December 02, 2003 6:26 PM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install


Watch cloning them unless you change SID. You'll run into problems if they
are on the same network.

Looks like some of this message went private so it looks very strange.

I'm taking it that you are logging from a Master sensor to a Slave sensor
all on the same network.

Did you follow the guide for a Master sensor on the WINSNORT.com site?

Did you follow the guide for a Slave sensor on the WINSNORT.com site?

What sanity checks have you preformed to make sure that connectivity is
there between the master and slave?

Do you have working slaves on the Master but one or more fails after a stock
installation?

Cheers...

-The WINSNORT.com Management Team
-- 
 Pick up your FREE Windows or UNIX Snort installation guides       
 mailto:support at ...9077...
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> admin at lists.sourceforge.net] On Behalf Of Bright, Mark IT2
> Sent: Tuesday, December 02, 2003 4:48 PM
> To: 'Tim'
> Cc: 'snort-users at lists.sourceforge.net'
> Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install
> 
> No can do. They're production servers with different uses. I'm digging
> through the Snort-Users archives and I'm finding a bunch of folks with
> this
> same error, all without a fix. How could an error with this kind of
> documentation not been resolved yet? I'm willing to bet someone's figured
> it
> out, just hasn't spilled the beans yet. I'll keep ya' posted...
> 
> ~Mark
> 
> -----Original Message-----
> From: Tim [mailto:tim0707 at ...5068...]
> Sent: Tuesday, December 02, 2003 3:29 PM
> To: Bright, Mark IT2
> Subject: Re: [Snort-users] MYSQL Error on Windows XP snort install
> 
> 
> Mark,
> 
> If that were me and I had 5 good and two bad, I would clone one of the
> good
> ones and change the name and IP (stuff like that).   That should work for
> you.  I know that's the easy way out, but....
> 
> Later,
> Tim
> ----- Original Message -----
> From: "Bright, Mark IT2" <mbrigh at ...4252...>
> To: "'Tim'" <tim0707 at ...5068...>
> Sent: Tuesday, December 02, 2003 6:21 PM
> Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install
> 
> 
> > Tim,
> >
> > I still haven't got it working yet. I have 5 sensors reporting just fine
> but
> > 2 keep error'ing out. I've obviously checked and rechecked the database
> > permissions time and time again. They look good to me. I tried using
> root
> > rather than the snort user = failed. I tried re-installing Snort =
> failed.
> I
> > tried upgrading to the latest version of Snort = failed. I'm pretty
> stuck,
> > man. I'm going to e-mail Roman again and see what happens. It usually
> takes
> > him a few days to respond so I'll just keep diggin' 'til then. Thanks
> for
> > the heads up on the website. Take it easy,
> >
> > ~Mark
> >
> > -----Original Message-----
> > From: Tim [mailto:tim0707 at ...5068...]
> > Sent: Monday, December 01, 2003 2:16 PM
> > To: Bright, Mark IT2
> > Subject: Re: [Snort-users] MYSQL Error on Windows XP snort install
> >
> >
> > Mark,
> >
> > Check out www.winsnort.com.  They have some documentation that should
> help.
> > I've looked it over, but haven't had a chance to try it out.  You have
> to
> > create an account to get access to the docs.
> >
> > The Lincoln, huh?  I just got out of the Navy 1 month ago.  I was
> stationed
> > onboard the USS PORTER (DDG-78).  I thought you guys ran RealSecure
> onboard
> > CVN's?
> >
> > Let me know if you get it working.
> >
> > Tim
> > ----- Original Message -----
> > From: "Bright, Mark IT2" <mbrigh at ...4252...>
> > To: "'Tim'" <tim0707 at ...5068...>
> > Sent: Monday, December 01, 2003 11:02 AM
> > Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install
> >
> >
> > > I'm getting this same error on two of my sensors. I e-mailed Roman and
> the
> > > Snort list and still haven't heard a solution. If you get a fix for
> this,
> > > please post it to the list. I'm thinking about creating another user
> and
> > > assigning the appropriate permissions and seeing if that works. I'm
> > running
> > > snort on NT Server and recording to a MySQL database on a remote Win2k
> > > machine. Thanks for posting...
> > >
> > > ~Mark
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Tim [mailto:tim0707 at ...5068...]
> > > Sent: Friday, November 28, 2003 8:37 AM
> > > To: snort-users at lists.sourceforge.net
> > > Subject: [Snort-users] MYSQL Error on Windows XP snort install
> > >
> > >
> > > I'm setting up a Windows XP box with snort, ACID and MYSQL. I've
> gotten
> > > everything running good, but when I go to run snort, I get the
> following
> > > error.
> > >
> > >
> > > I'm running MYSQL version 4.0.16 and snort version 2.0.5.
> > >
> > > I followed the instructions in
> > http://www.snort.org/docs/snort_acid_rh9.pdf
> > > posted on the snort website to set up MYSQL.  Everything went alright
> with
> > > the MYSQL install.  I've checked all of the permissions on MYSQL and I
> > have
> > > the right user and permissions there.   All of the tables and are
> created.
> > > I checked using the SHOW TABLES command.  If anyone has run into this
> > > problem before, I would appreciate the help.
> > >
> > > If you're wondering why I'm installing all of this on a Windows XP
> box,
> > > well...  just to pass the time, I guess... : )
> > >
> > > Thanks,
> > > Tim
> > >
> >
> >
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by OSDN's Audience Survey.
> Help shape OSDN's sites and tell us what you think. Take this
> five minute survey and you could win a $250 Gift Certificate.
> http://www.wrgsurveys.com/2003/osdntech03.php?site=8
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list