[Snort-users] MYSQL Error on Windows XP snort install

Jim Brown jpb at ...10281...
Tue Dec 2 20:13:02 EST 2003


* Bright, Mark IT2 <mbrigh at ...4252...> [2003-12-02 22:38]:
> I don't have an account with Winsnort so I'm not quite sure what you mean by
> master and slave sensors. I'm running a Win2k Professional box with MySQL
> 4.0.15 and ACID v0.9.6b23 (schema v106) as my central logging server. I have
> 5 sensors mostly on NT Server machines running Snort v2.0.5 successfully
> logging to MySQL, 2 error'ing out with the same problem (Posted below). So
> far I've tried to re-install Snort, upgrade it, use root as well as snort
> users, checked and re-checked permissions, and checked and re-checked my
> snort.conf file. I've found quite a few posts to the snort-users list
> regarding this error but haven't seen a fix. I also e-mailed Mr. Danyliw and
> I'm waiting to hear his input. There have been some posts that point the
> cause at the sensor name. If that's the case, I really don't know how to fix
> it. I'm leaning in the direction of a permissions problem, but from what I
> can tell, they look just fine, and my other sensors work great. Any help
> would be greatly appreciated...
> 
> Here's my error:
> 
> Here's my snort.conf output line:
> output database: log, mysql, user=snort dbname=snort host=205.60.5.35
> 
> Here's the error from Snort:
> 
> database: compiled support for ( mysql odbc )
> database: configured to use mysql
> database: database name = snort
> database:          user = snort
> database:          host = 205.60.5.35
> database:   sensor name = CVN72UFS01:\
> database: mysql_error: You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near '\
> ' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
> database: mysql_error: You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near '\
> ','1','0', '0')' at line 1
> SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid)
> VALUES
> ('CVN72UFS01:\','\','1','0', '0')
> database: mysql_error: You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near '\
> ' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
> database: Problem obtaining SENSOR ID (sid) from Snort->sensor
> ERROR:
>  When this plugin starts, a SELECT query is run to find the sensor id for the
>  currently running sensor. If the sensor id is not found, the plugin will run
>  an INSERT query to insert the proper data and generate a new sensor id. Then a
>  SELECT query is run to get the newly allocated sensor id. If that fails then
>  this error message is generated.
> 
>  Some possible causes for this error are:
>   * the user does not have proper INSERT or SELECT privileges
>   * the sensor table does not exist
> 
>  If you are _absolutely_ certain that you have the proper privileges set and
>  that your database structure is built properly please let me know if you
>  continue to get this error. You can contact me at (roman at ...438...).
> 
> ~Mark
> 



Disclaimer- I don't run ACID and never have.  So what I'm about
to say could be a total crock of, uh, stuff. I do know a fair
amount of SQL however.

I'm looking at the line:

  SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid)
  VALUES
  ('CVN72UFS01:\','\','1','0', '0')
               ^^
      
and what I see is an escaped single quote which is very likely
throwing the SQL parser off.  Try either a double backslash or 
renaming without the single backslash- i.e.

 ('CVN72UFS01:\\','\','1','0', '0')

or

 ('CVN72UFS01:','\','1','0', '0')



In fact, you should be able to test this directly in the MySQL 
monitor.

If you get a similar error on the next escaped backslash
try:

 ('CVN72UFS01:\\','\\','1','0', '0')



Best Regards,
jpb
===
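
Added example, not part of the original message and not Snort or MySQL code: a simplified Python scanner that reads the VALUES tuple the way a parser with MySQL's default backslash-escape rule would, applied to the statement from the log and to the two rewrites suggested above. The function names are hypothetical, and `quote` escapes only backslash and single quote, which is an assumption made to keep the sketch short.

```python
# Added example: simplified scanner for a VALUES tuple of single-quoted
# strings. Inside quotes a backslash escapes the next character and ''
# is a literal quote (MySQL's default behaviour).

def parse_values(text):
    """Return the string values in "('a','b',...)" or raise ValueError."""
    values, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c in "(), \t\n":              # punctuation allowed between literals
            i += 1
            continue
        if c != "'":                     # e.g. a backslash left outside a string
            raise ValueError("syntax error near %r" % text[i:])
        i, buf = i + 1, []
        while True:
            if i >= n:
                raise ValueError("unterminated string literal")
            c = text[i]
            if c == "\\" and i + 1 < n:  # backslash swallows the next char
                buf.append(text[i + 1])
                i += 2
            elif c == "'" and text[i + 1:i + 2] == "'":
                buf.append("'")          # doubled quote stays inside the literal
                i += 2
            elif c == "'":               # real end of the literal
                i += 1
                break
            else:
                buf.append(c)
                i += 1
        values.append("".join(buf))
    return values

def quote(value):
    """Escape backslash and quote only (a sketch, not mysql_real_escape_string)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def check(text):
    """Return the parsed values, or the error text if the tuple does not parse."""
    try:
        return parse_values(text)
    except ValueError as exc:
        return str(exc)

AS_SENT = r"('CVN72UFS01:\','\','1','0', '0')"       # statement from the log
ONE_FIXED = r"('CVN72UFS01:\\','\','1','0', '0')"    # first suggested rewrite
BOTH_FIXED = r"('CVN72UFS01:\\','\\','1','0', '0')"  # both backslashes doubled

if __name__ == "__main__":
    for text in (AS_SENT, ONE_FIXED, BOTH_FIXED):
        print(text, "->", check(text))
```

Only the form with both backslashes doubled yields five values; in the other two the `\'` pair is consumed as an escaped quote, so the literal closes in the wrong place and the scanner stops at the leftover text, much as the server reports an error "near" it.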




