[Snort-users] MYSQL Error on Windows XP snort install

Jacob Roberts jake_roberts at ...10077...
Wed Dec 3 08:15:03 EST 2003


Here is your Probem:
	sensor name = CVN72UFS01:\

Your sensor name has a backslash in it '\'.

In MySQL the backslash is a special character that escapes other special
characters so they can be used:
For example, the single quote (') character is special and cannot be
used in MySQL, but by escaping it with the backslash character like so
\' MySQL sees that you want to treat the ' as a normal character and not
by its special meaning.

So by having a \ in your sensor name its changing a ' to a non-special
character and messing up Snort SQL statement.  You should be able to fix
this problem by changing the sensor name in the snort.conf file.  You
specify the sensor name in the output plug line:
	output database: log, mysql, dbname=snort user=snortusr
host=mysql.domain.org password=goodpassword detail=full
sensor_name=mysnortsensor1

Snort really should and escape all the values it enters in the database
so errors like this won't occur.

I hope this solves your problem.

Jake



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Bright,
Mark IT2
Sent: Tuesday, December 02, 2003 8:35 PM
To: 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install


I don't have an account with Winsnort so I'm not quite sure what you
mean by
master and slave sensors. I'm running a Win2k Professional box with
MySQL
4.0.15 and ACID v0.9.6b23 (schema v106) as my central logging server. I
have
5 sensors mostly on NT Server machines running Snort v2.0.5 successfully
logging to MySQL, 2 error'ing out with the same problem (Posted below).
So
far I've tried to re-install Snort, upgrade it, use root as well as
snort
users, checked and re-checked permissions, and checked and re-checked my
snort.conf file. I've found quite a few posts to the snort-users list
regarding this error but haven't seen a fix. I also e-mailed Mr. Danyliw
and
I'm awaiting to hear his input. There have been some posts that point
the
cause at the sensor name. If that's the case, I really don't know how to
fix
it. I'm leaning in the direction of a permissions problem, but from what
I
can tell, they look just fine, and my other sensors work great. Any help
would be greatly appreciated...

Here's my error:

Here's my snort.conf output line:
output database: log, mysql, user=snort dbname=snort host=205.60.5.35

Here's the error from Snort:

database: compiled support for ( mysql odbc )
database: configured to use mysql
database: database name = snort
database:          user = snort
database:          host = 205.60.5.35
database:   sensor name = CVN72UFS01:\
database: mysql_error: You have an error in your SQL syntax.  Check the
manual t
hat corresponds to your MySQL server version for the right syntax to use
near '\
' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
database: mysql_error: You have an error in your SQL syntax.  Check the
manual t
hat corresponds to your MySQL server version for the right syntax to use
near '\
','1','0', '0')' at line 1
SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid)
VALUES
('CVN72UFS01:\','\','1','0', '0')
database: mysql_error: You have an error in your SQL syntax.  Check the
manual t
hat corresponds to your MySQL server version for the right syntax to use
near '\
' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
database: Problem obtaining SENSOR ID (sid) from Snort->sensor
ERROR:
 When this plugin starts, a SELECT query is run to find the sensor id
for
the
 currently running sensor. If the sensor id is not found, the plugin
will
run
 an INSERT query to insert the proper data and generate a new sensor id.
Then a
 SELECT query is run to get the newly allocated sensor id. If that fails
then
 this error message is generated.

 Some possible causes for this error are:
  * the user does not have proper INSERT or SELECT privileges
  * the sensor table does not exist

 If you are _absolutely_ certain that you have the proper privileges set
and
 that your database structure is built properly please let me know if
you
 continue to get this error. You can contact me at (roman at ...438...).

~Mark

-----Original Message-----
From: Michael Steele [mailto:michaels at ...9077...]
Sent: Tuesday, December 02, 2003 6:26 PM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install


Watch cloning them unless you change SID. You'll run into problems if
they
are on the same network.

Looks like some of this message went private so it looks very strange.

I'm taking it that you are logging from a Master sensor to a Slave
sensor
all on the same network.

Did you follow the guide for a Master sensor on the WINSNORT.com site?

Did you follow the guide for a Slave sensor on the WINSNORT.com site?

What sanity checks have you preformed to make sure that connectivity is
there between the master and slave?

Do you have working slaves on the Master but one or more fails after a
stock
installation?

Cheers...

-The WINSNORT.com Management Team
-- 
 Pick up your FREE Windows or UNIX Snort installation guides       
 mailto:support at ...9077...
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> admin at lists.sourceforge.net] On Behalf Of Bright, Mark IT2
> Sent: Tuesday, December 02, 2003 4:48 PM
> To: 'Tim'
> Cc: 'snort-users at lists.sourceforge.net'
> Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install
> 
> No can do. They're production servers with different uses. I'm digging
> through the Snort-Users archives and I'm finding a bunch of folks with
> this
> same error, all without a fix. How could an error with this kind of
> documentation not been resolved yet? I'm willing to bet someone's
figured
> it
> out, just hasn't spilled the beans yet. I'll keep ya' posted...
> 
> ~Mark
> 
> -----Original Message-----
> From: Tim [mailto:tim0707 at ...5068...]
> Sent: Tuesday, December 02, 2003 3:29 PM
> To: Bright, Mark IT2
> Subject: Re: [Snort-users] MYSQL Error on Windows XP snort install
> 
> 
> Mark,
> 
> If that were me and I had 5 good and two bad, I would clone one of the
> good
> ones and change the name and IP (stuff like that).   That should work
for
> you.  I know that's the easy way out, but....
> 
> Later,
> Tim
> ----- Original Message -----
> From: "Bright, Mark IT2" <mbrigh at ...4252...>
> To: "'Tim'" <tim0707 at ...5068...>
> Sent: Tuesday, December 02, 2003 6:21 PM
> Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install
> 
> 
> > Tim,
> >
> > I still haven't got it working yet. I have 5 sensors reporting just
fine
> but
> > 2 keep error'ing out. I've obviously checked and rechecked the
database
> > permissions time and time again. They look good to me. I tried using
> root
> > rather than the snort user = failed. I tried re-installing Snort =
> failed.
> I
> > tried upgrading to the latest version of Snort = failed. I'm pretty
> stuck,
> > man. I'm going to e-mail Roman again and see what happens. It
usually
> takes
> > him a few days to respond so I'll just keep diggin' 'til then.
Thanks
> for
> > the heads up on the website. Take it easy,
> >
> > ~Mark
> >
> > -----Original Message-----
> > From: Tim [mailto:tim0707 at ...5068...]
> > Sent: Monday, December 01, 2003 2:16 PM
> > To: Bright, Mark IT2
> > Subject: Re: [Snort-users] MYSQL Error on Windows XP snort install
> >
> >
> > Mark,
> >
> > Check out www.winsnort.com.  They have some documentation that
should
> help.
> > I've looked it over, but haven't had a chance to try it out.  You
have
> to
> > create an account to get access to the docs.
> >
> > The Lincoln, huh?  I just got out of the Navy 1 month ago.  I was
> stationed
> > onboard the USS PORTER (DDG-78).  I thought you guys ran RealSecure
> onboard
> > CVN's?
> >
> > Let me know if you get it working.
> >
> > Tim
> > ----- Original Message -----
> > From: "Bright, Mark IT2" <mbrigh at ...4252...>
> > To: "'Tim'" <tim0707 at ...5068...>
> > Sent: Monday, December 01, 2003 11:02 AM
> > Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install
> >
> >
> > > I'm getting this same error on two of my sensors. I e-mailed Roman
and
> the
> > > Snort list and still haven't heard a solution. If you get a fix
for
> this,
> > > please post it to the list. I'm thinking about creating another
user
> and
> > > assigning the appropriate permissions and seeing if that works.
I'm
> > running
> > > snort on NT Server and recording to a MySQL database on a remote
Win2k
> > > machine. Thanks for posting...
> > >
> > > ~Mark
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Tim [mailto:tim0707 at ...5068...]
> > > Sent: Friday, November 28, 2003 8:37 AM
> > > To: snort-users at lists.sourceforge.net
> > > Subject: [Snort-users] MYSQL Error on Windows XP snort install
> > >
> > >
> > > I'm setting up a Windows XP box with snort, ACID and MYSQL. I've
> gotten
> > > everything running good, but when I go to run snort, I get the
> following
> > > error.
> > >
> > >
> > > I'm running MYSQL version 4.0.16 and snort version 2.0.5.
> > >
> > > I followed the instructions in
> > http://www.snort.org/docs/snort_acid_rh9.pdf
> > > posted on the snort website to set up MYSQL.  Everything went
alright
> with
> > > the MYSQL install.  I've checked all of the permissions on MYSQL
and I
> > have
> > > the right user and permissions there.   All of the tables and are
> created.
> > > I checked using the SHOW TABLES command.  If anyone has run into
this
> > > problem before, I would appreciate the help.
> > >
> > > If you're wondering why I'm installing all of this on a Windows XP
> box,
> > > well...  just to pass the time, I guess... : )
> > >
> > > Thanks,
> > > Tim
> > >
> >
> >
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by OSDN's Audience Survey.
> Help shape OSDN's sites and tell us what you think. Take this
> five minute survey and you could win a $250 Gift Certificate.
> http://www.wrgsurveys.com/2003/osdntech03.php?site=8
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list