[Snort-users] MYSQL Error on Windows XP snort install

Bright, Mark IT2 mbrigh at ...4252...
Wed Dec 3 12:25:01 EST 2003

I've confirmed that the sensor name is not the issue (at least in my
situation). I have changed it numerous times to no avail. After taking a
second look at the error that's given, it looks like the SQL statement AFTER
the sensor name is the issue. I still have no idea how to fix it though...


-----Original Message-----
From: snortmail [mailto:snortmail at ...10527...]
Sent: Wednesday, December 03, 2003 9:01 AM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] MYSQL Error on Windows XP snort install

I'm on a Win2K Box - and experiencing the same issues with mySQL - I've also
run snort to log to a MSSQL under the exact conditions and it goes through
fine...the correspondence below is from the beginning of last month.
Changing the sensor name does not fix the problem - there continues to be an
issue with the interface name - it's just that the sensor name was hitting
an error first.  If anyone has further insight into this issue - it would be
appreciated.   I've been struggling to find any help because most people
think that I'm not configuring my permissions properly.  This is the first
time in awhile that so many people are having the same concern - please
forward your issues to Roman - as I have no choice but to stay on a Windows
platform and therefore can't modify the snort executable.


- Mike

-----Original Message-----
From: Mike Couch 
Sent: Thursday, November 13, 2003 1:37 PM
To: 'roman at ...438...'
Subject: snort & slashes with mysql

MySQL, Windows, Snort 2.04 - interface call returns a '/' in spo_database.c
near line 320 this is the escape character in mySQL syntax

DB structure and permissions are totally fine


- Mike

-----Original Message-----
From: James Haworth [mailto:james.haworth at ...10021...]
Sent: Wednesday, November 12, 2003 4:42 PM
To: Mike Couch
Subject: RE: snort & slashes

Hi Mike.
I haven't found a solution to this problem as yet. It is caused by the
Packet Capture driver returning a blank interface name within Windows. This
is then interpreted by Snort as a "\" which is the escape character within
MySQL and therefore you get the error. 
I have tried many ways of getting this to work, and unless you remove the
MySQL support, then it fails. I have opted to go for Red Hat Linux base
which doesn't experience this problem until I can find a fix for it.
Sorry I couldn't be more help. Let me know if you find a solution for this.
James Haworth

	-----Original Message----- 
	From: Mike Couch [mailto:michael.couch at ...10527...] 
	Sent: Wed 12/11/2003 18:44 
	To: James Haworth 
	Subject: snort & slashes
	Hi James,
	I hope you don't mind me contacting you - but I found your email
address on a newsgroup posting....anyways - I just was wondering if you ever
found a solution to the problem you were having below in September...I've
been spending way too much time on the same issue and haven't found any
helpful advise....thanks very much...
	- Mike
	When I start Snort, I get the following error. Has anybody seen this
error, or know how to resolve it as I am getting it on every box that I
install it on?
	James Haworth
	C:\Snort\bin>snort -i 2 -c c:\snort\etc\snort.conf -v
	Running in IDS mode
	Log directory = log
	Initializing Network Interface \
	        --== Initializing Snort ==--
	Initializing Output Plugins!
	Decoding Ethernet on interface \
	Initializing Preprocessors!
	Initializing Plug-ins!
	Parsing Rules file c:\snort\etc\snort.conf
	Initializing rule chains...
	No arguments to frag2 directive, setting defaults to:
	    Fragment timeout: 60 seconds
	    Fragment memory cap: 4194304 bytes
	    Fragment min_ttl:   0
	    Fragment ttl_limit: 5
	    Fragment Problems: 0
	    Self preservation threshold: 500
	    Self preservation period: 90
	    Suspend threshold: 1000
	    Suspend period: 30
	Stream4 config:
	    Stateful inspection: ACTIVE
	    Session statistics: INACTIVE
	    Session timeout: 30 seconds
	    Session memory cap: 8388608 bytes
	    State alerts: INACTIVE
	    Evasion alerts: ACTIVE
	    Scan alerts: ACTIVE
	    Log Flushed Streams: INACTIVE
	    MinTTL: 1
	    TTL Limit: 5
	    Async Link: 0
	    State Protection: 0
	    Self preservation threshold: 50
	    Self preservation period: 90
	    Suspend threshold: 200
	    Suspend period: 30
	Stream4_reassemble config:
	    Server reassembly: INACTIVE
	    Client reassembly: ACTIVE
	    Reassembler alerts: ACTIVE
	    Ports: 21 23 25 53 80 110 111 143 513 1433
	    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
	http_decode arguments:
	    Unicode decoding
	    IIS alternate Unicode decoding
	    IIS double encoding vuln
	    Flip backslash to slash
	    Include additional whitespace separators
	    Ports to decode http on: 80
	rpc_decode arguments:
	    Ports to decode RPC on: 111 32771
	    alert_fragments: INACTIVE
	    alert_large_fragments: ACTIVE
	    alert_incomplete: ACTIVE
	    alert_multiple_requests: ACTIVE
	telnet_decode arguments:
	    Ports to decode telnet on: 21 23 25 119
	Using LOCAL time
	database: compiled support for ( mysql odbc )
	database: configured to use mysql
	database:          user = root
	database: database name = snort
	database:          host = localhost
	Node unique name is: EO52:\
	database:   sensor name = EO52:\
	database: mysql_error: You have an error in your SQL syntax.  Check
the manual t
	hat corresponds to your MySQL server version for the right syntax to
use near '\
	' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
	database: mysql_error: You have an error in your SQL syntax.  Check
the manual t
	hat corresponds to your MySQL server version for the right syntax to
use near '\
	','1','0', '0')' at line 1
	SQL=INSERT INTO sensor (hostname, interface, detail, encoding,
last_cid) VALUES
	('EO52:\','\','1','0', '0')
	database: mysql_error: You have an error in your SQL syntax.  Check
the manual t
	hat corresponds to your MySQL server version for the right syntax to
use near '\
	' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
	database: Problem obtaining SENSOR ID (sid) from snort->sensor
	When this plugin starts, a SELECT query is run to find the sensor id
for the
	currently running sensor. If the sensor id is not found, the plugin
will run
	an INSERT query to insert the proper data and generate a new sensor
id. Then a
	SELECT query is run to get the newly allocated sensor id. If that
fails then
	this error message is generated.
	Some possible causes for this error are:
	  * the user does not have proper INSERT or SELECT privileges
	  * the sensor table does not exist
	If you are _absolutely_ certain that you have the proper privileges
set and
	that your database structure is built properly please let me know if
	continue to get this error. You can contact me at
(roman at ...438...).
	Fatal Error, Quitting..
	Snort Interfaces Available Command (snort -W)
	C:\Snort\bin>snort -W
	-*> Snort! <*-
	Version 2.0.1-ODBC-MySQL-FlexRESP-WIN32 (Build 88)
	By Martin Roesch (roesch at ...1935..., www.snort.org)
	1.7-WIN32 Port By Michael Davis (mike at ...92...,
	1.8 - 2.0 WIN32 Port By Chris Reid
(chris.reid at ...3029...)
	Interface       Device          Description
	1  \Device\Packet_NdisWanIp (NdisWan Adapter)
	2 \Device\Packet_{165D21FE-FB6F-4BFE-80C0-C783B23164BE} (SiS NIC
	Mike Couch
	IT Specialist
	416-864-0440 x[224]
	416-864-1881 fax
	mike.couch at ...10527... <mailto:mike.couch at ...10527...> 
	http://www.eloqua.com <http://www.eloqua.com/> 

(ᡛtȱy tޘi+^)o۬z&j)b	bԧn
%z(v*~i X	۬

More information about the Snort-users mailing list