[Snort-users] RE: slashes in SQL statement a problem?

wfz at ...7588... wfz at ...7588...
Thu Dec 4 08:11:01 EST 2003

Hi Mike (Couch), perhaps by now you´ve solved the problem by yourself, but anyway...

I´ve ran into the same problem while trying to use a secondary sensor (a W2K one)to log to a remote MySQL database:

> database: Problem obtaining SENSOR ID (sid) from snort->sensor

but after searching the mailings and testing for three days, I finally arrived at the problem;
sniffing, I saw that the string snort was sending to MySQL was wrong:

> SELECT sid FROM sensor WHERE hostname='Sensor2' AND interface='\' AND detail='1' AND encoding='0' AND > filter IS NULL

the problem here is the backslash after interface, which -i think- escapes the preceding sinqle quote, thus the rest of the staement is ignored and produces a syntax error.

After that I searched the archives and found in SNORT-developers one message telling about pcap sending unicode characters to snort when queried about the interface, or something like that.
That was the problem, look at this

> C:\Snort\bin>snort -de -c c:\snort\etc\snort.conf -l c:\snort\log -i1
> Running in IDS mode
> Log directory = c:\snort\log

> Initializing Network Interface \

> --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface \
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file c:\snort\etc\snort.conf

Snort uses '\' as the listening interface name or number, and it´s OK until it passes it to MySQL as
an argument for the above described query.
MySQL gives a syntax error and so snort dies.

I´ve seen a lot of questions about this problem on the net and didn´t find a complete answer, so i think this posting can help.
I solved the problem downgrading to snort 2.0.0, so if anyone of the developers team is reading this, please take it into acccount for correcting it.
I´ll try to post a similar text in the bugs list so they can fix it.
I´m no good at programming so I can´t help anymore.



Todavía no tenés tu Ciudad Internet Mail? Obtenelo ahora! - http://webmail.ciudad.com.ar

Descargá Gratis el nuevo Internet Explorer 6.0, el mejor software para actualizar tu PC.

More information about the Snort-users mailing list