[Snort-users] RE: slashes in SQL statement a problem?
wfz at ...7588...
Thu Dec 4 08:11:01 EST 2003
Hi Mike (Couch), perhaps by now you've solved the problem by yourself, but anyway...
I've run into the same problem while trying to use a secondary sensor (a W2K one) to log to a remote MySQL database:
> database: Problem obtaining SENSOR ID (sid) from snort->sensor
but after searching the mailings and testing for three days, I finally arrived at the problem;
sniffing, I saw that the string snort was sending to MySQL was wrong:
> SELECT sid FROM sensor WHERE hostname='Sensor2' AND interface='\' AND detail='1' AND encoding='0' AND filter IS NULL
the problem here is the backslash after interface, which, I think, escapes the preceding single quote, thus the rest of the statement is ignored and produces a syntax error.
After that I searched the archives and found in SNORT-developers one message telling about pcap sending unicode characters to snort when queried about the interface, or something like that.
That was the problem, look at this
> C:\Snort\bin>snort -de -c c:\snort\etc\snort.conf -l c:\snort\log -i1
> Running in IDS mode
> Log directory = c:\snort\log
> Initializing Network Interface \
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface \
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file c:\snort\etc\snort.conf
Snort uses '\' as the listening interface name or number, and it's OK until it passes it to MySQL as
an argument for the query described above.
MySQL gives a syntax error and so snort dies.
I've seen a lot of questions about this problem on the net and didn't find a complete answer, so I think this posting can help.
I solved the problem by downgrading to snort 2.0.0, so if anyone on the developers' team is reading this, please take it into account for correcting it.
I'll try to post a similar text in the bugs list so they can fix it.
I'm no good at programming so I can't help anymore.
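An added illustration, not part of the original post and not Snort's code: in MySQL's default SQL mode a backslash inside a quoted string is an escape character, so the sniffed `interface='\'` leaves a string literal open and the statement fails to parse. The C sketch below checks the query from the post with the interface name interpolated as-is and again after escaping; the helper names `escape_literal`, `literals_balanced` and `sensor_query_balanced` are hypothetical.

```c
#include <stdio.h>

/* Escape src for a single-quoted MySQL literal (default SQL mode, where
 * backslash is an escape character). Returns length, or -1 if dst is too small. */
int escape_literal(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (; *src; src++) {
        int special = (*src == '\\' || *src == '\'');
        if (o + (special ? 2 : 1) >= dstlen) return -1;
        if (special) dst[o++] = '\\';
        dst[o++] = *src;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Returns 1 if every single-quoted literal in sql is closed, 0 otherwise. */
int literals_balanced(const char *sql)
{
    int in_str = 0;
    for (; *sql; sql++) {
        if (in_str && *sql == '\\' && sql[1])
            sql++;                      /* backslash consumes the next byte */
        else if (in_str && *sql == '\'' && sql[1] == '\'')
            sql++;                      /* '' is a quote inside the literal */
        else if (*sql == '\'')
            in_str = !in_str;
    }
    return !in_str;
}

/* Interpolates iface as-is into the sensor lookup quoted in the post and
 * returns literals_balanced() of the result, or -1 if out is too small. */
int sensor_query_balanced(const char *iface, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "SELECT sid FROM sensor WHERE hostname='Sensor2' AND "
                     "interface='%s' AND detail='1' AND encoding='0' AND filter IS NULL", iface);
    return (n < 0 || (size_t)n >= outlen) ? -1 : literals_balanced(out);
}

int main(void)
{
    char esc[16], q[256];
    printf("raw interface:     balanced=%d\n", sensor_query_balanced("\\", q, sizeof q));
    if (escape_literal("\\", esc, sizeof esc) < 0) return 1;
    printf("escaped interface: balanced=%d\n", sensor_query_balanced(esc, q, sizeof q));
    return 0;
}
```

Against a real server, the client library's `mysql_real_escape_string()` or a prepared statement does this escaping; the hand-written function only keeps the example self-contained.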