Snort mailing list archives

Re: slashes in SQL statement a problem?


From: "jon baer" <security () jonbaer net>
Date: Tue, 11 Nov 2003 10:13:12 -0500

You can try escaping the slash (i.e. just add another one) ... D-TRITON:\\ which would mean to take the slash literally ...

Normally in PHP apps it's common to use a method to add slashes so the DB does not choke:

$sql = addslashes($sql);
http://us4.php.net/addslashes

It could also be if you have a ' character around sensor name ...

- jon
----- Original Message ----- 
  From: Mike Couch 
  To: snort-users () lists sourceforge net 
  Sent: Monday, November 10, 2003 12:23 PM
  Subject: [Snort-users] slashes in SQL statement a problem?


  Hi,

  Can't get snort to output into MySQL running on Windows 2K Box - permissions are fine....I think it has something to do with the slashes in the 'sensor name' when trying to execute the first SQL query...

  when I take the SQL from the error message and try to run it in MySQL (logged in with the same user) the SQL statement is not valid because of the '\' in the VALUES section of the statement....

  my output database line is set to mysql and seems not to be the problem....

  do I need to wait for a snort.exe to account for slashes in sensor names or is there something I'm missing?? error message below - any help is appreciated...

  - Mike


  C:\Snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -i3
  Running in IDS mode
  Log directory = c:\snort\log

  Initializing Network Interface \

          --== Initializing Snort ==--
  Initializing Output Plugins!
  Decoding Ethernet on interface \
  Initializing Preprocessors!
  Initializing Plug-ins!
  Parsing Rules file c:\snort\etc\snort.conf

  +++++++++++++++++++++++++++++++++++++++++++++++++++
  Initializing rule chains...
  No arguments to frag2 directive, setting defaults to:
      Fragment timeout: 60 seconds
      Fragment memory cap: 4194304 bytes
      Fragment min_ttl:   0
      Fragment ttl_limit: 5
      Fragment Problems: 0
      Self preservation threshold: 500
      Self preservation period: 90
      Suspend threshold: 1000
      Suspend period: 30
  Stream4 config:
      Stateful inspection: ACTIVE
      Session statistics: INACTIVE
      Session timeout: 30 seconds
      Session memory cap: 8388608 bytes
      State alerts: INACTIVE
      Evasion alerts: INACTIVE
      Scan alerts: ACTIVE
      Log Flushed Streams: INACTIVE
      MinTTL: 1
      TTL Limit: 5
      Async Link: 0
      State Protection: 0
      Self preservation threshold: 50
      Self preservation period: 90
      Suspend threshold: 200
      Suspend period: 30
  Stream4_reassemble config:
      Server reassembly: INACTIVE
      Client reassembly: ACTIVE
      Reassembler alerts: ACTIVE
      Zero out flushed packets: INACTIVE
      flush_data_diff_size: 500
      Ports: 21 23 25 53 80 110 111 143 513 1433
      Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
  http_decode arguments:
      Unicode decoding
      IIS alternate Unicode decoding
      IIS double encoding vuln
      Flip backslash to slash
      Include additional whitespace separators
      Ports to decode http on: 80
  rpc_decode arguments:
      Ports to decode RPC on: 111 32771
      alert_fragments: INACTIVE
      alert_large_fragments: ACTIVE
      alert_incomplete: ACTIVE
      alert_multiple_requests: ACTIVE
  telnet_decode arguments:
      Ports to decode telnet on: 21 23 25 119
  database: compiled support for ( mysql odbc mssql )
  database: configured to use mysql
  database:          user = snort
  database: password is set
  database: database name = snort
  database:          host = 10.100.100.30
  database:   sensor name = D-TRITON:\
  database: mysql_error: You have an error in your SQL syntax.  Check the manual t
  hat corresponds to your MySQL server version for the right syntax to use near '\
  ' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
  database: mysql_error: You have an error in your SQL syntax.  Check the manual t
  hat corresponds to your MySQL server version for the right syntax to use near '\
  ','1','0', '0')' at line 1
  SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid) VALUES
  ('D-TRITON:\','\','1','0', '0')
  database: mysql_error: You have an error in your SQL syntax.  Check the manual t
  hat corresponds to your MySQL server version for the right syntax to use near '\
  ' AND detail = '1' AND encoding = '0' AND filter IS NULL' at l
  database: Problem obtaining SENSOR ID (sid) from snort->sensor
  ERROR:
   When this plugin starts, a SELECT query is run to find the sensor id for the
   currently running sensor. If the sensor id is not found, the plugin will run
   an INSERT query to insert the proper data and generate a new sensor id. Then a
   SELECT query is run to get the newly allocated sensor id. If that fails then
   this error message is generated.

   Some possible causes for this error are:
    * the user does not have proper INSERT or SELECT privileges
    * the sensor table does not exist

   If you are _absolutely_ certain that you have the proper privileges set and
   that your database structure is built properly please let me know if you
   continue to get this error. You can contact me at (roman () danyliw com).

  Fatal Error, Quitting..



  --------------------

  Mike Couch
  IT Specialist
  416-864-0440 x[224]
  416-864-1881 fax
  mike.couch () eloqua com
  http://www.eloqua.com
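
Added example (not part of the original posts and not Snort's own code): a small C program that tokenizes the INSERT from the error output the way MySQL's default quoting rules do, showing why the trailing backslash in the sensor name leaves a string literal unterminated and how escaping it restores the five expected values. escape_literal() is a simplified stand-in for the client library's mysql_real_escape_string(), and literals_in_insert() is a hypothetical helper name.

```c
#include <stdio.h>
#include <string.h>

/* Simplified escaper for a '...' MySQL literal; returns length or -1 if dst is too small. */
int escape_literal(const char *src, char *dst, size_t cap) {
    size_t n = 0;
    for (; *src; src++) {
        int special = (*src == '\\' || *src == '\'');
        if (n + (special ? 2 : 1) >= cap) return -1;
        if (special) dst[n++] = '\\';
        dst[n++] = *src;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Count complete '...' literals; -1 if the statement ends inside an open literal. */
int count_literals(const char *sql) {
    int count = 0, in_str = 0;
    for (const char *p = sql; *p; p++) {
        if (!in_str) { in_str = (*p == '\''); continue; }
        if (*p == '\\' && p[1]) { p++; continue; }   /* \x escapes x, so \' does not close */
        if (*p != '\'') continue;
        if (p[1] == '\'') { p++; continue; }         /* '' is one literal quote */
        in_str = 0; count++;
    }
    return in_str ? -1 : count;
}

/* Build the sensor INSERT shown in the log, raw or escaped, and count its literals. */
int literals_in_insert(const char *host, const char *iface, int escape) {
    char h[128], i[128], sql[512];
    if (escape) {
        if (escape_literal(host, h, sizeof h) < 0 || escape_literal(iface, i, sizeof i) < 0)
            return -2;
        host = h; iface = i;
    }
    snprintf(sql, sizeof sql, "INSERT INTO sensor (hostname, interface, detail, "
             "encoding, last_cid) VALUES ('%s','%s','1','0', '0')", host, iface);
    return count_literals(sql);
}

int main(void) {
    /* Values taken from the error output: hostname "D-TRITON:\" and interface "\". */
    printf("raw: %d, escaped: %d\n", literals_in_insert("D-TRITON:\\", "\\", 0),
           literals_in_insert("D-TRITON:\\", "\\", 1));
    return 0;
}
```

In real client code, bind the sensor name as a parameter of a prepared statement or pass it through mysql_real_escape_string(), which also accounts for the connection character set.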

