Snort mailing list archives

RE: slashes in SQL statement a problem?


From: <wfz () ciudad com ar>
Date: Thu, 04 Dec 2003 13:10:23 -0300


Hi Mike (Couch), perhaps by now you've solved the problem by yourself, but anyway...

I've run into the same problem while trying to use a secondary sensor (a W2K one) to log to a remote MySQL database:

database: Problem obtaining SENSOR ID (sid) from snort->sensor

But after searching the mailings and testing for three days, I finally arrived at the problem;
sniffing, I saw that the string Snort was sending to MySQL was wrong:

SELECT sid FROM sensor WHERE hostname='Sensor2' AND interface='\' AND detail='1' AND encoding='0' AND > filter IS NULL

The problem here is the backslash after interface, which, I think, escapes the preceding single quote, thus the rest of the statement is ignored and produces a syntax error.

After that I searched the archives and found in SNORT-developers one message telling about pcap sending Unicode characters to Snort when queried about the interface, or something like that.
That was the problem, look at this:

C:\Snort\bin>snort -de -c c:\snort\etc\snort.conf -l c:\snort\log -i1
Running in IDS mode
Log directory = c:\snort\log

Initializing Network Interface \

--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file c:\snort\etc\snort.conf

Snort uses '\' as the listening interface name or number, and it's OK until it passes it to MySQL as an argument for the above described query.
MySQL gives a syntax error and so Snort dies.

I've seen a lot of questions about this problem on the net and didn't find a complete answer, so I think this posting can help.
I solved the problem by downgrading to Snort 2.0.0, so if anyone on the developers team is reading this, please take it into account for correcting it.
I'll try to post a similar text in the bugs list so they can fix it.
I'm no good at programming so I can't help anymore.


Cheers.
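Added example, not part of the original post and not Snort's own code: it rebuilds the sensor lookup quoted above with the interface name `\`, first unescaped and then escaped, and checks whether the string literals still close under MySQL's default backslash-escape rules. The function names `sql_escape`, `quotes_balanced` and `build_query` are hypothetical, and `sql_escape` is a hand-written stand-in for the MySQL C API's `mysql_real_escape_string()` so the block runs without a server.

```c
#include <stdio.h>
#include <string.h>

/* Escape a value for a single-quoted MySQL literal (default sql_mode,
 * backslash is the escape character). 0 on success, -1 if dst too small. */
int sql_escape(char *dst, size_t dstlen, const char *src) {
    size_t o = 0;
    if (dstlen == 0) return -1;
    for (; *src; src++) {
        int special = (*src == '\\' || *src == '\'');
        if (o + (special ? 2 : 1) >= dstlen) return -1;
        if (special) dst[o++] = '\\';
        dst[o++] = *src;
    }
    dst[o] = '\0';
    return 0;
}

/* Scan quotes as the server does: inside '...', a backslash consumes the
 * next character and '' is a literal quote. 1 if all literals are closed. */
int quotes_balanced(const char *sql) {
    int in_str = 0;
    for (; *sql; sql++) {
        if (!in_str) { if (*sql == '\'') in_str = 1; }
        else if (*sql == '\\' && sql[1]) sql++;
        else if (*sql == '\'') { if (sql[1] == '\'') sql++; else in_str = 0; }
    }
    return !in_str;
}

/* Build the lookup from the post; escape != 0 escapes both values first. */
int build_query(char *out, size_t outlen, const char *host,
                const char *iface, int escape) {
    char hb[128], ib[128];
    if (escape) {
        if (sql_escape(hb, sizeof hb, host) || sql_escape(ib, sizeof ib, iface))
            return -1;
        host = hb; iface = ib;
    }
    int n = snprintf(out, outlen,
        "SELECT sid FROM sensor WHERE hostname='%s' AND interface='%s' "
        "AND detail='1' AND encoding='0' AND filter IS NULL", host, iface);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void) {
    char q[512];
    for (int esc = 0; esc <= 1; esc++)   /* constructed input: iface "\" */
        if (build_query(q, sizeof q, "Sensor2", "\\", esc) == 0)
            printf("%s\n  literals closed: %d\n", q, quotes_balanced(q));
    return 0;
}
```

With the value escaped, the query carries `interface='\\'`, which the server reads as a one-character string holding a backslash.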