Snort mailing list archives

Re: [ACID] - trying to keep up


From: rdanyliw () voicenet com
Date: Mon, 25 Jun 2001 11:32:41 US/Eastern

I am using latest acid from CVS and latest contrib/create_mysql from CVS.
mysql  Ver 9.38
PHP Version 4.0.5 

error #1
Creating database:
bash# mysql snort< create_mysql
ERROR 1121 at line 34: Column 'sig_class_id' is used with UNIQUE or INDEX
but is not defined as NOT NULL

The above error goes away if I append "NOT NULL" to line 36, but is this
right?

As I recollect, older versions of MySQL had problems with creating INDEXes on
"NOT NULL" fields.  In this case, I would remove the index which caused the error
instead of making the field "NOT NULL".  This change could potentially cause 
problems when logging from Snort with an alert which had no classification.  

Using acid after the above change.
I don't know if it makes a difference to the sid/cid stuff but I am
populating my database from a pcap-style dump file captured via iptables
QUEUE. This means the sid reads:
[reading from a file]

Let's confirm a couple of things:
- So you are logging to the Snort-style database from iptables.
- What does "This means the sid reads: [reading from a file]" mean?  The fields
"event.sid" and "sensor.sid" are text strings?  "event.sid" and "event.cid" need
to be numeric.

When I try to click on and use acid_stat_ipaddr.php:
Database ERROR:You have an error in your SQL syntax near 'ON
(event.sid=iphdr.sid AND event.cid=iphdr.cid) WHERE ( (ip_src=1079064628)
OR ' at line 1

This error might be related to your previous comment.  Turn on debug mode
(i.e. set the $debug_mode variable =1 in acid_conf.php), and what is the
full SQL statement which you are trying to execute?

Roman

