Snort mailing list archives
RE: ACID errors
From: pbsarnac () ThoughtWorks com
Date: Tue, 25 Sep 2001 18:36:27 -0500
Slowly learning SQL here, and figuring some of this out. It looks like ACID
is barfing because the ref_id number in the sig_reference table is set to 0
for these alerts. If I do an UPDATE and assign a likely candidate from the
reference table, the queries will complete, and ACID works... to a degree.
The URLs for the ref_tag in the reference table aren't showing up properly
in ACID. When I look at the table, they've been truncated. Looking at the
desc of the reference table shows that the ref_tag field is a varchar(20),
and the URLs from the snort rule are 38 characters long. Did the schema
update somewhere that I didn't catch, or do we need to change the size of
that field?
Anyway, since I'm still not sure what I'm doing here, I'm guessing that
when snort sends the output to MySQL, MySQL complains because the ref_tag
value from this rule doesn't fit. At that point, Snort doesn't finish
inserting the rest of the info from the rule. The ref_id never gets matched
up in the sig_reference table, so instead we get the default of 0. Because
the ref_id is 0, there is no match for it in the reference table, and ACID
barfs when trying to look up the ref_system_name from the reference_system
table with a null ref_system_id. Does that sound about right?
If I'm correct, it looks like either the rule's reference tag needs to get
shorter, or the reference table needs to get bigger.
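The failure chain described in the message above, as an added example that is not part of this thread or of the Snort/ACID code: a cut-down copy of the three tables using the column names the mail uses (the full Snort schema of the period is assumed, not quoted from the page), the insert of the rule's reference tag into the varchar(20) column, a diagnostic query for sig_reference rows whose ref_id points at nothing, and the ALTER TABLE that widens the column. The chosen width of 255 is an assumption.

```sql
-- Added example, not from the thread. Column sets are assumed; only the names
-- reference_system.ref_system_id/ref_system_name, reference.ref_id/ref_tag and
-- sig_reference.ref_id come from the mail.

CREATE TABLE reference_system (
  ref_system_id   INT UNSIGNED NOT NULL AUTO_INCREMENT,
  ref_system_name VARCHAR(20)  NOT NULL,
  PRIMARY KEY (ref_system_id)
);

CREATE TABLE reference (
  ref_id        INT UNSIGNED NOT NULL AUTO_INCREMENT,
  ref_system_id INT UNSIGNED NOT NULL,
  ref_tag       VARCHAR(20)  NOT NULL,   -- the width the mail reports
  PRIMARY KEY (ref_id)
);

CREATE TABLE sig_reference (
  sig_id  INT UNSIGNED NOT NULL,
  ref_seq INT UNSIGNED NOT NULL,
  ref_id  INT UNSIGNED NOT NULL,          -- 0 in the broken rows
  PRIMARY KEY (sig_id, ref_seq)
);

INSERT INTO reference_system (ref_system_name) VALUES ('url');   -- gets id 1

-- The tag from the rule. MySQL without strict mode (the only behaviour
-- available in 2001) silently cuts it to 20 characters; with strict mode
-- (5.0 and later) the INSERT is rejected instead.
INSERT INTO reference (ref_system_id, ref_tag)
VALUES (1, 'www.cert.org/advisories/CA-2001-26.html');

-- Shows the truncated value 'www.cert.org/advisor' and its length 20.
SELECT ref_id, ref_tag, CHAR_LENGTH(ref_tag) AS len FROM reference;

-- A row as the mail describes it: ref_id left at the default 0.
INSERT INTO sig_reference (sig_id, ref_seq, ref_id) VALUES (1284, 1, 0);

-- Diagnostic: every sig_reference row whose ref_id has no reference row.
-- These are the rows that make ACID build the lookup with an empty
-- ref_system_id and fail with the syntax error shown in the debug log.
SELECT s.sig_id, s.ref_seq, s.ref_id
FROM sig_reference AS s
LEFT JOIN reference AS r ON r.ref_id = s.ref_id
WHERE r.ref_id IS NULL;

-- The lookup chain ACID walks; with the orphan row it yields a NULL
-- ref_system_id rather than a name.
SELECT s.sig_id, r.ref_tag, rs.ref_system_name
FROM sig_reference AS s
LEFT JOIN reference        AS r  ON r.ref_id = s.ref_id
LEFT JOIN reference_system AS rs ON rs.ref_system_id = r.ref_system_id;

-- Fix on the schema side: widen the column so the whole tag fits.
-- Existing truncated rows are not repaired by this; they need re-inserting.
ALTER TABLE reference MODIFY ref_tag VARCHAR(255) NOT NULL;
```

Run the diagnostic SELECT before and after the ALTER TABLE: widening the column stops new tags from being cut short, but rows already stored truncated, and sig_reference rows already written with ref_id 0, stay as they are until the affected signatures are re-inserted.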
----- Forwarded by Patrick B Sarnacke/Corporate/ThoughtWorks/US on 09/25/2001 06:13 PM -----

From: pbsarnac () ThoughtWorks com
Sent by: snort-users-admin@lists.sourceforge.net
Date: 09/25/2001 04:57 PM
To: snort-users () lists sourceforge net
cc:
Subject: RE: [Snort-users] ACID errors
No go, however when I was poking through my new acid_conf.php, I saw the
debug options (doh! should have looked there first!). I turned on debugging
and SQL logging. Here's what pops up. Does it mean anything to anyone? (I
removed the 'Meta Criteria' box and the table headers for fear that my
email server would mangle them outbound. If you feel that they might be
important, let me know and I'll attach a screenshot.)
URL: '/acid/acid_qry_main.php' (referred by:
'http://sumadre.thoughtworks.com/acid/acid_qry_main.php?new=1')
PARAMETERS: ''
CLIENT: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.3)
Gecko/20010801
SERVER: Apache/1.3.20 (Unix) PHP/4.0.6
SERVER HW: Linux sumadre.thoughtworks.com 2.4.2-2 #1 Sun Apr 8
20:41:30 EDT 2001 i686 unknown
DATABASE TYPE: mysql DB ABSTRACTION VERSION:
PHP VERSION: 4.0.6 PHP API: apache
SESSION ID: 78c4723428cf46d757dcef531aba1fee
Checking for DB abstraction lib in '/home/httpd/html/adodb/adodb.inc.php'
sensor #1: event.cid = 19203, acid_event.cid = 19203
sensor #2: event.cid = 230, acid_event.cid = 230
sensor #3: event.cid = 14931, acid_event.cid = 14931
sensor #4: event.cid = 0, acid_event.cid = 0
Added 0 alert(s) to the Alert cache
new: '1'
submit: 'Query DB'
sort_order: ''
num_result_rows: '-1' current_view: '-1'
layer4: '' caller: ''
action: '' action_arg: ''
Initial/Canned Query or Sort Clicked
SQL (save_sql): SELECT acid_event.sid, acid_event.cid, signature,
timestamp, ip_src, ip_dst, ip_proto FROM acid_event WHERE acid_event.sid >
0 AND sig_name LIKE '%WEB-MISC readme.eml attempt%' AND ( ( YEAR(timestamp)
= 2001 AND MONTH(timestamp) = 09 AND DAYOFMONTH(timestamp) = 25 ) )
Valid Canned Query List
Array
(
[last_tcp] => Array
(
[0] => 15
[1] => Last TCP
[2] => time_d
)
[last_udp] => Array
(
[0] => 15
[1] => Last UDP Alerts
[2] => time_d
)
[last_icmp] => Array
(
[0] => 15
[1] => Last ICMP Alerts
[2] => time_d
)
[last_any] => Array
(
[0] => 15
[1] => Last Alerts
[2] => time_d
)
)
Query State
caller = ''
num_result_rows = '1'
sort_order = ''
current_view = '0'
action_arg = ''
action = ''
SELECT acid_event.sid, acid_event.cid, signature, timestamp, ip_src,
ip_dst, ip_proto FROM acid_event WHERE acid_event.sid > 0 AND sig_name LIKE
'%WEB-MISC readme.eml attempt%' AND ( ( YEAR(timestamp) = 2001 AND
MONTH(timestamp) = 09 AND DAYOFMONTH(timestamp) = 25 ) )
Displaying alerts 1-1 of 1 total
Database ERROR:You have an error in your SQL syntax near '' at line 1
SELECT ref_system_name FROM reference_system WHERE ref_system_id=
From: Steve Halligan <agent33 () geeksquad com>
Sent by: snort-users-admin@lists.sourceforge.net
Date: 09/25/2001 04:15 PM
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
cc:
Subject: RE: [Snort-users] ACID errors
If this is accurate and you are using ACID v0.9.6b1, you should upgrade to a
newer version. It is up to v0.9.6b16 in CVS and b15 in tarball.

-steve
Snort Version 1.8.1-RELEASE (Build 74)
ACID v0.9.6b1

These are the signatures (from the snort.sourcefire.com ruleset):

web-misc.rules:alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml autoload attempt"; flags:A+; content:"window.open (\"readme.eml\""; nocase; classtype:attempted-user; sid:1290; rev:3; reference:url,www.cert.org/advisories/CA-2001-26.html;)
web-misc.rules:alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml attempt"; flags:A+; uricontent:"readme.eml"; nocase; classtype:attempted-user; sid:1284; rev:3; reference:url,www.cert.org/advisories/CA-2001-26.html;)

Any help is greatly appreciated!

Thanks,
pat s.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users