Snort mailing list archives
Additional debugging information: Query execution error: Database ERROR:Unknown column 'ip_src0' in 'field list'
From: Bruce Platt <Bruce () ei3 com>
Date: Fri, 15 Feb 2002 17:09:03 -0500
I set $debug_mode=1 in acid_conf.php, and here is the additional debugging
info produced when this error occurs:
importing GET var 'submit'
importing GET var 'current_view'
importing GET var 'num_result_rows'
Warning: Cannot send session cache limiter - headers already sent (output
started at /var/www/html/acid/acid_common.php:273) in
/var/www/html/acid/acid_common.php on line 125
Session Registered
importing GET var 'time'
Checking for DB abstraction lib in '/var/www/html/acid/adodb.inc.php'
URL: '/acid/acid_pkt_main.php' (refered by:
'http://webserver/acid/acid_main.php')
PARAMETERS:
'&num_result_rows=-1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=+&submit=Query+
DB&current_view=-1'
CLIENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461;
Q312461)
SERVER: Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.6
OpenSSL/0.9.5a DAV/1.0.1 PHP/4.0.5 mod_perl/1.24
DATABASE TYPE: mysql
PHP VERSION: 4.0.5 DB ABSTRACTION VERSION:
new: ''
submit: 'Query DB'
sort_order: ''
num_result_rows: '-1' current_view: '-1'
layer4: ''
time_cnt ip_addr_cnt ip_field_cnt tcp_port_cnt tcp_field_cnt udp_port_cnt
udp_field_cnt icmp_field_cnt data_cnt
0 0 0 0 0 0 0 0 0
caller =
action=
ag_add_key=
--------------------------------------------------------------------------------
IP first 0 0 0 0
IP masking 0 0 0 0 = 0
IP back 0: 0 0 0 0
SQL (save_sql): SELECT event.sid, event.cid, signature, timestamp, ip_src0,
ip_src1, ip_src2, ip_src3, ip_dst0, ip_dst1, ip_dst2, ip_dst3, ip_proto FROM
event INNER JOIN iphdr ON event.sid=iphdr.sid AND event.cid=iphdr.cid WHERE
event.cid > 0Query execution error: Database ERROR:Unknown column 'ip_src0'
in 'field list'
SELECT event.sid, event.cid, signature, timestamp, ip_src0, ip_src1,
ip_src2, ip_src3, ip_dst0, ip_dst1, ip_dst2, ip_dst3, ip_proto FROM event
LEFT JOIN iphdr ON event.sid=iphdr.sid AND event.cid=iphdr.cid WHERE
event.cid > 0
If I look at my iphdr table, there are only these fields defined:
mysql> desc iphdr;
+----------+----------------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+----------+----------------------+------+-----+---------+-------+
| sid | int(10) unsigned | | PRI | 0 | |
| cid | int(10) unsigned | | PRI | 0 | |
| ip_src | int(10) unsigned | | MUL | 0 | |
| ip_dst | int(10) unsigned | | MUL | 0 | |
| ip_ver | tinyint(3) unsigned | YES | | NULL | |
| ip_hlen | tinyint(3) unsigned | YES | | NULL | |
| ip_tos | tinyint(3) unsigned | YES | | NULL | |
| ip_len | smallint(5) unsigned | YES | | NULL | |
| ip_id | smallint(5) unsigned | YES | | NULL | |
| ip_flags | tinyint(3) unsigned | YES | | NULL | |
| ip_off | smallint(5) unsigned | YES | | NULL | |
| ip_ttl | tinyint(3) unsigned | YES | | NULL | |
| ip_proto | tinyint(3) unsigned | | | 0 | |
| ip_csum | smallint(5) unsigned | YES | | NULL | |
+----------+----------------------+------+-----+---------+-------+
This is for schema version 104 from the snort-stable which I downloaded
yesterday.
I have seen posts where people clearly have 22 fields in iphdr, the 14
above plus ip_src0 - ip_src4 and ip_dst0 - ip_dst4.
Where do these come from? Where can I find the definition file to load into
mysql?
Any and all help greatly appreciated.
Regards,
Bruce
-----Original Message-----
From: Bruce Platt [mailto:Bruce () ei3 com]
Sent: Friday, February 15, 2002 1:12 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Query execution error: Database ERROR:Unknown
column 'ip_src0' in 'field list'
I now have yesterday's snort-stable running and logging happily to a mysql
db. Using acid 0.9.6b20, I receive the following error when attempting to
query db about alert details:
Database ERROR:Unknown column 'ip_src0' in 'field list'. Similar error for
ip_dst0.
Looking at some posts using a google search suggests that last year there
was some discussion related to b10 release of acid and the fact that not all
necessary code was committed.
Examining the snort-stable/contrib/create_mysql shows no fields labeled
ip_src0 in the definitions, however, there is clearly a field labeled
ip_src in the iphdr table definition as well as ip_dst.
Have I left out an important step somewhere, should I have used some other
version of create_mysql?
Thanks and regards
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
