ChinaUnix forum

snort question?

Post #1 (2004-10-25 11:19)
snort command :
snort -U -d -c /etc/snort/snort.conf


the err is :

Post #2 (2004-10-25 11:21)

Post #3 (2004-10-25 11:23)

this err :
database: mysql_error: Unknown column 'sid' in 'field list'
database: mysql_error: Unknown column 'hostname' in 'field list'
SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid) VALUES ('192.168.0.10','eth0','1','0', '0')
database: mysql_error: Unknown column 'sid' in 'field list'
database: Problem obtaining SENSOR ID (sid) from snort->sensor
ERROR:
When this plugin starts, a SELECT query is run to find the sensor id for the
currently running sensor. If the sensor id is not found, the plugin will run
an INSERT query to insert the proper data and generate a new sensor id. Then a
SELECT query is run to get the newly allocated sensor id. If that fails then
this error message is generated.

why?

Post #4 (2004-10-25 11:49)

The error is:

[root@bridge floppy]# snort -U -d -c /etc/snort/snort.conf
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: YES
      IIS Delimiter: YES alert: YES
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = 192.168.0.10
database:   sensor name = 192.168.0.10
database: mysql_error: Unknown column 'sid' in 'field list'
database: mysql_error: Unknown column 'hostname' in 'field list'
SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid) VALUES ('192.168.0.10','eth0','1','0', '0')
database: mysql_error: Unknown column 'sid' in 'field list'
database: Problem obtaining SENSOR ID (sid) from snort->sensor
ERROR:
When this plugin starts, a SELECT query is run to find the sensor id for the
currently running sensor. If the sensor id is not found, the plugin will run
an INSERT query to insert the proper data and generate a new sensor id. Then a
SELECT query is run to get the newly allocated sensor id. If that fails then
this error message is generated.

Some possible causes for this error are:
  * the user does not have proper INSERT or SELECT privileges
  * the sensor table does not exist

If you are _absolutely_ certain that you have the proper privileges set and
that your database structure is built properly please let me know if you
continue to get this error. You can contact me at (roman@danyliw.com).

Fatal Error, Quitting..
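As an added example (not code from this thread and not Snort's own source), here is a small Python stand-in for the three-step sensor lookup that the error text above describes (SELECT the sensor id, INSERT if it is absent, SELECT again), together with a preflight check that lists which columns the sensor table is missing. It uses sqlite3 in place of MySQL, so the MySQL message "Unknown column ... in 'field list'" shows up as sqlite's "no such column". The column names are the ones named in the INSERT statement and error lines above; both CREATE TABLE statements and the sample hostname are constructed for the demo and are not the schema from contrib/create_mysql.

```python
"""Stand-in for the sensor-registration logic of Snort's database output
plugin, plus a schema preflight check (added example, not Snort code).

Uses sqlite3 as a substitute for MySQL; sqlite reports a wrong table shape as
"no such column" where MySQL says "Unknown column '...' in 'field list'".
"""
import sqlite3

# Columns the plugin's SELECT/INSERT on the sensor table refers to
# (taken from the error output in the thread).
REQUIRED_SENSOR_COLUMNS = {"sid", "hostname", "interface", "detail", "encoding", "last_cid"}

# Constructed for the demo: a sensor table with the columns the plugin expects.
GOOD_SCHEMA = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY AUTOINCREMENT,
    hostname  TEXT,
    interface TEXT,
    detail    INTEGER,
    encoding  INTEGER,
    last_cid  INTEGER
);
"""

# Constructed for the demo: a sensor table created by hand (or from some other
# schema) whose columns do not match what the plugin queries.
BAD_SCHEMA = """
CREATE TABLE sensor (
    id   INTEGER PRIMARY KEY AUTOINCREMENT,
    name TEXT
);
"""


def missing_sensor_columns(conn):
    """Preflight check: return the required columns absent from `sensor`."""
    rows = conn.execute("PRAGMA table_info(sensor)").fetchall()
    present = {row[1] for row in rows}  # row[1] is the column name
    return sorted(REQUIRED_SENSOR_COLUMNS - present)


def get_sensor_id(conn, hostname, interface, detail=1, encoding=0):
    """Mirror the plugin's steps: SELECT, INSERT if absent, SELECT again.

    Returns the sensor id, or raises RuntimeError with a message shaped like
    Snort's fatal error when the table does not have the expected columns.
    """
    lookup = ("SELECT sid FROM sensor WHERE hostname = ? AND interface = ? "
              "AND detail = ? AND encoding = ?")
    params = (hostname, interface, detail, encoding)
    try:
        row = conn.execute(lookup, params).fetchone()
        if row is None:
            conn.execute(
                "INSERT INTO sensor (hostname, interface, detail, encoding, last_cid) "
                "VALUES (?, ?, ?, ?, 0)",
                params)
            row = conn.execute(lookup, params).fetchone()
    except sqlite3.OperationalError as e:
        # Wrong table shape: this is the case behind the thread's error.
        raise RuntimeError(f"Problem obtaining SENSOR ID (sid) from sensor: {e}") from e
    if row is None:
        raise RuntimeError("Problem obtaining SENSOR ID (sid) from sensor")
    return row[0]


def demo(schema_sql):
    """Build an in-memory database from schema_sql and run the lookup twice."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema_sql)
    missing = missing_sensor_columns(conn)
    try:
        sid = get_sensor_id(conn, "192.168.0.10", "eth0")
        second = get_sensor_id(conn, "192.168.0.10", "eth0")  # same sensor -> same sid
        return {"missing": missing, "sid": sid, "stable": sid == second, "error": None}
    except RuntimeError as e:
        return {"missing": missing, "sid": None, "stable": False, "error": str(e)}


if __name__ == "__main__":
    print("correct table:   ", demo(GOOD_SCHEMA))
    print("mismatched table:", demo(BAD_SCHEMA))
```

Run stand-alone, it shows the two outcomes side by side: with the expected columns the sensor gets id 1 and the same id on the next lookup; with the mismatched table the lookup fails the way Snort's plugin does, and the preflight check names the missing columns, which is the quickest way to tell a missing or wrongly built sensor table apart from a privilege problem.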

Post #5 (2004-10-25 21:14)

Your Snort already fails when connecting to MySQL; go back and check whether anything is wrong with MySQL.
If there is still anything you don't understand, you can have a look at WWW.SNORT.ORG.

Post #6 (2004-10-25 21:30)

Did you create the user snort in MySQL? What about its privileges?

Post #7 (2004-10-27 09:33)

Originally posted by "skynet":
Your Snort already fails when connecting to MySQL; go back and check whether anything is wrong with MySQL.
If there is still anything you don't understand, you can have a look at WWW.SNORT.ORG.

Could you explain in more detail?
I don't quite understand where this error comes from:
database: mysql_error: Unknown column 'sid' in 'field list'
database: mysql_error: Unknown column 'hostname' in 'field list'
Thanks, please advise.

Post #8 (2004-10-27 19:26)

Write out in detail how you installed MySQL.
Normally it goes like this:

groupadd mysql
useradd -g mysql mysql
Add a line to your /root/.bash_profile:
PATH=$PATH:$HOME/bin:/usr/local/mysql/bin

Install:
tar -zxvf mysql*.tar.gz
cd mysql*
./configure --prefix=/usr/local/mysql
make
make install
scripts/mysql_install_db
chown -R root /usr/local/mysql
chown -R mysql /usr/local/mysql/var
chgrp -R mysql /usr/local/mysql
cp support-files/my-medium.cnf /etc/my.cnf

Then add to /etc/ld.so.conf:
/usr/local/mysql/lib/mysql
/usr/local/lib

ldconfig -v

You can actually go to www.snort.org; it has detailed installation documentation and answers to common problems.

Post #9 (2004-10-27 19:30)

Setting up the database in MySQL:
I will put a line with a > in front of it so you will see what the output should be. (Note: In
MySQL, a semi-colon ";" character is mandatory at the end of each input line)
(new_password is whatever password you want to give)
/usr/local/mysql/bin/mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('new_password');
> Query OK, 0 rows affected (0.25 sec)
mysql> create database snort;
> Query OK, 1 row affected (0.01 sec)
mysql> grant INSERT,SELECT on root.* to snort@localhost;
> Query OK, 0 rows affected (0.02 sec)
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('new_password');
> Query OK, 0 rows affected (0.25 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
> Query OK, 0 rows affected (0.02 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
> Query OK, 0 rows affected (0.02 sec)
mysql> exit
> Bye
From the Snort 2.1.0 source directory (/root/snortinstall/snort-2.1.0) execute the
following command (when working with MySQL, if it asks for a password it is wanting
the one you defined in the SQL statement "SET PASSWORD FOR
root@localhost=PASSWORD('new_password');")
/usr/local/mysql/bin/mysql -u root -p < ./contrib/create_mysql snort
Version 6.1 Page 16 of 23 Updated 2/14/2004 1:21 AM
Enter password:
Then install the extra DB tables using the following command from the contrib directory
(you will need to cd to contrib)
zcat snortdb-extra.gz |/usr/local/mysql/bin/mysql -p snort
Enter password:
Now you need to check and make sure that the snort DB was created correctly
/usr/local/mysql/bin/mysql -p
> Enter password:
mysql> SHOW DATABASES;
(You should see the following)
+------------+
| Database   |
+------------+
| mysql      |
| snort      |
| test       |
+------------+
3 rows in set (0.00 sec)
mysql> use snort
> Database changed
mysql> SHOW TABLES;
+------------------+
| Tables_in_snort
+------------------+
| data
| detail
| encoding
| event
| flags
| icmphdr
| iphdr
| opt
| protocols
| reference
| reference_system
| schema
| sensor
| services
| sig_class
| sig_reference
| signature
| tcphdr
| udphdr
+------------------+
19 rows in set (0.00 sec)
mysql> exit