# Problem w/Snort logging to mysql server after mysql upgrade

## hanj

Hello

I'm running into a problem where my firewall box (using snort) is having trouble writing snort logs to my mysql server on my LAN. I upgraded to mysql-5 from mysql-4.1.21 on the mysql server, and upgraded the client on the firewall box (including revdep-rebuild for snort). Everything appears to work fine, but occasionally I get the following messages in my logs:

```
Nov 16 08:16:16 comp snort[8504]: database: mysql_error: MySQL server has gone away SQL=BEGIN
Nov 16 08:16:16 comp snort[8504]: database: mysql_error: MySQL server has gone away
Nov 16 08:16:16 comp snort[8504]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO signature (sig_name,sig_priority,sig_rev,sig_sid) VALUES ('(http_inspect) DOUBLE DECODING ATTACK',3,1,2)
Nov 16 08:16:16 comp snort[8504]: database: mysql_error: MySQL server has gone away
Nov 16 08:16:16 comp snort[8504]: database: Problem inserting a new signature '(http_inspect) DOUBLE DECODING ATTACK'
Nov 16 08:16:16 comp snort[8504]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('3', '2573', '0', '2006-11-16 08:16:16.066+-07')
Nov 16 08:16:16 comp snort[8504]: database: mysql_error: MySQL server has gone away SQL=ROLLBACK
Nov 16 08:16:16 comp snort[8504]: [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING {TCP} xxx.xxx.xxx.xxx:4632 -> xxx.xxx.xxx.xxx:80
Nov 16 08:16:16 comp snort[8504]: database: mysql_error: MySQL server has gone away SQL=BEGIN
Nov 16 08:16:16 comp snort[8504]: database: mysql_error: MySQL server has gone away
Nov 16 08:16:16 comp snort[8504]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO signature (sig_name,sig_priority,sig_rev,sig_sid) VALUES ('(http_inspect) IIS UNICODE CODEPOINT ENCODING',3,1,7)
```

I know that snort can talk to that mysql server, and I'm logging snort alerts in BASE just fine. But this is an intermittent problem and never happened until after the upgrade to mysql5. If I try to connect from the firewall to the mysql server, I get right in:

```
comp snort # mysql -u user -p -h xxx.xxx.xxx.xxx
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 10860 to server version: 5.0.26

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> 
mysql> quit
Bye
```

Any ideas on what I can look for to track this problem down? This is a very sporadic problem. It happens once every two to three days, and not at consistent times.

Thanks!

hanji
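
An added example, not part of the original post: a Python script that groups the snort database-output errors quoted above into bursts, so the time of each failure and the alerts that reached syslog in the same second can be compared against the MySQL server's own logs. The function name, the result fields and the sample lines (constructed in the syslog format shown above, with documentation-range addresses) are assumptions.

```python
import re

# Constructed sample in the syslog format quoted in the post (not real captures).
SAMPLE = """\
Nov 16 08:16:16 comp snort[8504]: database: mysql_error: MySQL server has gone away SQL=BEGIN
Nov 16 08:16:16 comp snort[8504]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('3', '2573', '0', '2006-11-16 08:16:16.066+-07')
Nov 16 08:16:16 comp snort[8504]: database: mysql_error: MySQL server has gone away SQL=ROLLBACK
Nov 16 08:16:16 comp snort[8504]: [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING {TCP} 192.0.2.10:4632 -> 192.0.2.20:80
Nov 18 21:40:02 comp snort[8504]: database: mysql_error: MySQL server has gone away SQL=BEGIN
Nov 18 21:40:02 comp snort[8504]: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK {TCP} 192.0.2.11:3301 -> 192.0.2.20:80
Nov 18 21:45:10 comp snort[8504]: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK {TCP} 192.0.2.11:3302 -> 192.0.2.20:80
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ snort\[(\d+)\]: (.*)$")
GONE = re.compile(r"^database: mysql_error: MySQL server has gone away(?: SQL=(\w+))?")
ALERT = re.compile(r"^\[(\d+:\d+:\d+)\] (.+?) \{")


def failure_bursts(text):
    """Group lines by (timestamp, snort pid); keep groups holding a 'gone away' error."""
    groups = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or a line from another daemon
        stamp, pid, msg = m.groups()
        g = groups.setdefault(
            (stamp, int(pid)),
            {"errors": 0, "event_insert_failed": False, "alerts": []},
        )
        gone, alert = GONE.match(msg), ALERT.match(msg)
        if gone:
            g["errors"] += 1
            # A failed INSERT INTO event means that alert row never reached the database.
            if gone.group(1) == "INSERT" and "INTO event" in msg:
                g["event_insert_failed"] = True
        elif alert:
            # Heuristic: alerts logged in the same second as an error are suspect.
            g["alerts"].append(alert.groups())
    return {k: g for k, g in groups.items() if g["errors"]}


if __name__ == "__main__":
    for (stamp, pid), g in failure_bursts(SAMPLE).items():
        print(f"{stamp} pid={pid} errors={g['errors']} "
              f"event_insert_failed={g['event_insert_failed']}")
        for gid_sid_rev, name in g["alerts"]:
            print(f"    syslog alert to check in BASE: [{gid_sid_rev}] {name}")
```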

----------

## volumen1

I'm seeing this exact same problem.  I've posted a message to the snort forums about it but I haven't gotten any replies yet.  Is anyone else having difficulty with snort logging to MySQL5?

----------

## guid0

Snort logging to mysql v5 did not work for me for similar reasons.

I masked mysql v5 and higher and "downgraded" to mysql v4.

Solved my problems.

----------

