Snort mailing list archives

ACID -- missing signature?


From: Peter Bates <peter.bates () lshtm ac uk>
Date: Mon, 6 Aug 2001 17:05:59 +0100


Hello all...

I can't see this in the FAQ, so apologies
if this is a bit of a 'silly' question...

I'm running (and have been for many months now)
snort 1.7 on Linux, snorting away at our incoming traffic,
and contemplating moving to 1.8 one of these days...

I'd tried ACID (b12) with Postgresql on the happy snorting
box, and all seemed fine... I've just tried to switch to
MySQL and b13 of ACID, and although I can see:

mysql> select * from event order by sid desc limit 5;
+-----+------+------------------------------------------------------------------------------------------------+---------------------+
| sid | cid  | signature                                                                                      | timestamp           |
+-----+------+------------------------------------------------------------------------------------------------+---------------------+
|   1 | 3033 | spp_portscan: portscan status from 194.80.67.130: 3 connections across 3 hosts: TCP(3), UDP(0) | 2001-08-06 17:01:39 |
|   1 | 3032 | ICMP Destination Unreachable (Host Unreachable)                                                | 2001-08-06 17:01:33 |
|   1 | 3031 | spp_portscan: portscan status from 194.80.67.130: 2 connections across 2 hosts: TCP(2), UDP(0) | 2001-08-06 17:01:33 |
|   1 | 3030 | ICMP Destination Unreachable (Port Unreachable)                                                | 2001-08-06 17:01:32 |
|   1 | 3029 | IDS243/web-cgi_http-cgi-pipe                                                                   | 2001-08-06 17:01:30 |
+-----+------+------------------------------------------------------------------------------------------------+---------------------+
5 rows in set (0.00 sec)

i.e. the last 5 rows from the MySQL db, meaning that snort is
now happily logging to it, when I use ACID and turn to,
for example, 'Today's Alert List'... all the signature columns
are totally blank?

Basically the 'Alert Listing' shows 3682 events, but aggregates
them all together because there is no 'signature'...

Am I being really stupid and missing something here?
Under b12 with Postgresql (and I don't think the db is the
issue here) signatures were included, and alerts grouped together
correctly...

Thanks...
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
