Re: 1.7 and MySQL

[roman () danyliw com]

The pervasive SID you are seeing in the database
schema is NOT related to IDSKeys.  Rather, this
SID stands for Sensor ID.  If your database has
logs from only one sensor, it follows that the
values of the SID=1 everywhere (sid is a sequence
number starting at 1).  

The IDSKey SID is stored in the the sig_sid field
of the signature table.

cheers,
Roman

> I've noticed that in any of the MySQL tables used by Snort-1.7, the field
> 'sid' always has a value of '1'.  No matter what table, or what record, it's
> always '1'.
>
> Here's my setup:
>
> Snort-1.7-win32-MySQL-static
> MySQL-3.23.39-nt
> WindowsNT 4 SP6
> SnortRules-1.7 from SiliconDefense
> WinPcap-2.1
> CommandLine - snort -c c:\snort\bin\rules\snort.conf -l c:\snort\logs -i1
>
> The problem is that I'm not getting the IDSKeys, either in Acid-0.9.6b12, or
> in my own 'Acid work-alike' that I'm developing.
> I've read in other posts that 'sid' = the rule number that triggered the
> alert, or something like that.
>
> I can't seem to pinpoint the problem here.
>
> Regards,
> Brad T.
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



---------------------------------------------
This message was sent using Voicenet WebMail.
      http://www.voicenet.com/webmail/



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users