Re: 1.7 and MySQL

[roman () danyliw com]

I guess I should have also mentioned that the
concept of IDSKeys does not exist in Snort 1.7.
This is a construct added entirely in v1.8 (the
same is also for the signature table in the
database).

Roman

> Signature table?
>
> My DB does not have this table, and the 'create_mysql' doesn't have an entry
> to create this table?
>
> Hmmm...could this be the reason that Acid wasn't giving my the IDS reference
> links also?
>
> Regards,
> Brad T
>
>
> ----- Original Message -----
> From: <roman () danyliw com>
> To: <bthaler () webstream net>
> Cc: <snort-users () lists sourceforge net>
> Sent: Wednesday, August 22, 2001 6:34 AM
> Subject: Re: [Snort-users] 1.7 and MySQL
>
>
> > The pervasive SID you are seeing in the database
> > schema is NOT related to IDSKeys.  Rather, this
> > SID stands for Sensor ID.  If your database has
> > logs from only one sensor, it follows that the
> > values of the SID=1 everywhere (sid is a sequence
> > number starting at 1).
> >
> > The IDSKey SID is stored in the the sig_sid field
> > of the signature table.
> >
> > cheers,
> > Roman
> >
> > > I've noticed that in any of the MySQL tables used by Snort-1.7, the
> field
> > > 'sid' always has a value of '1'.  No matter what table, or what record,
> it's
> > > always '1'.
> > >
> > > Here's my setup:
> > >
> > > Snort-1.7-win32-MySQL-static
> > > MySQL-3.23.39-nt
> > > WindowsNT 4 SP6
> > > SnortRules-1.7 from SiliconDefense
> > > WinPcap-2.1
> > > CommandLine - snort -c c:\snort\bin\rules\snort.conf -l
> c:\snort\logs -i1
> > > The problem is that I'm not getting the IDSKeys, either in
> Acid-0.9.6b12, or
> > > in my own 'Acid work-alike' that I'm developing.
> > > I've read in other posts that 'sid' = the rule number that triggered the
> > > alert, or something like that.
> > >
> > > I can't seem to pinpoint the problem here.
> > >
> > > Regards,
> > > Brad T.
> > >
> > >
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> > ---------------------------------------------
> > This message was sent using Voicenet WebMail.
> >       http://www.voicenet.com/webmail/
> >
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users



---------------------------------------------
This message was sent using Voicenet WebMail.
      http://www.voicenet.com/webmail/



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users