Snort mailing list archives
Re: Snort sensor table in ACID
From: wfenwick () mail entrenet com
Date: Thu, 3 Jan 2002 10:42:21 -0500 (EST)
Hello,

After deleting the record for the unwanted sensor, ACID displayed the number of sensors correctly, and all references to the hideous 0.0.0.0:eth1 went away. My sensor_sid_seq is sitting at 4 I think. Good design made it inconsequential. Nice job!

For others' reference, I believe these were the SQL statements to fix it.

=> update sensor set hostname = 'sensorname' where hostname='0.0.0.0';
=> delete from sensor where sid=2;

I repeated the last SQL for each of my undesirable sensors. I have no idea what effect it would have if you actually had events in your database with a sid of a sensor you delete though; mine did not have any events with a sid of 2... I imagine it would be bad...

W

On Wed, 2 Jan 2002 Roman wrote:
To: wfenwick () mail entrenet com
Cc: snort-users () lists sourceforge net
From: roman () danyliw com
Subject: Re: [Snort-users] Snort sensor table in ACID
Date: Wed, 2 Jan 2002 17:03:37 EST

ACID determines the number of sensors with the following SQL:

SELECT COUNT(*) from sensor;

(Note: a field count is done; the last_value of sensor_id_seq is not used)

As you noted, the IDs are assigned to the sensors by a sequence. However, beyond their uniqueness, the specific value has no intrinsic meaning. Simply delete the row from the sensor table associated with the unused sensor. Since the sensorID (sid) is meaningless, there is no reason to worry about decrementing the sensor_id_seq.

cheers,
Roman

On Wed, 2 Jan 2002 wfenwick () mail entrenet com wrote:

Hiya,

ACID b19, snort 1.8.3, using PGSQL as the backend database.

Is there any way to make ACID report the correct number of sensors by deleting the unwanted sensor record from table "sensor" and decrementing the count in sensor_sid_seq?

Right now I have two sensors in there when only one should be. I messed up a config parameter and am now correcting it.

pgsql=# select * from sensor;
 sid | hostname | interface | filter | detail | encoding
-----+----------+-----------+--------+--------+----------
   2 | sensor1  | fxp1      |        |      1 |        0
   1 | sensor1  | fxp1      |        |      1 |        0

The current sequence is at 2 as well.

pqsql=# select * from sensor_sid_seq;
 sequence_name  | last_value | increment_by | max_value  | min_value | cache_value | log_cnt | is_cycled | is_called
----------------+------------+--------------+------------+-----------+-------------+---------+-----------+-----------
 sensor_sid_seq |          2 |            1 | 2147483647 |         1 |           1 |      32 | f         | t
(1 row)

My attempt to fix it failed:

pgsql=# update sensor_sid_seq set last_value=1 where last_value=2;
ERROR: You can't change sequence relation sensor_sid_seq

Does ACID look at "sensor_sid_seq" to find out how many sensors are active, or at how many show up in "sensor"?

Is there a way to *safely* decrement sensor_sid_seq to be at 1?

W
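The thread leaves open what happens when a deleted sensor still has events stored under its sid. The following is an added example, not code from the thread or from ACID: it checks for referencing events before removing a sensor row and refuses the delete when any exist. It runs against an in-memory SQLite stand-in with constructed rows rather than the PostgreSQL backend, and the `event` table with its `sid`/`cid` columns is assumed from the Snort database schema; it does not appear in the thread.

```python
import sqlite3

def build_demo_db():
    """In-memory stand-in for the Snort/ACID database (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
        -- assumed from the Snort schema: events are keyed by (sid, cid)
        CREATE TABLE event  (sid INTEGER, cid INTEGER, PRIMARY KEY (sid, cid));
        INSERT INTO sensor VALUES (1, 'sensor1', 'fxp1'), (2, '0.0.0.0', 'eth1');
        INSERT INTO event  VALUES (1, 1), (1, 2), (1, 3);
    """)
    return conn

def events_per_sensor(conn):
    """Map each sensor sid to the number of event rows that reference it."""
    rows = conn.execute("""
        SELECT s.sid, COUNT(e.cid) FROM sensor s
        LEFT JOIN event e ON e.sid = s.sid
        GROUP BY s.sid ORDER BY s.sid""")
    return dict(rows.fetchall())

def delete_unused_sensor(conn, sid):
    """Delete the sensor row only if no event references it; True if deleted."""
    with conn:  # one transaction: commit on success, roll back on error
        cur = conn.execute("""
            DELETE FROM sensor
            WHERE sid = ?
              AND NOT EXISTS (SELECT 1 FROM event WHERE event.sid = sensor.sid)""",
            (sid,))
    return cur.rowcount == 1

def sensor_count(conn):
    """The count ACID displays, per the thread: SELECT COUNT(*) FROM sensor."""
    return conn.execute("SELECT COUNT(*) FROM sensor").fetchone()[0]

if __name__ == "__main__":
    db = build_demo_db()
    print("events per sensor:", events_per_sensor(db))
    print("delete sid 2:", delete_unused_sensor(db, 2))  # no events, removed
    print("delete sid 1:", delete_unused_sensor(db, 1))  # has events, refused
    print("sensors shown by ACID:", sensor_count(db))
```

The guarded DELETE statement and the LEFT JOIN count use standard SQL, so the same two statements can be typed at the psql prompt once the table and column names are confirmed against the installed schema.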