Snort mailing list archives

RE: ACID and delete alerts


From: "Michael Steele" <michaels () winsnort com>
Date: Tue, 17 Feb 2004 00:24:22 -0800

Change acid_conf.php and try using root access to MySQL with the appropriate
password to see if that works.

Kindest regards, 

The WINSNORT.com Management Team
-- 
Pick up your FREE Windows or UNIX Snort installation guides       
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org



-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of cc
Sent: Monday, February 16, 2004 11:00 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ACID and delete alerts

Michael Steele sighed and wrote:

Check your configuration in 'acid_conf.php' and make sure it's correct, and
make sure ACID has enough permissions to delete from the database.


My acid user = Aciduser, and the following doesn't produce any
discernible error:

mysql> grant create, insert, select, delete, update on snort.* to aciduser identified by '<inpass>';

mysql> grant create, insert, select, delete, update on snort.* to aciduser@localhost identified by '<inpass>';

And while looking at the Acid logs, I don't see any attempts at
running the Delete command.  All logged commands were select
commands.

As shown here:


--------------------------------------------------------------------------------
Connect [mysql] snort@localhost:3306 as snort
[Feb 17 2004 15:00:37] /acid/acid_stat_alerts.php - db version 106
--------------------------------------------------------------------------------

SELECT sid FROM sensor
SELECT MAX(cid) FROM event WHERE sid='1'
SELECT MAX(cid) FROM acid_event WHERE sid='1'
SELECT MAX(cid) FROM event WHERE sid='2'
SELECT MAX(cid) FROM acid_event WHERE sid='2'
SELECT MAX(cid) FROM event WHERE sid='3'
SELECT MAX(cid) FROM acid_event WHERE sid='3'
SELECT MAX(cid) FROM event WHERE sid='4'
SELECT MAX(cid) FROM acid_event WHERE sid='4'
SELECT count(acid_event.sid)  FROM acid_event  WHERE  signature='-1'
SELECT acid_event.sid, acid_event.cid  FROM acid_event  WHERE
signature='-1'
SELECT count(acid_event.sid)  FROM acid_event  WHERE  signature='-1'
SELECT acid_event.sid, acid_event.cid  FROM acid_event  WHERE
signature='-1'
SELECT count(acid_event.sid)  FROM acid_event  WHERE  signature='-1'
SELECT acid_event.sid, acid_event.cid  FROM acid_event  WHERE
signature='-1'
SELECT count(acid_event.sid)  FROM acid_event  WHERE  signature='-1'
SELECT acid_event.sid, acid_event.cid  FROM acid_event  WHERE
signature='-1'
SELECT count(acid_event.sid)  FROM acid_event  WHERE  signature='-1'
SELECT acid_event.sid, acid_event.cid  FROM acid_event  WHERE
signature='-1'
SELECT count(*) FROM acid_event
SELECT DISTINCT signature, count(signature) as sig_cnt, min(timestamp),
max(timestamp)   FROM acid_event   GROUP BY signature  ORDER BY sig_cnt DESC
SELECT COUNT(DISTINCT acid_event.sid), COUNT(DISTINCT ip_src),
COUNT(DISTINCT ip_dst)  FROM acid_event  WHERE
  signature='17'
SELECT timestamp, acid_event.sid, acid_event.cid  FROM acid_event  WHERE
 signature='17'
             ORDER BY timestamp DESC
SELECT timestamp, acid_event.sid, acid_event.cid  FROM acid_event  WHERE
 signature='17'
             ORDER BY timestamp ASC
SELECT sig_name FROM signature WHERE sig_id='17'
SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id='17'
SELECT sig_sid FROM signature WHERE sig_id='17'
SELECT sig_class_id FROM signature WHERE sig_id = '17'
SELECT sig_class_name FROM sig_class WHERE sig_class_id = '0'
SELECT COUNT(DISTINCT acid_event.sid), COUNT(DISTINCT ip_src),
COUNT(DISTINCT ip_dst)  FROM acid_event  WHERE
  signature='45'
SELECT timestamp, acid_event.sid, acid_event.cid  FROM acid_event  WHERE
 signature='45'
             ORDER BY timestamp DESC
SELECT timestamp, acid_event.sid, acid_event.cid  FROM acid_event  WHERE
 signature='45'
             ORDER BY timestamp ASC
SELECT sig_name FROM signature WHERE sig_id='45'
SELECT sig_class_id FROM signature WHERE sig_id = '45'
SELECT sig_class_name FROM sig_class WHERE sig_class_id = '0'
SELECT COUNT(DISTINCT acid_event.sid), COUNT(DISTINCT ip_src),
COUNT(DISTINCT ip_dst)  FROM acid_event  WHERE
  signature='18'
SELECT timestamp, acid_event.sid, acid_event.cid  FROM acid_event  WHERE
 signature='18'
             ORDER BY timestamp DESC
SELECT timestamp, acid_event.sid, acid_event.cid  FROM acid_event  WHERE
 signature='18'
             ORDER BY timestamp ASC
SELECT sig_name FROM signature WHERE sig_id='18'
SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id='18'
SELECT ref_system_id, ref_tag FROM reference WHERE ref_id='8'
SELECT ref_system_name FROM reference_system WHERE ref_system_id='1'
SELECT sig_sid FROM signature WHERE sig_id='18'
SELECT sig_class_id FROM signature WHERE sig_id = '18'
SELECT sig_class_name FROM sig_class WHERE sig_class_id = '5'
SELECT COUNT(DISTINCT acid_event.sid), COUNT(DISTINCT ip_src),
COUNT(DISTINCT ip_dst)  FROM acid_event  WHERE
  signature='202'
SELECT timestamp, acid_event.sid, acid_event.cid  FROM acid_event  WHERE
 signature='202'
             ORDER BY timestamp DESC
SELECT timestamp, acid_event.sid, acid_event.cid  FROM acid_event  WHERE
 signature='202'
             ORDER BY timestamp ASC
SELECT sig_name FROM signature WHERE sig_id='202'
SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id='202'
SELECT sig_sid FROM signature WHERE sig_id='202'
SELECT sig_class_id FROM signature WHERE sig_id = '202'
SELECT sig_class_name FROM sig_class WHERE sig_class_id = '0'
SELECT COUNT(DISTINCT acid_event.sid), COUNT(DISTINCT ip_src),
COUNT(DISTINCT ip_dst)  FROM acid_event  WHERE
  signature='40'
SELECT timestamp, acid_event.sid, acid_event.cid  FROM acid_event  WHERE
 signature='40'
             ORDER BY timestamp DESC
SELECT timestamp, acid_event.sid, acid_event.cid  FROM acid_event  WHERE
 signature='40'
             ORDER BY timestamp ASC
SELECT sig_name FROM signature WHERE sig_id='40'
SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id='40'
SELECT sig_sid FROM signature WHERE sig_id='40'
SELECT sig_class_id FROM signature WHERE sig_id = '40'
SELECT sig_class_name FROM sig_class WHERE sig_class_id = '0'






-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
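Two things in the quoted post are worth checking mechanically when a delete button does nothing: the ACID query log records which MySQL account the console actually connected as (here the header line reads "as snort", while the GRANT statements were issued to aciduser), and it records every statement type that was sent, so the absence of a DELETE can be confirmed rather than eyeballed. The script below is an added example, not code from ACID or from anyone in the thread. It parses a log in the format shown above plus one line of SHOW GRANTS output, and reports whether the connecting user is the user that was granted privileges, whether any DELETE was ever issued, and which of the privileges the delete path needs are missing from the grant. The sample log and SHOW GRANTS line are constructed from the thread's values; the function names are assumptions.

```python
"""Summarise an ACID SQL query log and compare the privileges of the
connecting MySQL user against the statement types ACID issued.

Added example; not code from ACID or from the mailing-list post. The sample
log and SHOW GRANTS output are constructed from the values quoted in the
thread.
"""
import re
from collections import Counter

# Constructed sample: log header and a few queries as ACID writes them.
SAMPLE_LOG = """\
--------------------------------------------------------------------------------
Connect [mysql] snort@localhost:3306 as snort
[Feb 17 2004 15:00:37] /acid/acid_stat_alerts.php - db version 106
--------------------------------------------------------------------------------

SELECT sid FROM sensor
SELECT MAX(cid) FROM event WHERE sid='1'
SELECT count(*) FROM acid_event
SELECT sig_name FROM signature WHERE sig_id='17'
"""

# Constructed sample of what `SHOW GRANTS FOR 'aciduser'@'localhost'` would
# print after the GRANT in the thread (MySQL's output format; values assumed).
SAMPLE_GRANTS = (
    "GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON `snort`.* "
    "TO 'aciduser'@'localhost'"
)

CONNECT_RE = re.compile(r"^Connect \[mysql\] (?P<dsn>\S+) as (?P<user>\S+)$")
VERB_RE = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP)\b", re.I)
GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<who>.+)$")


def summarize_log(text):
    """Return the user ACID connected as and a count of statement verbs."""
    user = None
    verbs = Counter()
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            user = m.group("user")
            continue
        m = VERB_RE.match(line)
        if m:
            verbs[m.group(1).upper()] += 1
    return {
        "connect_user": user,
        "verbs": verbs,
        "delete_attempted": verbs["DELETE"] > 0,
    }


def parse_grants(show_grants_line):
    """Parse one SHOW GRANTS line into (user, scope, set of privileges)."""
    m = GRANT_RE.match(show_grants_line.strip())
    if not m:
        raise ValueError("not a GRANT line: %r" % show_grants_line)
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    # 'aciduser'@'localhost' -> aciduser
    user = m.group("who").split("@")[0].strip("'` ")
    return user, m.group("scope"), privs


def privilege_gaps(log_text, show_grants_line, needed=("SELECT", "DELETE")):
    """Cross-check the log against the grant: does the connecting user match
    the granted user, was a DELETE ever sent, and which needed privileges
    does the grant not cover?"""
    summary = summarize_log(log_text)
    granted_user, scope, privs = parse_grants(show_grants_line)
    if "ALL PRIVILEGES" in privs:
        missing = []
    else:
        missing = sorted(set(needed) - privs)
    return {
        "connect_user": summary["connect_user"],
        "granted_user": granted_user,
        "user_matches": summary["connect_user"] == granted_user,
        "delete_attempted": summary["delete_attempted"],
        "scope": scope,
        "missing": missing,
    }


if __name__ == "__main__":
    for key, value in privilege_gaps(SAMPLE_LOG, SAMPLE_GRANTS).items():
        print("%s: %s" % (key, value))
```

On the constructed sample the report says the connecting user (snort) is not the granted user (aciduser), no DELETE was issued, and the grant itself lacks nothing the delete path needs; that is the pattern to look for before changing grants again, because adding privileges to an account the console never logs in as changes nothing. Replace the sample log with the real ACID query log and the sample grant line with the output of `SHOW GRANTS FOR` the user named in the Connect line.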




