Snort mailing list archives
RE: snort tables (mysql)
From: "Truax, Shawn (MBS)" <Shawn.Truax () mbs gov on ca>
Date: Wed, 19 May 2004 21:21:41 -0400
Hi Cesar,

You can get a list of the tables in MySQL with the "show tables;" command. From there select which table you want and do a "select * from (table name) limit 1;". This will show you the column names and a sample of the data in the table. Take a copy (or printout) of all the tables and you will be able to match up all the common keys. That's how I figured it out.

For the query you are looking for it should go something like this:

SELECT signature.sig_name as Signature,count(*) as Count
FROM event,signature
WHERE event.signature=signature.sig_id
GROUP BY signature.sig_name
ORDER BY Count DESC;

This select will give you all signatures in your event table and how many times they have been triggered by snort, then sort them and list them in descending order.

To modify it for a single signature just add an "AND" statement after the WHERE line and have "AND sig_name=(sig name you want)". For a single sig you can drop the group by, order by and desc statements as you will only have a one line result coming back.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario M5H 3B7
(416)327-1107

-----Original Message-----
From: Cesar [mailto:cesarln () terra com br]
Sent: May 19, 2004 7:44 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort tables (mysql)

Hi folks, my first email for this list!!! :)))

Where can I find the relationship among snort tables in Snort 2.1.2 (slackware box, MySQL database)?

Another one... What kind of query should I use to see only one attack signature (like ssh)?? (in mysql terminal, not in ACID).

Thanks,
Cesar Leoni Neto.
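
Added example, not part of the original message or of Snort's own code: the per-signature count from the reply and its single-signature variant, run against an in-memory SQLite database standing in for MySQL. The two-table schema subset, the function names and the sample rows are constructed for illustration; the name-pattern filter (for a request like "ssh") goes slightly beyond the exact-match AND clause described in the reply.

```python
import sqlite3

# Constructed subset of the Snort schema: only the join columns used by the
# query in the message (event.signature -> signature.sig_id) plus the event key.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER NOT NULL,
                    PRIMARY KEY (sid, cid));
"""

# Constructed sample rows, not real alert data.
SIGNATURES = [(1, "EXAMPLE SSH login attempt"), (2, "EXAMPLE ICMP ping sweep"),
              (3, "EXAMPLE web robots.txt access")]
EVENTS = [(1, 1, 2), (1, 2, 1), (1, 3, 2), (1, 4, 1), (1, 5, 2), (1, 6, 3)]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?)", SIGNATURES)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?)", EVENTS)
    return conn


def counts_by_signature(conn, name_like="%"):
    """Per-signature trigger counts, optionally filtered by a name pattern."""
    sql = """
        SELECT s.sig_name, COUNT(*) AS hits
        FROM event AS e JOIN signature AS s ON e.signature = s.sig_id
        WHERE s.sig_name LIKE ?
        GROUP BY s.sig_name
        ORDER BY hits DESC, s.sig_name
    """
    # The pattern is bound as a parameter, never pasted into the SQL text.
    return conn.execute(sql, (name_like,)).fetchall()


def count_for_signature(conn, sig_name):
    """Exact-match count: without GROUP BY exactly one row comes back,
    and it is 0 when the signature never fired."""
    sql = """
        SELECT COUNT(*)
        FROM event AS e JOIN signature AS s ON e.signature = s.sig_id
        WHERE s.sig_name = ?
    """
    return conn.execute(sql, (sig_name,)).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    for name, hits in counts_by_signature(db, "%ssh%"):
        print(f"{hits:5d}  {name}")
```
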