Snort mailing list archives

RE: snort tables (mysql)


From: "Truax, Shawn (MBS)" <Shawn.Truax () mbs gov on ca>
Date: Wed, 19 May 2004 21:21:41 -0400

Hi Cesar,

You can get a list of the tables in MySQL with the "show tables;" command.
From there, select the table you want and do a "select * from (table name)
limit 1;"; this will show you the column names and a sample of the data in
the table.  Take a copy (or printout) of all the tables and you will be able
to match up all the common keys.  That's how I figured it out.

For the query you are looking for it should go something like this:

SELECT signature.sig_name AS Signature, COUNT(*) AS Count
FROM event
JOIN signature ON event.signature = signature.sig_id
GROUP BY signature.sig_name
ORDER BY Count DESC;

This select will give you all signatures in your event table and how many
times they have been triggered by Snort, then sort them and list them in
descending order.  To modify it for a single signature, just add an "AND"
clause after the WHERE line: "AND sig_name=(sig name you want)".
For a single sig you can drop the GROUP BY, ORDER BY and DESC clauses, as
you will only have a one-line result coming back.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107
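The two queries described above, written out against a tiny stand-in for the Snort `event` and `signature` tables. This is an added example, not code from Shawn's mail or from the Snort project: the schema is a constructed minimum carrying only the join key and the names (the real Snort 2.1 MySQL tables have more columns, e.g. `timestamp` on `event` and `sig_class_id`, `sig_priority`, `sig_rev`, `sig_sid` on `signature`), and the signature names and event rows are made up. Run it in the mysql client against a scratch database, not the live Snort database, since the CREATE TABLE statements would collide with the existing tables.

```sql
-- Constructed minimal stand-in for the two Snort tables the query touches.
-- Only the join key (event.signature -> signature.sig_id) and the names
-- are reproduced; the real tables carry more columns.
CREATE TABLE signature (
    sig_id   INT NOT NULL PRIMARY KEY,
    sig_name VARCHAR(255) NOT NULL
);

CREATE TABLE event (
    sid       INT NOT NULL,   -- sensor id
    cid       INT NOT NULL,   -- per-sensor event counter
    signature INT NOT NULL,   -- references signature.sig_id
    PRIMARY KEY (sid, cid)
);

-- Made-up sample data: three signatures, six alerts from one sensor.
INSERT INTO signature VALUES
    (1, 'SCAN SSH Version map attempt'),
    (2, 'ICMP PING NMAP'),
    (3, 'WEB-MISC /etc/passwd');

INSERT INTO event VALUES
    (1, 1, 1), (1, 2, 1), (1, 3, 2), (1, 4, 1), (1, 5, 3), (1, 6, 2);

-- 1. Every signature that has fired, with its hit count, most frequent first.
SELECT signature.sig_name AS Signature, COUNT(*) AS Count
FROM event
JOIN signature ON event.signature = signature.sig_id
GROUP BY signature.sig_name
ORDER BY Count DESC;

-- 2. A single signature, matched on its exact name (a quoted string literal).
--    GROUP BY is kept so the query is also valid outside MySQL; MySQL itself
--    accepts it without the GROUP BY, as Shawn describes.
SELECT signature.sig_name AS Signature, COUNT(*) AS Count
FROM event
JOIN signature ON event.signature = signature.sig_id
WHERE signature.sig_name = 'SCAN SSH Version map attempt'
GROUP BY signature.sig_name;

-- 3. "Like ssh": substring match when the exact rule name is not known.
SELECT signature.sig_name AS Signature, COUNT(*) AS Count
FROM event
JOIN signature ON event.signature = signature.sig_id
WHERE signature.sig_name LIKE '%SSH%'
GROUP BY signature.sig_name
ORDER BY Count DESC;
```

If these queries end up in a script or a web front end, pass the signature name as a bound parameter or escape it properly rather than pasting it into the WHERE clause; a front end that concatenates user input into the query string is SQL-injectable, and the IDS database is exactly the kind of data an intruder would want to read or clean up.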


-----Original Message-----
From: Cesar [mailto:cesarln () terra com br]
Sent: May 19, 2004 7:44 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort tables (mysql)


Hi folks, my first email for this list!!! :)))

Where can I find the relationships among the Snort tables in Snort 2.1.2 (Slackware
box, MySQL database)?
Another one... What kind of query should I use to see only one attack
signature (like ssh)?? (in the mysql terminal, not in ACID).



Thanks,

Cesar Leoni Neto.





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
