Snort mailing list archives

Re: Snort Alert Mysql Query


From: Rob MacGregor <rob.macgregor () gmail com>
Date: Mon, 15 Feb 2016 14:46:15 +0000

On Mon, Feb 15, 2016 at 2:40 PM ARUN LAL <arunlal7701 () gmail com> wrote:

Hi Rob,

Where do we set the cid and sid values? How will we get the sid (sensor id)?


Keep the traffic on the list please.

I'd suggest you learn a little MySQL and go poking at the tables ("show
tables") and their contents ("show columns from signature" etc). Here you
just need to add the "cid" field to your join that you're using "sid" on:

select signature.sig_id, inet_ntoa(ip_src) as ip_src, inet_ntoa(ip_dst) as ip_dst,
       signature.sig_name, event.timestamp, sig_class.sig_class_name,
       count(*) as number_of_occurrence
from iphdr
-- event and iphdr rows are identified by the pair (sid, cid); joining on
-- sid alone would pair every event with every packet header from that sensor
join event on iphdr.sid = event.sid and iphdr.cid = event.cid
join signature on event.signature = signature.sig_id
join sig_class on signature.sig_class_id = sig_class.sig_class_id
-- ip_src, ip_dst and timestamp are not aggregated, so MySQL returns an
-- arbitrary row's values per signature (rejected under ONLY_FULL_GROUP_BY)
group by sig_name;
-- 
Rob MacGregor
      Whoever fights monsters should see to it that in the process he
        doesn't become a monster.                  Friedrich Nietzsche
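As an added example (not part of Rob's reply), the same (sid, cid) join extended to the sensor table, so the sid resolves to a sensor hostname and interface and the counts are broken down per sensor and per signature; a second query drills into the source addresses behind one signature. The sensor column names (sid, hostname, interface) are those of the stock Snort/barnyard2 schema and the sig_id in the where clause is a placeholder; confirm both with show columns from sensor and a lookup in signature.

```sql
-- Added example, not from the original post.
-- event rows are keyed by (sid, cid): sid identifies the sensor that
-- logged the alert and cid is that sensor's running event counter, so
-- every join between per-event tables (event, iphdr, ...) uses both.
select
    sensor.sid,
    sensor.hostname,            -- stock schema column, assumed
    sensor.interface,           -- stock schema column, assumed
    signature.sig_id,
    signature.sig_name,
    sig_class.sig_class_name,
    count(*)             as number_of_occurrences,
    min(event.timestamp) as first_seen,
    max(event.timestamp) as last_seen
from event
join sensor    on event.sid = sensor.sid
join signature on event.signature = signature.sig_id
join sig_class on signature.sig_class_id = sig_class.sig_class_id
-- every non-aggregated select column is listed here, so the query also
-- runs with MySQL's ONLY_FULL_GROUP_BY mode enabled
group by
    sensor.sid, sensor.hostname, sensor.interface,
    signature.sig_id, signature.sig_name, sig_class.sig_class_name
order by number_of_occurrences desc;

-- Which source addresses triggered one signature, per sensor.
select
    sensor.hostname,
    inet_ntoa(iphdr.ip_src) as ip_src,
    count(*)                as hits
from event
join sensor on event.sid = sensor.sid
join iphdr  on iphdr.sid = event.sid and iphdr.cid = event.cid
where event.signature = 1000001    -- placeholder sig_id, pick one from signature
group by sensor.hostname, iphdr.ip_src
order by hits desc;
```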
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
