[Snort-sigs] Snort Alert Mysql Query

adonis okpidi adonisokpidi at ...2420...
Sat Feb 13 13:54:30 EST 2016


I am attempting to enumerate alert data from my snort database. I have the
query shown below:

select sig_id, sig_name,count(*)
from signature as s, event as e
where s.sig_id=e.signature
group by sig_name;

This returns the signature name and the number of alerts associated with
it. The counts for these alerts range from 0 - 50 from the pcap file I am
analysing with snort.

However, I would like to ascertain more information about the alerts than
what is on offer with the first query. Therefore I have written the query
below:

select signature.sig_id, inet_ntoa(ip_src) as ip_src,
inet_ntoa(ip_dst) as ip_dst, signature.sig_name, event.timestamp,
sig_class.sig_class_name, count(*) as number_of_occurence
from iphdr
join event on iphdr.sid = event.sid
join signature on event.signature = signature.sig_id
join sig_class on signature.sig_class_id = sig_class.sig_class_id
group by sig_name;

Again, this query returns 10 rows with the same alerts as the first query;
however, the count for each query is in the thousands. I am pretty
certain the volume of alerts for each signature should not be that high.
Any assistance on why the query I am running is incorrect would be greatly

Kind Regards
Adonis Okpidi
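
An added example, not part of the original post: the second query joins iphdr to event on sid alone, so every event is paired with every iphdr row from the same sensor and the counts multiply. The sketch assumes the stock Snort schema, where event and iphdr share the key (sid, cid); it uses SQLite with constructed rows in place of MySQL, so inet_ntoa and the sig_class join are left out.

```python
import sqlite3

# Constructed miniature of the Snort tables the queries touch. Assumption:
# as in the stock Snort schema, event and iphdr are keyed by (sid, cid).
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event (sid INT, cid INT, signature INT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INT, cid INT, ip_src INT, ip_dst INT, PRIMARY KEY (sid, cid));
"""

# Join on the sensor id only, as in the second query of the post.
SID_ONLY = """
SELECT s.sig_name, COUNT(*) FROM iphdr i
JOIN event e ON i.sid = e.sid
JOIN signature s ON e.signature = s.sig_id
GROUP BY s.sig_name ORDER BY s.sig_name
"""

# Same query joined on the full (sid, cid) key: one iphdr row per event.
SID_AND_CID = SID_ONLY.replace("i.sid = e.sid", "i.sid = e.sid AND i.cid = e.cid")


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO signature VALUES (?, ?)",
                   [(1, "constructed sig A"), (2, "constructed sig B")])
    # One sensor (sid=1), 5 events: cids 1-3 fire sig A, cids 4-5 fire sig B.
    for cid, sig in [(1, 1), (2, 1), (3, 1), (4, 2), (5, 2)]:
        db.execute("INSERT INTO event VALUES (1, ?, ?)", (cid, sig))
        db.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?)",
                   (cid, 167772161, 167772162))
    return db


def counts(db, query):
    """Return {sig_name: alert count} for the given query."""
    return dict(db.execute(query).fetchall())


if __name__ == "__main__":
    db = build_db()
    print("sid only   :", counts(db, SID_ONLY))
    print("sid and cid:", counts(db, SID_AND_CID))
```

With the sid-only join each signature's count is its real event count multiplied by the total number of iphdr rows for that sensor, which is how a few dozen alerts turn into thousands.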