[Snort-sigs] Snort Alert Mysql Query
rob.macgregor at ...2420...
Mon Feb 15 09:46:15 EST 2016
On Mon, Feb 15, 2016 at 2:40 PM ARUN LAL <arunlal7701 at ...2420...> wrote:
> Hi Rob,
> Where do we set the cid and sid values? How will we get the sid sensor id?
Keep the traffic on the list please.
I'd suggest you learn a little MySQL and go poking at the tables ("show
tables") and their contents ("show columns from signature" etc). Here you
just need to add the "cid" field to your join that you're using "sid" on:
select signature.sig_id, inet_ntoa(ip_src) as ip_src, inet_ntoa(ip_dst) as
ip_dst, signature.sig_name, event.timestamp, sig_class.sig_class_name,
count(*) as number_of_occurrences
from iphdr
join event on iphdr.sid = event.sid and iphdr.cid = event.cid
join signature on event.signature = signature.sig_id
join sig_class on signature.sig_class_id = sig_class.sig_class_id
group by sig_name;
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche
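Added illustration, not part of the thread: the join above rebuilt against a constructed in-memory sqlite3 subset of the Snort database tables (sig_class, signature, event, iphdr). It shows why the join must match both sid (sensor id) and cid (per-sensor event counter): a sid-only join pairs every event with every other event from the same sensor and inflates the counts. The table layout, sample rows and the `inet_ntoa` shim are assumptions made for the example.

```python
import ipaddress
import sqlite3

# Constructed subset of the Snort/barnyard2 tables discussed in the thread.
# (sid, cid) is the composite key: cid restarts at 1 on every sensor.
SCHEMA = """
CREATE TABLE sig_class (sig_class_id INTEGER PRIMARY KEY, sig_class_name TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_class_id INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    PRIMARY KEY (sid, cid));
"""

def ip2int(dotted):
    """Mirror of MySQL inet_aton(): dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def build_db():
    """In-memory DB with constructed rows: two sensors, two events each, one signature."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # sqlite has no inet_ntoa(); register a Python equivalent so the query reads as in MySQL.
    conn.create_function("inet_ntoa", 1, lambda n: str(ipaddress.IPv4Address(n)))
    conn.execute("INSERT INTO sig_class VALUES (1, 'attempted-recon')")
    conn.execute("INSERT INTO signature VALUES (100, 'EXAMPLE portscan', 1)")
    for sid, cid in [(1, 1), (1, 2), (2, 1), (2, 2)]:
        conn.execute("INSERT INTO event VALUES (?, ?, 100, '2016-02-15 09:00:00')", (sid, cid))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)",
                     (sid, cid, ip2int(f"10.{sid}.0.{cid}"), ip2int("192.0.2.10")))
    return conn

def occurrence_counts(conn, match_cid=True):
    """Return {sig_name: count}. match_cid=False reproduces the sid-only join mistake."""
    # The ON clause is assembled from two fixed literals only; no external input reaches it.
    on = "iphdr.sid = event.sid" + (" AND iphdr.cid = event.cid" if match_cid else "")
    rows = conn.execute(f"""
        SELECT signature.sig_name, sig_class.sig_class_name,
               COUNT(*) AS number_of_occurrences
        FROM iphdr
        JOIN event ON {on}
        JOIN signature ON event.signature = signature.sig_id
        JOIN sig_class ON signature.sig_class_id = sig_class.sig_class_id
        GROUP BY signature.sig_name""")
    return {name: n for name, _cls, n in rows}

def src_addresses(conn):
    """Source address of each event via inet_ntoa(), joined on the full (sid, cid) key."""
    rows = conn.execute("""
        SELECT inet_ntoa(iphdr.ip_src) FROM iphdr
        JOIN event ON iphdr.sid = event.sid AND iphdr.cid = event.cid
        ORDER BY iphdr.sid, iphdr.cid""")
    return [r[0] for r in rows]
```

With four real events, the full-key join counts 4 while the sid-only join reports 8, so an inflated count in a per-signature report is the first sign that cid was left out of the join.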