[Snort-sigs] Snort Alert Mysql Query

Rob MacGregor rob.macgregor at ...2420...
Mon Feb 15 09:46:15 EST 2016


On Mon, Feb 15, 2016 at 2:40 PM ARUN LAL <arunlal7701 at ...2420...> wrote:

> Hi Rob,
>
> Where we set the cid and sid values. How will we get sid sensor id ??
>

Keep the traffic on the list please.

I'd suggest you learn a little MySQL and go poking at the tables ("show
tables") and their contents ("show columns from signature" etc.). Here you
just need to add the "cid" field to the join that you're using "sid" on:

-- sid = sensor id, cid = per-sensor event counter; together they identify one event,
-- so iphdr and event must be joined on both columns.
select signature.sig_id, inet_ntoa(ip_src) as ip_src, inet_ntoa(ip_dst) as ip_dst,
       signature.sig_name, event.timestamp, sig_class.sig_class_name,
       count(*) as number_of_occurrence
from iphdr
join event     on iphdr.sid = event.sid and iphdr.cid = event.cid
join signature on event.signature = signature.sig_id
join sig_class on signature.sig_class_id = sig_class.sig_class_id
group by signature.sig_name;
-- 
Rob MacGregor
      Whoever fights monsters should see to it that in the process he
        doesn't become a monster.                  Friedrich Nietzsche
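To see why the composite (sid, cid) key matters, here is an added example (not from the original thread) that builds a constructed, cut-down version of the Snort database schema in SQLite and runs the query with and without the cid condition. Table and column names follow the thread; MySQL's inet_ntoa is emulated with a Python function and all row data is made up.

```python
import sqlite3
import ipaddress

# Constructed, cut-down version of the Snort DB schema (only the columns the
# thread's query touches). sid = sensor id, cid = per-sensor event counter.
SCHEMA = """
create table event     (sid int, cid int, signature int, timestamp text);
create table iphdr     (sid int, cid int, ip_src int, ip_dst int);
create table signature (sig_id int, sig_name text, sig_class_id int);
create table sig_class (sig_class_id int, sig_class_name text);
"""

def aton(dotted):  # emulate MySQL inet_aton for the sample rows
    return int(ipaddress.IPv4Address(dotted))

def ntoa(n):  # emulate MySQL inet_ntoa inside the SQLite connection
    return str(ipaddress.IPv4Address(n))

# Constructed sample rows: two sensors, and both sensors reuse cid=1,
# so cid alone (or sid alone) does not identify an event.
EVENTS = [(1, 1, 1, "2016-02-15 09:00:00"),
          (1, 2, 2, "2016-02-15 09:01:00"),
          (2, 1, 1, "2016-02-15 09:02:00")]
IPHDRS = [(1, 1, aton("10.0.0.5"), aton("10.0.0.9")),
          (1, 2, aton("10.0.0.6"), aton("10.0.0.9")),
          (2, 1, aton("10.0.1.7"), aton("10.0.1.9"))]
SIGS = [(1, "constructed-sig-A", 1), (2, "constructed-sig-B", 2)]
CLASSES = [(1, "attempted-recon"), (2, "policy-violation")]

def count_per_signature(join_on_cid):
    """Run the thread's query, joining iphdr to event on (sid, cid) or sid only."""
    on = "iphdr.sid = event.sid" + (" and iphdr.cid = event.cid" if join_on_cid else "")
    conn = sqlite3.connect(":memory:")
    conn.create_function("inet_ntoa", 1, ntoa)
    conn.executescript(SCHEMA)
    conn.executemany("insert into event values (?,?,?,?)", EVENTS)
    conn.executemany("insert into iphdr values (?,?,?,?)", IPHDRS)
    conn.executemany("insert into signature values (?,?,?)", SIGS)
    conn.executemany("insert into sig_class values (?,?)", CLASSES)
    rows = conn.execute(f"""
        select signature.sig_name, inet_ntoa(ip_src), inet_ntoa(ip_dst),
               sig_class.sig_class_name, count(*) as number_of_occurrence
        from iphdr
        join event on {on}
        join signature on event.signature = signature.sig_id
        join sig_class on signature.sig_class_id = sig_class.sig_class_id
        group by sig_name""").fetchall()
    return {name: n for name, _src, _dst, _cls, n in rows}

if __name__ == "__main__":
    print("sid only:", count_per_signature(False))  # sensor 1 rows pair up 2x2
    print("sid+cid :", count_per_signature(True))   # one iphdr row per event
```

Joining on sid alone multiplies every event on a sensor by every iphdr row on that sensor, so the per-signature counts are inflated; adding cid restores one row per event.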