[Snort-users] Unknown Sig Name ???

sduncan at ...3495... sduncan at ...3495...
Thu Oct 11 17:01:17 EDT 2001


Hi Roman, thanks for the help. It looks like I have two entries in my signature
table with:

sig_name (no value)
sig_class_id 0
sig_priority NULL
sig_rev NULL

I am running:

snort 1.8.1-RELEASE
ACID 0.9.6b13
Schema from contrib/ in snort-1.8.1-RELEASE

Any ideas?

Scott


On 11-Oct-2001 roman at ...438... wrote:
> Scott,
> 
> A couple of questions to further understand the situation:
> 
> - What version of ACID?
> - What version of the DB schema?
> - Do all signatures appear with the "Unknown Sig Name" string?
> 
> Log into the database and run these queries:
> 
> - In the database, check for any rows in the event tables which
> have a signature = 0?
> (SELECT * FROM event WHERE signature = 0)
> - Check if there are any rows in the event table whose signature field
> is not a valid key in the signature table (i.e. not a valid sig_id)
> 
> (SELECT DISTINCT signature FROM event;
>   SELECT DISTINCT sig_id FROM signature;
> 
>   compare these lists)
> 
> Roman
> 
> 
>> 
>> Can anybody give me some clues on how to debug this message I am getting in
>> acid? Is it a problem with classification.config? I am running snort 1.8.1 on
>> one box with a local mysql database and snort1.8.1 on another box which is
>> logging alerts to the first boxen's database. Thanks in advance...
>> 
>> Scott Duncan
>> 
>> 

Cytech Security Consulting
Internet Security Specialists
http://www.cytechconsult.com/
voice: 775-751-5267
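
The checks discussed in this thread can be collapsed into two joins. The following is an added example, not code from either poster or from the Snort or ACID projects: it runs against an in-memory SQLite stand-in for the MySQL database, models only the columns named in the thread (the `cid` column and all rows are constructed assumptions), and the two SELECT statements use only standard SQL.

```python
import sqlite3

# Constructed stand-in for the two Snort tables named in the thread. Only the
# columns the thread mentions are modelled; "cid" is an assumed event counter.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_class_id INTEGER, sig_priority INTEGER, sig_rev INTEGER);
CREATE TABLE event (cid INTEGER PRIMARY KEY, signature INTEGER);
"""

# Events whose signature value has no matching sig_id (covers signature = 0).
ORPHANED_EVENTS = """
SELECT e.signature, COUNT(*) AS events
FROM event e LEFT JOIN signature s ON s.sig_id = e.signature
WHERE s.sig_id IS NULL
GROUP BY e.signature ORDER BY e.signature
"""

# Signature rows with a NULL or empty sig_name, and how many events use them.
UNNAMED_SIGNATURES = """
SELECT s.sig_id, COUNT(e.cid) AS events
FROM signature s LEFT JOIN event e ON e.signature = s.sig_id
WHERE s.sig_name IS NULL OR TRIM(s.sig_name) = ''
GROUP BY s.sig_id ORDER BY s.sig_id
"""

def audit(conn):
    """Return both findings as lists of (id, event_count) tuples."""
    return {
        "orphaned_events": conn.execute(ORPHANED_EVENTS).fetchall(),
        "unnamed_signatures": conn.execute(UNNAMED_SIGNATURES).fetchall(),
    }

def sample_db():
    """In-memory database with constructed rows, not data from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?, ?, ?)", [
        (1, "ICMP PING", 3, 2, 1),      # healthy row
        (2, "", 0, None, None),         # empty name, class 0, NULL priority/rev
        (3, None, 0, None, None),       # NULL name, never referenced
    ])
    conn.executemany("INSERT INTO event (signature) VALUES (?)",
                     [(1,), (1,), (2,), (2,), (2,), (0,), (7,)])
    return conn

if __name__ == "__main__":
    for finding, rows in audit(sample_db()).items():
        print(finding, rows)
```

The event counts show how many alerts would lose their name in the console for each bad row, which helps decide whether to repair the signature row or re-point the events.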





