[Snort-users] Unknown Sig Name ???

roman at ...438... roman at ...438...
Mon Oct 22 19:07:02 EDT 2001


Any chance you are using tagging?  My limited testing shows that 
the packets logged with tag will be written to the database with 
a NULL signature.

Roman

On Thu, 11 Oct 2001 sduncan at ...3495... wrote:

> Hi Roman, thanks for the help. It looks like I have two entries in my signature
> table with:
>
> sig_name (no value)
> sig_class_id 0   
> sig_priority NULL
> sig_rev NULL
> 
> I am running:
> 
> snort 1.8.1-RELEASE
> ACID 0.9.6b13
> Schema from contrib/ in snort-1.8.1-RELEASE
>
> Any ideas?
> 
> Scott
> 
> > >
> > - In the database, check for any rows in the event tables which
> > have a signature = 0?
> > (SELECT * FROM event WHERE signature = 0)
> > - Check if there are any rows in the event table whose signature field
> > is not a valid key in the signature table (i.e. not a valid sig_id)
> >
> > (SELECT DISTINCT signature FROM event;   
> >   SELECT DISTINCT sig_id FROM signature;
> >
> >   compare these lists)
> >
> > Roman
> >
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Can anybody give me some clues on how to debug this message I am getting in
> >> acid? Is it a problem with classification.config? I am running snort 1.8.1 on
> >> one box with a local mysql database and snort1.8.1 on another box which is
> >> logging alerts to the first boxen's database. Thanks in advance...
> >>
> >> Scott Duncan
>
>>
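
The checks discussed in this thread, combined into one audit pass. This is an added example, not code from the original posts or from the Snort/ACID project. It uses SQLite as a stand-in for MySQL, and the reduced schema (including the sid/cid event key), the audit() and build_sample() helpers and all sample rows are constructed assumptions.

```python
import sqlite3

# Reduced, constructed stand-in for the Snort/ACID tables: only the columns
# named in the thread plus an assumed (sid, cid) event key.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_class_id INTEGER, sig_priority INTEGER, sig_rev INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER);
"""

CHECKS = {
    # Events stored with no signature (what the reply above reports for tagged packets).
    "null_signature": "SELECT sid, cid FROM event WHERE signature IS NULL ORDER BY sid, cid",
    # Events pointing at signature 0, the first check quoted in the thread.
    "zero_signature": "SELECT sid, cid FROM event WHERE signature = 0 ORDER BY sid, cid",
    # Anti-join that replaces comparing the two DISTINCT lists by hand.
    "orphaned": """SELECT DISTINCT e.signature FROM event e
                   LEFT JOIN signature s ON s.sig_id = e.signature
                   WHERE e.signature IS NOT NULL AND s.sig_id IS NULL
                   ORDER BY e.signature""",
    # Signature rows with no usable name, like the two rows Scott found.
    "unnamed_signature": """SELECT sig_id FROM signature
                            WHERE sig_name IS NULL OR TRIM(sig_name) = ''
                            ORDER BY sig_id""",
}

def audit(conn):
    """Run every check and return {check_name: [rows]}."""
    return {name: conn.execute(sql).fetchall() for name, sql in CHECKS.items()}

def build_sample():
    """Build an in-memory database holding constructed rows, one per failure case."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?,?)", [
        (1, "constructed sample alert", 3, 2, 1),
        (2, "", 0, None, None),  # empty sig_name, class 0, NULL priority/rev
    ])
    conn.executemany("INSERT INTO event VALUES (?,?,?)", [
        (1, 1, 1), (1, 2, None), (1, 3, 2), (2, 1, 0), (2, 2, 7),
    ])
    return conn

if __name__ == "__main__":
    for name, rows in audit(build_sample()).items():
        print(f"{name}: {rows}")
```

The four SELECT statements use only standard SQL, so they can be pasted into a mysql client against the real event and signature tables.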

