[Snort-users] Snort sensor table in ACID

wfenwick at ...4447... wfenwick at ...4447...
Thu Jan 3 07:45:10 EST 2002


Hello,

After deleting the record for the unwanted sensor, ACID displayed
the number of sensors correctly, and all references to the hideous 0.0.0.0:eth1
went away. My sensor_sid_seq is sitting at 4 I think. Good design made it
inconsequential. Nice job!

For others' reference, I believe these were the SQL statements to fix it.

=> update sensor set hostname = 'sensorname' where hostname='0.0.0.0';
=> delete from sensor where sid=2;

I repeated the last SQL for each of my undesirable sensors.

I have no idea what effect it would have if you actually had events in your
database with a sid of a sensor you delete though; mine did not have any
events with a sid of 2... I imagine it would be bad...
 
W

On Wed, 2 Jan 2002 Roman wrote:

>To: wfenwick at ...4447...
>Cc: snort-users at lists.sourceforge.net
>From: roman at ...438...
>Subject: Re: [Snort-users] Snort sensor table in ACID
>Date: Wed, 2 Jan 2002 17:03:37 EST
>
>ACID determines the number of sensors with the following SQL:
>
>SELECT COUNT(*) from sensor;
>
>(Note: a field count is done; the last_value of sensor_id_seq is not used)
>
>As you noted, the IDs are assigned to the sensors by a sequence.
>However, beyond their uniqueness, the specific value has no intrinsic
>meaning.  Simply delete the row from the sensor table associated with the
>unused sensor.
>
>Since the sensorID (sid) is meaningless, there is no reason to worry
>about decrementing the sensor_id_seq.
>
>cheers,
>Roman
>
>On Wed, 2 Jan 2002 wfenwick at ...4447... wrote:
>
>
>> Hiya,
>>
>> ACID b19, snort 1.8.3, using PGSQL as the backend database.
>>
>> Is there any way to make ACID report the correct number of sensors
>> by deleting the unwanted sensor record from table "sensor" and decrementing the count in
>> sensor_sid_seq?
>>
>> Right now I have two sensors in there when only one should be. I
>> messed up a config parameter and am now correcting it.
>>
>> pgsql=# select * from sensor;
>>  sid | hostname | interface | filter | detail | encoding
>> -----+----------+-----------+--------+--------+----------
>>    2 | sensor1  | fxp1      |        |      1 |        0
>>    1 | sensor1  | fxp1      |        |      1 |        0
>>
>> The current sequence is at 2 as well.
>>
>> pqsql=# select * from sensor_sid_seq;
>>  sequence_name  | last_value | increment_by | max_value  | min_value | cache_value | log_cnt | is_cycled | is_called
>> ----------------+------------+--------------+------------+-----------+-------------+---------+-----------+-----------
>>  sensor_sid_seq |          2 |            1 | 2147483647 |         1 |           1 |      32 | f         | t
>> (1 row)
>>
>>
>> My attempt to fix it failed:
>>
>> pgsql=# update sensor_sid_seq set last_value=1 where last_value=2;
>> ERROR:  You can't change sequence relation sensor_sid_seq
>>
>> Does ACID look at "sensor_sid_seq" to find out how many
>> sensors are active, or at how many show up in "sensor"?
>>
>> Is there a way to *safely* decrement sensor_sid_seq to be at 1?
>>
>> W
>
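
The thread leaves open what happens when a deleted sensor's sid still has events attached. The following is an added example, not part of the original messages: a guarded version of the delete that checks for referencing events first. It assumes the stock Snort schema, in which each row of the event table carries the sid of the sensor that logged it and a cid; that table is mentioned in the thread but not shown. The sid value 2 is the one from the thread.

```sql
-- Added example. Assumption: an "event" table with (sid, cid) columns,
-- as in the stock Snort database schema.

BEGIN;

-- 1. List every sensor with the number of events that reference it.
--    A duplicate or misconfigured sensor row should report 0.
SELECT s.sid, s.hostname, s.interface, COUNT(e.cid) AS event_count
  FROM sensor s
  LEFT JOIN event e ON e.sid = s.sid
 GROUP BY s.sid, s.hostname, s.interface
 ORDER BY s.sid;

-- 2. Delete sid 2 only if no event references it. If events exist,
--    this statement removes 0 rows and the sensor record stays.
DELETE FROM sensor
 WHERE sid = 2
   AND NOT EXISTS (SELECT 1 FROM event e WHERE e.sid = sensor.sid);

-- 3. Confirm the figure ACID will display (the count query quoted
--    in the thread).
SELECT COUNT(*) FROM sensor;

-- 4. Report events whose sensor row no longer exists, for example
--    after an earlier unconditional delete.
SELECT e.sid, COUNT(*) AS orphaned_events
  FROM event e
 WHERE NOT EXISTS (SELECT 1 FROM sensor s WHERE s.sid = e.sid)
 GROUP BY e.sid;

COMMIT;
```

If step 4 returns rows, those alerts can no longer be attributed to a hostname and interface, so restore or re-create the sensor row before relying on the data.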



