[Snort-users] modifying priority on certain rules

Frank Knobbe frank at ...9761...
Wed Feb 22 13:20:10 EST 2006


On Wed, 2006-02-22 at 11:42 -0500, Christina McAghon wrote:
> I think I figured out the problem.  I am using Barnyard to log the
> events to a database.  In the signature table, there was an existing
> entry for the sig id, which had the lower priority.  Once I removed it
> from the signature table, it recreated it with the higher priority. 

Of course by doing so (only deleting the row from the signature table),
you probably have a bunch of orphaned entries in your event table that
reference a signature that no longer exists. If you remember the
signature.sig_id of that sig, you might want to set event.signature to
signature.sig_id of the new signature where all instances of
event.signature are like the old signature.sig_id.

> Has anyone else seen this?  If so, do you manually purge/update the
> entry in the signature table? 

Bear in mind that all entries are interconnected in the database. If you
remove portions, you leave dead data hanging around. If you want to
meddle in the database by hand, I suggest you gain an understanding of
the whole schema so you can perform manual tasks without disrupting any
indices.

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
