[Snort-users] Barnyard2 problems with reputation preproc rules

Dave Corsello snort-users at ...15598...
Mon Feb 3 10:17:39 EST 2014


MySQL version 5.1.49

To the best of my recollection, I never ran ALTER TABLE to change the
storage engine.  The only changes to this database were done by the BASE
script that adds the acid tables, which I ran a couple of years ago.

Here are the results of the query:

+--------+--------------+-----------------------------------+--------------+---------+---------+---------+--------------+
| sig_id | sig_class_id | sig_name                          | sig_priority | sig_rev | sig_sid | sig_gid | events_count |
+--------+--------------+-----------------------------------+--------------+---------+---------+---------+--------------+
|  16501 |            4 | reputation: Packet is blacklisted |            2 |       1 |       1 |     136 |        65341 |
|  17372 |            0 | reputation: Packet is blacklisted |            0 |       1 |       1 |     136 |            0 |
+--------+--------------+-----------------------------------+--------------+---------+---------+---------+--------------+

On 2/2/2014 9:16 AM, beenph wrote:
> On Sun, Feb 2, 2014 at 8:29 AM, Dave Corsello
> <snort-users at ...15598...> wrote:
>> No, sorry, I forgot to include version info.  I've been on by2 version
>> 2.1.13 build 327 and snort 2.9.5.5 for months.  All snort tables are
>> InnoDB; all acid tables are MyISAM.  None of this has changed.  The only
>> thing that's changed that I can see is the number of blacklist IPs, but
>> that changes almost daily.  I suppose I could try deleting signature
>> 16501, but it's linked to thousands of events.
>>
> Yup, but you also have been having SQL issues at a different level. Which
> version of MySQL are you using again?
>
> The multiple issues you have been having with SQL could mean that in
> the past you have converted using ALTER TABLE,
> rather than creating the database based on the InnoDB storage engine.
>
> I looked back to previous thread you had written on the by2 mailing list
>  and can't find info on your mysql version.
>
> It would be interesting to see the result of the following query.
>
> SELECT * FROM signature WHERE sig_id IN (16501,17372)
>
> -elz
