No subject


Thu Nov 23 16:36:19 EST 2017


==== ACTION ======
context = 2


==== DELETE Alerts ========
num_alert = 5
action_sql = FROM acid_event WHERE acid_event.sid > 0
action_op = Selected
action_arg = 1
action_param =
context = 2
limit_start = -1
limit_offset = -1
using_blobs = 1

Gathering elements from 1 alert blobs
0 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND signature='-1'
1 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND signature='-1'
2 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND signature='-1'
3 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND signature='-1'
4 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND signature='-1'
No alerts were selected or the DELETE was not successful

-------------------------------------
action_cnt = 0
dup_cnt = 0
num_alert = 5
==== DELETE Alerts END ========

And here's the Query State:

Query State
caller = 'most_frequent'
num_result_rows = '5'
sort_order = 'occur_d'
current_view = '0'
action_arg = '1'
action = 'del_alert'
SELECT DISTINCT signature, count(signature) as sig_cnt, min(timestamp),
max(timestamp) FROM acid_event WHERE acid_event.sid > 0 GROUP BY
signature ORDER BY sig_cnt DESC


I know a bit about SQL, but what I'm confused about is that nowhere in the
actual SQL line does it say to delete the actual alert.  It only
selects it.

This is under the "5 Most Frequent" list.  I've tried it under other
modes, but none of the alerts seem to get deleted.

Any help appreciated



