RE: [Snort-users] snort tables (mysql)


Thu Nov 23 16:36:19 EST 2017


Hi Cesar,

You can get a list of the tables in MySQL with the "show tables;" command.
From there select which table you want and do a "select * from (table name)
limit 1;" this will show you the column names and a sample of the data in
the table.  Take a copy (or printout) of all the tables and you will be able
to match up all the common keys.  That's how I figured it out.

For the query you are looking for it should go something like this:

SELECT signature.sig_name as Signature, count(*) as Count
FROM event, signature
WHERE event.signature = signature.sig_id
GROUP BY signature.sig_name
ORDER BY Count DESC;

This select will give you all signatures in your event table and how many
times they have been triggered by Snort, then sort them and list them in
descending order.  To modify it for a single signature just add an "AND"
statement after the WHERE line and have "AND sig_name=(sig name you want)".
For a single sig you can drop the GROUP BY, ORDER BY and DESC statements as
you will only have a one-line result coming back.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107
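As an added illustration (not part of the reply above, and not Snort's own tooling): the join in the reply and its single-signature variant, run against a reduced SQLite stand-in for the event and signature tables loaded with constructed rows. The assumed schema keeps only the columns the query touches; the single-signature name is passed as a bound parameter instead of being pasted into the SQL text, and a signature with no events comes back as 0 because the inner join drops it.

```python
import sqlite3

# Reduced stand-in for the two Snort tables the reply joins (event.signature
# is the foreign key into signature.sig_id); the real schema has more columns.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER NOT NULL,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
"""
# Constructed sample rows, not data from a real sensor. sig_id 4 has no events.
SIGNATURES = [(1, "SSH brute force attempt"), (2, "ICMP PING"),
              (3, "WEB-MISC robots.txt access"), (4, "SNMP request udp")]
EVENTS = [  # (sid, cid, signature, timestamp)
    (1, 1, 1, "2004-05-19 19:00:01"), (1, 2, 1, "2004-05-19 19:00:02"),
    (1, 3, 1, "2004-05-19 19:00:03"), (1, 4, 2, "2004-05-19 19:01:00"),
    (1, 5, 2, "2004-05-19 19:01:05"), (1, 6, 3, "2004-05-19 19:02:00"),
]
# The reply's query: hit count per signature, busiest first.
COUNT_ALL_SQL = """
SELECT signature.sig_name AS Signature, count(*) AS Count
FROM event, signature
WHERE event.signature = signature.sig_id
GROUP BY signature.sig_name
ORDER BY Count DESC
"""
# Same join narrowed with the extra AND clause. The name is a bound parameter
# (?) rather than text pasted into the statement, so quotes in it stay data.
COUNT_ONE_SQL = """
SELECT signature.sig_name AS Signature, count(*) AS Count
FROM event, signature
WHERE event.signature = signature.sig_id AND signature.sig_name = ?
GROUP BY signature.sig_name
"""

def open_sample_db():
    # In-memory SQLite database loaded with the constructed rows above.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?)", SIGNATURES)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", EVENTS)
    return conn

def counts_per_signature(conn):
    # [(sig_name, count), ...] in descending count order.
    return conn.execute(COUNT_ALL_SQL).fetchall()

def count_for_signature(conn, sig_name):
    # Hit count for one signature; 0 when the inner join yields no row.
    row = conn.execute(COUNT_ONE_SQL, (sig_name,)).fetchone()
    return row[1] if row else 0
```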


-----Original Message-----
From: Cesar [mailto:cesarln at ...5420...]
Sent: May 19, 2004 7:44 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] snort tables (mysql)


Hi folks, my first email for this list!!! :)))

Where can I find the relationships among the Snort tables in Snort 2.1.2
(Slackware box, MySQL database)?
Another one... What kind of query should I use to see only one attack
signature (like ssh)? (in the mysql terminal, not in ACID).



Thanks,

Cesar Leoni Neto.





_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
