Snort mailing list archives

ACID/snort/MySQL


From: cc <cc () belfordhk com>
Date: Sat, 16 Aug 2003 11:16:30 +0800

Hi,

I'm using ACID 0.96b23, PHP5.0 and MySQL 4.

Say I select "Most frequent 5 Alerts" and then
check the first alert and then at the bottom,
I select "Delete Alert" and click on Selected.

Shouldn't this actually delete the selected alert?
What I end up getting is:

No alerts were selected or the DELETE was not successful

From the debug line:


==== ACTION ======
context = 2


==== DELETE Alerts ========
num_alert = 5
action_sql = FROM acid_event WHERE acid_event.sid > 0
action_op = Selected
action_arg = 1
action_param =
context = 2
limit_start = -1
limit_offset = -1
using_blobs = 1

Gathering elements from 1 alert blobs
0 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND signature='-1'
1 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND signature='-1'
2 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND signature='-1'
3 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND signature='-1'
4 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND signature='-1'
No alerts were selected or the DELETE was not successful

-------------------------------------
action_cnt = 0
dup_cnt = 0
num_alert = 5
==== DELETE Alerts END ========

And here's the Query State:

Query State
caller = 'most_frequent'
num_result_rows = '5'
sort_order = 'occur_d'
current_view = '0'
action_arg = '1'
action = 'del_alert'
SELECT DISTINCT signature, count(signature) as sig_cnt, min(timestamp),
max(timestamp) FROM acid_event WHERE acid_event.sid > 0 GROUP BY
signature ORDER BY sig_cnt DESC


I know a bit about SQL, but what I'm confused about is that nowhere in the
actual SQL line does it say to delete the actual alert.  It only
selects it.

This is under the "5 Most Frequent" list.  I've tried it under other
modes, but none of the alerts seem to get deleted.

Any help appreciated



