Snort mailing list archives

Re: Barnyard2 2-1.13-BETA


From: Jeff Kell <jeff-kell () utc edu>
Date: Thu, 9 May 2013 19:24:53 -0400

On 4/10/2013 8:52 AM, beenph wrote:
> ***** We highly recommend ******
> To delete every row in your sig_reference table. (DELETE FROM sig_reference;)
> The table will be re-populated at process startup, and has no impact
> on historical data.

I may have goofed.....   :(

I have had some signatures showing up in the "snort alert [x:yyyyyy:z]"
format for a while (since converting to BY2).  Hoping that the above hint
was a reference to clearing out the database descriptors, I did a
'delete from signature'; and a 'delete from sig_reference'; and
restarted things.  Now I have nothing at all in the descriptions, at
least from the perspective of BASE...

Well, I take that back... a couple have populated now...

< Signature >                                       < Classification >  < Total # >  < Source Address >  < Dest. Address >
ET POLICY Outdated Windows Flash Version IE         policy-violation    13(0%)       4                   11
ET POLICY Vulnerable Java Version 1.6.x Detected    bad-unknown         2(0%)        1                   2
ET CURRENT_EVENTS DNS Amplification Attack Inbound  bad-unknown         1(0%)        1                   1
(3996)/SigName unknown/                             /unclassified/      20(0%)       1                   5
(4404)/SigName unknown/                             /unclassified/      59(0%)       1                   2
(5534)/SigName unknown/                             /unclassified/      230(1%)      5                   4
(5632)/SigName unknown/                             /unclassified/      5700(14%)    400                 277


So should this clear itself up eventually, or have I hosed my current
alerts database?

(Please reply all, I'm not on the google groups list...)

Jeff
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net