Snort mailing list archives

Snort Alert Mysql Query


From: adonis okpidi <adonisokpidi () gmail com>
Date: Sat, 13 Feb 2016 18:54:30 +0000

Hi

I am attempting to enumerate alert data from my snort database. I have the
query shown below:

select sig_id, sig_name,count(*)
from signature as s, event as e
where s.sig_id=e.signature
group by sig_name;

This returns the signature name and the number of alerts associated with
it. The counts for these alerts range from 0 - 50 from the pcap file I am
analysing with snort.

Now I would like to ascertain more information about the alerts than what
is on offer with the first query. Therefore I have written the query below:

select signature.sig_id, inet_ntoa(ip_src) as ip_src, inet_ntoa(ip_dst) as
ip_dst, signature.sig_name, event.timestamp, sig_class.sig_class_name,
count(*) as number_of_occurence
from iphdr
join event on iphdr.sid = event.sid
join signature on event.signature = signature.sig_id
join sig_class on signature.sig_class_id = sig_class.sig_class_id
group by sig_name;


Again, this query returns 10 rows with the same alerts as the first query;
however, the count for each query is in the thousands. I am pretty
certain the volume of alerts for each signature should not be that high.
Any assistance on why the query I am running is incorrect would be greatly
appreciated.

Kind Regards
Adonis Okpidi
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
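An added example for the question above; this SQL is not from the original post or from the Snort project. It assumes the standard Snort/barnyard2 MySQL schema, in which an alert is identified by the pair (sid, cid) in both `event` and `iphdr`, while `sid` on its own is only the sensor id. Joining `iphdr` to `event` on `sid` alone pairs every event on a sensor with every packet header from that sensor, so the count per signature grows roughly with the square of the number of events rather than matching it. The first query below measures that fan-out; the second is the per-signature summary with the join keyed on (sid, cid) and every selected column either grouped or aggregated; the third lists individual alerts for one signature, with `:sig_id` as a placeholder to substitute.

```sql
-- Added example (not from the original post). Assumes the standard Snort /
-- barnyard2 MySQL schema: event(sid, cid, signature, timestamp),
-- iphdr(sid, cid, ip_src, ip_dst), signature(sig_id, sig_name, sig_class_id),
-- sig_class(sig_class_id, sig_class_name).

-- 1. Diagnose the fan-out. If rows_joined_on_sid_only is far larger than
--    event_rows, the sid-only join is multiplying rows; the (sid, cid) join
--    should return at most event_rows.
SELECT
    (SELECT COUNT(*) FROM event)                          AS event_rows,
    (SELECT COUNT(*) FROM event e
       JOIN iphdr i ON i.sid = e.sid)                     AS rows_joined_on_sid_only,
    (SELECT COUNT(*) FROM event e
       JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid)   AS rows_joined_on_sid_cid;

-- 2. One row per signature. Per-alert columns (addresses, timestamp) are
--    aggregated instead of being listed beside COUNT(*), which also keeps the
--    query valid under MySQL's ONLY_FULL_GROUP_BY mode.
SELECT
    s.sig_id,
    s.sig_name,
    c.sig_class_name,
    COUNT(*)                 AS number_of_occurrences,
    COUNT(DISTINCT i.ip_src) AS distinct_sources,
    COUNT(DISTINCT i.ip_dst) AS distinct_destinations,
    MIN(e.timestamp)         AS first_seen,
    MAX(e.timestamp)         AS last_seen
FROM event e
JOIN iphdr     i ON i.sid = e.sid AND i.cid = e.cid
JOIN signature s ON s.sig_id = e.signature
JOIN sig_class c ON c.sig_class_id = s.sig_class_id
GROUP BY s.sig_id, s.sig_name, c.sig_class_name
ORDER BY number_of_occurrences DESC;

-- 3. Per-alert detail for a single signature (no GROUP BY). :sig_id is a
--    placeholder for the signature id taken from query 2.
SELECT
    e.sid,
    e.cid,
    e.timestamp,
    INET_NTOA(i.ip_src) AS ip_src,
    INET_NTOA(i.ip_dst) AS ip_dst,
    s.sig_name,
    c.sig_class_name
FROM event e
JOIN iphdr     i ON i.sid = e.sid AND i.cid = e.cid
JOIN signature s ON s.sig_id = e.signature
JOIN sig_class c ON c.sig_class_id = s.sig_class_id
WHERE s.sig_id = :sig_id
ORDER BY e.timestamp;
```

Grouping by `sig_id` as well as `sig_name` matters in query 2: in this schema the same rule text can appear under more than one `sig_id` (for example across rule revisions), and grouping on the name alone silently merges those counts.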