This is a discussion on Re: [Snort-users] ACID and delete alerts within the Snort forums, part of the System Security and Security Related category; Michael Steele sighed and wrote:: > Check your configure in 'acid_conf.php" and make sure its correct and make &...
Michael Steele sighed and wrote:
> Check your configure in 'acid_conf.php' and make sure it's correct and make
> sure ACID has enough permissions to delete from the database.
>

My acid user = Aciduser, and the following doesn't produce any discernible error:

mysql> grant create, insert,select,delete,update on snort.* to aciduser identified by '<inpass>'
mysql> grant create, insert,select,delete,update on snort.* to aciduser@localhost identified by '<inpass>'

And while looking at the Acid logs, I don't see any attempts at running the Delete command. All logged commands were select commands. As shown here:

--------------------------------------------------------------------------------
Connect [mysql] snort@localhost:3306 as snort
[Feb 17 2004 15:00:37] /acid/acid_stat_alerts.php - db version 106
--------------------------------------------------------------------------------
SELECT sid FROM sensor
SELECT MAX(cid) FROM event WHERE sid='1'
SELECT MAX(cid) FROM acid_event WHERE sid='1'
SELECT MAX(cid) FROM event WHERE sid='2'
SELECT MAX(cid) FROM acid_event WHERE sid='2'
SELECT MAX(cid) FROM event WHERE sid='3'
SELECT MAX(cid) FROM acid_event WHERE sid='3'
SELECT MAX(cid) FROM event WHERE sid='4'
SELECT MAX(cid) FROM acid_event WHERE sid='4'
SELECT count(acid_event.sid) FROM acid_event WHERE signature='-1'
SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE signature='-1'
SELECT count(acid_event.sid) FROM acid_event WHERE signature='-1'
SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE signature='-1'
SELECT count(acid_event.sid) FROM acid_event WHERE signature='-1'
SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE signature='-1'
SELECT count(acid_event.sid) FROM acid_event WHERE signature='-1'
SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE signature='-1'
SELECT count(acid_event.sid) FROM acid_event WHERE signature='-1'
SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE signature='-1'
SELECT count(*) FROM acid_event
SELECT DISTINCT signature, count(signature) as sig_cnt, min(timestamp), max(timestamp) FROM acid_event GROUP BY signature ORDER BY sig_cnt DESC
SELECT COUNT(DISTINCT acid_event.sid), COUNT(DISTINCT ip_src), COUNT(DISTINCT ip_dst) FROM acid_event WHERE signature='17'
SELECT timestamp, acid_event.sid, acid_event.cid FROM acid_event WHERE signature='17' ORDER BY timestamp DESC
SELECT timestamp, acid_event.sid, acid_event.cid FROM acid_event WHERE signature='17' ORDER BY timestamp ASC
SELECT sig_name FROM signature WHERE sig_id='17'
SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id='17'
SELECT sig_sid FROM signature WHERE sig_id='17'
SELECT sig_class_id FROM signature WHERE sig_id = '17'
SELECT sig_class_name FROM sig_class WHERE sig_class_id = '0'
SELECT COUNT(DISTINCT acid_event.sid), COUNT(DISTINCT ip_src), COUNT(DISTINCT ip_dst) FROM acid_event WHERE signature='45'
SELECT timestamp, acid_event.sid, acid_event.cid FROM acid_event WHERE signature='45' ORDER BY timestamp DESC
SELECT timestamp, acid_event.sid, acid_event.cid FROM acid_event WHERE signature='45' ORDER BY timestamp ASC
SELECT sig_name FROM signature WHERE sig_id='45'
SELECT sig_class_id FROM signature WHERE sig_id = '45'
SELECT sig_class_name FROM sig_class WHERE sig_class_id = '0'
SELECT COUNT(DISTINCT acid_event.sid), COUNT(DISTINCT ip_src), COUNT(DISTINCT ip_dst) FROM acid_event WHERE signature='18'
SELECT timestamp, acid_event.sid, acid_event.cid FROM acid_event WHERE signature='18' ORDER BY timestamp DESC
SELECT timestamp, acid_event.sid, acid_event.cid FROM acid_event WHERE signature='18' ORDER BY timestamp ASC
SELECT sig_name FROM signature WHERE sig_id='18'
SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id='18'
SELECT ref_system_id, ref_tag FROM reference WHERE ref_id='8'
SELECT ref_system_name FROM reference_system WHERE ref_system_id='1'
SELECT sig_sid FROM signature WHERE sig_id='18'
SELECT sig_class_id FROM signature WHERE sig_id = '18'
SELECT sig_class_name FROM sig_class WHERE sig_class_id = '5'
SELECT COUNT(DISTINCT acid_event.sid), COUNT(DISTINCT ip_src), COUNT(DISTINCT ip_dst) FROM acid_event WHERE signature='202'
SELECT timestamp, acid_event.sid, acid_event.cid FROM acid_event WHERE signature='202' ORDER BY timestamp DESC
SELECT timestamp, acid_event.sid, acid_event.cid FROM acid_event WHERE signature='202' ORDER BY timestamp ASC
SELECT sig_name FROM signature WHERE sig_id='202'
SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id='202'
SELECT sig_sid FROM signature WHERE sig_id='202'
SELECT sig_class_id FROM signature WHERE sig_id = '202'
SELECT sig_class_name FROM sig_class WHERE sig_class_id = '0'
SELECT COUNT(DISTINCT acid_event.sid), COUNT(DISTINCT ip_src), COUNT(DISTINCT ip_dst) FROM acid_event WHERE signature='40'
SELECT timestamp, acid_event.sid, acid_event.cid FROM acid_event WHERE signature='40' ORDER BY timestamp DESC
SELECT timestamp, acid_event.sid, acid_event.cid FROM acid_event WHERE signature='40' ORDER BY timestamp ASC
SELECT sig_name FROM signature WHERE sig_id='40'
SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id='40'
SELECT sig_sid FROM signature WHERE sig_id='40'
SELECT sig_class_id FROM signature WHERE sig_id = '40'
SELECT sig_class_name FROM sig_class WHERE sig_class_id = '0'

[Editor's note: the log header reads "snort@localhost:3306 as snort", which suggests ACID is connecting as the MySQL user `snort`, not `aciduser`. If so, the GRANT statements above apply to an account ACID is not using, and it is the privileges of `snort` that decide whether deletes are permitted. Separately, the first GRANT names `aciduser` with no host part, which MySQL treats as any host; the `aciduser@localhost` form is the narrower grant when ACID runs on the database host.]

-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users