Sguil DB table names
From: Y M <snort () outlook com>
Date: Sun, 12 May 2013 05:40:04 +0000
This is not strictly a Snort question, it is more related to Sguil and hoping that someone may have insight into this.
I have a Sguil sensor setup to only use the snort_agent. My understanding of Sguil is that as soon as a sensor reports
an alert to the server for the first time, it will create the event, data, icmphdr, iphdr, tcphdr, and udphdr tables
into the Sguil DB on the server.
That said, my setup does create the tables; however, it appends the sensor name and a date stamp to the table names. For
example, my sensor name is "ids-test" and the date is 12 May 2013. In this case, the tables created will have the
following naming convention: tablename_sensorname_datestamp --> event_ids-test_20130512. This happens to all tables
that get created.
This results in the following error:

ERROR: sguil: Expected confirm 1 and got: Failed to insert 1: mysqlexec/db server:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right
syntax to use near 'TYPE=MERGE UNION=('event_ids-test_20130512')' at line 1

If I rename the tables to the proper names, and run Sguil again, I get the following error:

ERROR: sguil: Expected confirm 1 and got: Failed to insert 1: mysqlexec/db server: Table 'sguildb.event_ids-test_20130512' does not exist.
If I drop the created tables and run the process, the same error (first one) occurs again.
Am I missing something in the configurations (Barnyard2 or snort_agent.conf) or the entire setup?