Ok,
Let's see if you have any alerts in the database:
On the honeywall:
1. mysql -u roo -p (password should be honey)
2. use walleye_0_3;
3. select * from ids;
If there are alerts in the ids table, we need to see if the sig_id of
the alert is in the db.
+--------+-----------+--------+----------+------------+------+----------+---------+---------+----------------+------+---------------+
| ids_id | sensor_id | sig_id | argus_id | sec        | usec | priority | sig_rev | sig_gen | classification | type | to_be_deleted |
+--------+-----------+--------+----------+------------+------+----------+---------+---------+----------------+------+---------------+
|      1 | 168430146 |   2050 |      422 | 1200141167 |    0 |        3 |      11 |       1 |             29 | NULL |             0 |
|      2 | 168430146 |   2004 |      422 | 1200141167 |    0 |        2 |       7 |       1 |             30 | NULL |             0 |
From my sample results here, you should see the sig_id corresponding
to each alert. The first one in my list has a sig_id of 2050. To see
if this sig_id is in my db:
select * from ids_sig where ids_sig_id = 2050;
+------------+-----------+---------------------------------+----------------------------------------------------------------------------------------------------------------+
| ids_sig_id | sensor_id | sig_name                        | reference                                                                                                      |
+------------+-----------+---------------------------------+----------------------------------------------------------------------------------------------------------------+
|       2050 | 168430146 | MS-SQL version overflow attempt | bugtraq,5310 || cve,2002-0649 || nessus,10674 || url,www.microsoft.com/technet/security/bulletin/MS02-039.mspx |
+------------+-----------+---------------------------------+----------------------------------------------------------------------------------------------------------------+
1 row in set (0.04 sec)
So select one of your sig_ids from your list of alerts and see if the
signature is in the db. If not, then we need to add your sigs to the
db so that walleye knows how to present the information.
Let me know how it goes.
Rob
On Jan 31, 2008, at 10:56 AM, Nelson Rodriguez wrote:
Yes, but in the walleye nothing appears (alerts).
_______________________________________________
Honeywall mailing list
https://public.honeynet.org/mailman/listinfo/honeywall
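
The per-alert lookup described in the reply above can be done for the whole ids table in one query. This is an added example, not part of the original message; it assumes it is run inside walleye_0_3, that ids.sig_id matches ids_sig.ids_sig_id (as in the lookup in the reply), and that ids.sec holds Unix epoch seconds.

```sql
-- Added example (not from the original message).
-- Run after: use walleye_0_3;
-- Lists every signature that has alerts in ids but no matching row in
-- ids_sig, i.e. the signatures that would need to be added to the db.
-- Assumption: ids.sig_id joins to ids_sig.ids_sig_id, as in the manual
-- lookup "select * from ids_sig where ids_sig_id = 2050;".
-- Assumption: ids.sec is a Unix timestamp (seconds since the epoch).
SELECT i.sig_id,
       i.sig_gen,
       i.sig_rev,
       COUNT(*)                  AS alert_count,
       FROM_UNIXTIME(MIN(i.sec)) AS first_seen,
       FROM_UNIXTIME(MAX(i.sec)) AS last_seen
FROM ids AS i
LEFT JOIN ids_sig AS s
       ON s.ids_sig_id = i.sig_id
WHERE s.ids_sig_id IS NULL          -- no signature row for this alert
GROUP BY i.sig_id, i.sig_gen, i.sig_rev
ORDER BY alert_count DESC;
```

An empty result means every alert in ids already has a signature row in ids_sig.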