Hello Rob, all

Here is the output.

Regards,
NR.

From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [Honeywall] Would like to bring this ticket to the public list...
Date: Thu, 31 Jan 2008 11:47:20 -0600

Ok,
Let's see if you have any alerts in the database:
On the honeywall:
1. mysql -u roo -p (password should be honey)
2. use walleye_0_3;
3. select * from ids;
If there are alerts in the ids table, we need to see if the sig_id of the alert
is in the db.
+--------+-----------+--------+----------+------------+------+----------+---------+---------+----------------+------+---------------+
| ids_id | sensor_id | sig_id | argus_id | sec        | usec | priority | sig_rev | sig_gen | classification | type | to_be_deleted |
+--------+-----------+--------+----------+------------+------+----------+---------+---------+----------------+------+---------------+
|      1 | 168430146 |   2050 |      422 | 1200141167 |    0 |        3 |      11 |       1 |             29 | NULL |             0 |
|      2 | 168430146 |   2004 |      422 | 1200141167 |    0 |        2 |       7 |       1 |             30 | NULL |             0 |
From my sample results here, you should see the sig_id corresponding to each
alert. The first one in my list has a sig_id of 2050. To see if this sig_id
is in my db:
select * from ids_sig where ids_sig_id = 2050;
+------------+-----------+---------------------------------+----------------------------------------------------------------------------------------------------------------+
| ids_sig_id | sensor_id | sig_name                        | reference                                                                                                      |
+------------+-----------+---------------------------------+----------------------------------------------------------------------------------------------------------------+
|       2050 | 168430146 | MS-SQL version overflow attempt | bugtraq,5310 || cve,2002-0649 || nessus,10674 || url,www.microsoft.com/technet/security/bulletin/MS02-039.mspx |
+------------+-----------+---------------------------------+----------------------------------------------------------------------------------------------------------------+
1 row in set (0.04 sec)
So select one of your sig_ids from your list of alerts and see if the signature
is in the db. If not, then we need to add your sigs to the db so that walleye
knows how to present the information.
Let me know how it goes.
Rob

On Jan 31, 2008, at 10:56 AM, Nelson Rodriguez wrote:

Yes, but in the walleye nothing appears (alerts).
<<attachment: IDS_sig.png>>
<<attachment: tableIDS.png>>
_______________________________________________ Honeywall mailing list [email protected] https://public.honeynet.org/mailman/listinfo/honeywall
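
Rob's two manual steps (list the alerts, then look up one sig_id at a time) can be combined into a single query that lists every sig_id in ids with no matching row in ids_sig. This is an added example, not part of the original thread; it assumes ids.sig_id corresponds to ids_sig.ids_sig_id, as Rob's lookup implies, and that ids.sec holds Unix epoch seconds.

```sql
-- Added example, not from the original thread.
-- Assumptions: ids.sig_id refers to ids_sig.ids_sig_id (as in Rob's lookup),
-- and ids.sec is a Unix epoch timestamp.
USE walleye_0_3;

SELECT i.sig_id,
       COUNT(*)                  AS alerts,      -- alerts using this signature
       FROM_UNIXTIME(MIN(i.sec)) AS first_seen,
       FROM_UNIXTIME(MAX(i.sec)) AS last_seen
FROM ids AS i
LEFT JOIN ids_sig AS s
       ON s.ids_sig_id = i.sig_id
WHERE s.ids_sig_id IS NULL                       -- no signature row for this alert
GROUP BY i.sig_id
ORDER BY alerts DESC;
```

An empty result means every alert's signature is already in the db; each row returned is a sig_id that still has to be added to ids_sig.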
