Re: SV: SV: [Secureideas-base-devel] Search form enhancement
From: Kevin J. <kjo...@se...> - 2005-03-24 22:27:22
On Thu, 2005-03-24 at 07:35, Christian Svensson wrote:
> Hola
>
> On your server do the following
>
> 1. from main page click search
> 2. add the ip criteria "218.145.226.85" (Src or Dst)
> 3. click Query DB
>
> ID  < Signature >  < Timestamp >  < Source Address >  < Dest. Address >  < Layer 4 Proto >
> #0-(3-23662)  [snort] BLEEDING-EDGE Policy SSH Successful user connection  2005-03-24 06:23:54  218.145.226.85:59662  66.177.41.115:22  TCP
> #1-(3-23664)  [snort] BLEEDING-EDGE Potential SSH Scan  2005-03-24 06:24:15  218.145.226.85:33960  66.177.41.115:22  TCP
> #2-(3-23665)  [snort] BLEEDING-EDGE Potential SSH Scan  2005-03-24 06:24:54  218.145.226.85:35473  66.177.41.115:22  TCP
>
> Now do
>
> 1. from main page click search
> 2. add the ip criteria "218.145.226.85" (Src or Dst)
> 3. Mark sort order signature
> 4. click Query DB
>
> ID  < Signature >  < Timestamp >  < Source Address >  < Dest. Address >  < Layer 4 Proto >
> #0-(3-23662)  [snort] BLEEDING-EDGE Policy SSH Successful user connection  2005-03-24 06:23:54  218.145.226.85:59662  66.177.41.115:22  TCP
> #1-(3-23664)  [snort] BLEEDING-EDGE Potential SSH Scan  2005-03-24 06:24:15  218.145.226.85:33960  66.177.41.115:22  TCP
> #2-(3-23665)  [snort] BLEEDING-EDGE Potential SSH Scan  2005-03-24 06:24:54  218.145.226.85:35473  66.177.41.115:22  TCP
> #3-(3-23666)  [snort] BLEEDING-EDGE Policy SSH Successful user connection  2005-03-24 06:24:58  218.145.226.85:35473  66.177.41.115:22  TCP
>
> As u can see the result will be the same, if I have guessed correctly should this sort order show the alerts in A-Z order which it does not.
>
> So what do u mean by "The sig sort works as far as I can see" ?
>
> /Christian

Ok this makes sense now... I misunderstood since the original bug report wasn't talking about sort order from a search but from a selection on the main page.... so I tested the original report that I had discussed with Harry way back when....

I am tearing apart the code now.... <g>

Kevin