Thread: [Secureideas-base-devel] [Secureideas-base-user] Can't delete alerts
From: Ron M. <rj...@rj...> - 2005-11-28 04:01:06
When I try to delete alerts from the "5 most frequent alerts" page (by selecting the checkbox next to the alerts, selecting "delete alerts" from the dropdown box under "ACTION", and then hitting the "Selected" button), the alerts are not deleted and I get an error message like this:

> No alerts were selected or the Delete alert(s) was not successful

Output of debug mode is at the bottom of this message.

I'm using Debian's 'acidbase' package, from the 'testing' distribution. Anyone have any suggestions?

Thanks,

.....Ron

--
Ron Murray (rj...@rj...)
http://www.rjmx.net/~ron
GPG Public Key Fingerprint: F2C1 FC47 5EF7 0317 133C D66B 8ADA A3C4 D86C 74DE

============================================================
Session Registered
importing SESSION var 'sig'
importing SESSION var 'sig_type'
importing SESSION var 'sig_class'
importing SESSION var 'sig_priority'
importing SESSION var 'ag'
importing SESSION var 'sensor'
importing SESSION var 'time'
importing SESSION var 'time_cnt'
importing SESSION var 'ip_addr'
importing SESSION var 'ip_addr_cnt'
importing SESSION var 'layer4'
importing SESSION var 'ip_field'
importing SESSION var 'ip_field_cnt'
importing SESSION var 'tcp_port'
importing SESSION var 'tcp_port_cnt'
importing SESSION var 'tcp_flags'
importing SESSION var 'tcp_field'
importing SESSION var 'tcp_field_cnt'
importing SESSION var 'udp_port'
importing SESSION var 'udp_port_cnt'
importing SESSION var 'udp_field'
importing SESSION var 'udp_field_cnt'
importing SESSION var 'icmp_field'
importing SESSION var 'icmp_field_cnt'
importing SESSION var 'rawip_field'
importing SESSION var 'rawip_field_cnt'
importing SESSION var 'data'
importing SESSION var 'data_cnt'
importing SESSION var 'data_encode'
Checking for DB abstraction lib in '/usr/share/php/adodb/adodb.inc.php'

Basic Analysis and Security Engine (BASE)
Home | Search
[ Back ]

URL: '/acidbase/base_stat_alerts.php' (referred by: 'http://www.rjmx.net/acidbase/base_stat_alerts.php?caller=most_frequent&sort_order=occur_d')
PARAMETERS: '
CLIENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
SERVER: Apache
SERVER HW: Linux tinkerbell 2.6.14.2-tinkerbell-0 #1 Fri Nov 18 22:50:17 EST 2005 ppc
DATABASE TYPE: mysql
DB ABSTRACTION VERSION: V4.64 20 June 2005 (c) 2000-2005 John Lim (jlim#natsoft.com.my). All rights reserved. Released BSD & LGPL.
PHP VERSION: 5.0.5-3
PHP API: apache2handler
BASE VERSION: 1.2.1 (kris)
SESSION ID: 6bf00552e239c9930a5578463e8c4807( 2248 bytes )
Checking for DB abstraction lib in '/usr/share/php/adodb/adodb.inc.php'
sensor #1: event.cid = 0, acid_event.cid = 0
sensor #2: event.cid = 0, acid_event.cid = 0
sensor #3: event.cid = 0, acid_event.cid = 0
sensor #4: event.cid = 0, acid_event.cid = 0
sensor #5: event.cid = 0, acid_event.cid = 0
sensor #6: event.cid = 0, acid_event.cid = 0
sensor #7: event.cid = 0, acid_event.cid = 0
sensor #8: event.cid = 135761, acid_event.cid = 135761
Added 0 alert(s) to the Alert cache
Queried on : Sun November 27, 2005 22:47:47
Meta Criteria any
IP Criteria any
Layer 4 Criteria none
Payload Criteria any
Summary Statistics
# Sensors / # Unique Alerts ( classifications )
# Unique addresses: Source | Destination
# Unique IP links
# Source Port: TCP | UDP
# Destination Port: TCP | UDP
# Time profile of alerts
==== ACTION ======
context = 2
==== Delete alert(s) Alerts ========
num_alert = 5
action_sql = FROM acid_event WHERE 1 = 1
action_op = Selected
action_arg =
action_param =
context = 2
limit_start = -1
limit_offset = -1
using_blobs = 1
Gathering elements from 1 alert blobs
0 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE 1 = 1 AND signature='-1'
1 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE 1 = 1 AND signature='-1'
2 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE 1 = 1 AND signature='-1'
3 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE 1 = 1 AND signature='-1'
4 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE 1 = 1 AND signature='-1'
No alerts were selected or the Delete alert(s) was not successful
-------------------------------------
action_cnt = 0
dup_cnt = 0
num_alert = 4
==== Delete alert(s) Alerts END ========
Valid Canned Query List
Array
(
    [most_frequent] => Array
        (
            [0] => 5
            [1] => Most Frequent Alerts
            [2] => occur_d
        )
    [last_alerts] => Array
        (
            [0] => 15
            [1] => Last Alerts
            [2] => last_d
        )
)
Query State
caller = 'most_frequent'
num_result_rows = '5'
sort_order = 'occur_d'
current_view = '0'
action_arg = ''
action = 'del_alert'
SELECT DISTINCT signature, count(signature) as sig_cnt, min(timestamp), max(timestamp), sig_name, count(DISTINCT(sid)), count(DISTINCT(ip_src)), count(DISTINCT(ip_dst)) FROM acid_event WHERE 1 = 1 GROUP BY signature, sig_name ORDER BY sig_cnt DESC

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Secureideas-base-user mailing list
Sec...@li...
https://lists.sourceforge.net/lists/listinfo/secureideas-base-user
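The debug trace above is the only hard evidence in the thread, and it is worth reading carefully: every one of the five "alert blob" queries filters on the sentinel value signature='-1', action_arg is empty, and action_cnt ends at 0. In other words the delete handler ran, but the selection from the form never reached it, which is exactly why BASE reports "No alerts were selected". The following parser is an added example (it is not code from the thread or from the BASE project) that pulls those facts out of a BASE "Delete alert(s)" debug section and turns them into findings; the trace string is constructed from Ron's post, and the field names it keys on (action_arg, action_cnt, the per-blob SQL lines) are taken from that post rather than from BASE's source.

```python
import re

# Constructed excerpt of the "Delete alert(s)" section of the BASE debug
# trace posted in the thread (only the lines this parser needs).
DEBUG_TRACE = """\
==== Delete alert(s) Alerts ========
num_alert = 5
action_sql = FROM acid_event WHERE 1 = 1
action_op = Selected
action_arg =
action_param =
context = 2
limit_start = -1
limit_offset = -1
using_blobs = 1
Gathering elements from 1 alert blobs
0 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE 1 = 1 AND signature='-1'
1 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE 1 = 1 AND signature='-1'
2 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE 1 = 1 AND signature='-1'
3 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE 1 = 1 AND signature='-1'
4 = [using SQL 5 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE 1 = 1 AND signature='-1'
No alerts were selected or the Delete alert(s) was not successful
-------------------------------------
action_cnt = 0
dup_cnt = 0
num_alert = 4
==== Delete alert(s) Alerts END ========
"""

# One line per alert blob: "<index> = [using SQL <n> for blob ]: SELECT ..."
BLOB_RE = re.compile(r"^(\d+) = \[using SQL \d+ for blob \]: (SELECT .*)$")
# Plain "name = value" counters emitted by the debug mode.
KV_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")
# "AND column='value'" criteria appended to the blob query's WHERE clause.
CRIT_RE = re.compile(r"AND\s+(\w+)\s*=\s*'([^']*)'")


def parse_delete_section(trace):
    """Return (counters, blobs) from a BASE 'Delete alert(s)' debug section.

    counters maps each "name = value" key to the list of values seen (num_alert
    appears twice in the real trace); blobs holds one dict per blob query with
    the raw SQL and the column='value' criteria found in it.
    """
    counters = {}
    blobs = []
    for line in trace.splitlines():
        m = BLOB_RE.match(line)
        if m:
            sql = m.group(2)
            blobs.append({"index": int(m.group(1)), "sql": sql,
                          "criteria": dict(CRIT_RE.findall(sql))})
            continue
        m = KV_RE.match(line)
        if m:
            counters.setdefault(m.group(1), []).append(m.group(2).strip())
    return counters, blobs


def diagnose(trace):
    """Explain a 'No alerts were selected' result from the trace alone."""
    counters, blobs = parse_delete_section(trace)
    findings = []
    # A blob whose every criterion is the sentinel -1 cannot match any row.
    sentinel = [b for b in blobs
                if b["criteria"] and all(v == "-1" for v in b["criteria"].values())]
    if blobs and len(sentinel) == len(blobs):
        findings.append("all %d alert blobs filter on the sentinel value -1: "
                        "the selected signatures never reached the handler" % len(blobs))
    if counters.get("action_arg", [""])[0] == "":
        findings.append("action_arg is empty: the form posted no alert identifiers")
    if blobs and counters.get("action_cnt", ["0"])[-1] == "0":
        findings.append("action_cnt = 0 although %d blobs were processed" % len(blobs))
    return findings


if __name__ == "__main__":
    for finding in diagnose(DEBUG_TRACE):
        print("-", finding)
```

Run against the constructed trace, diagnose() returns three findings that together describe the symptom in Ron's post: sentinel criteria on every blob, an empty action_arg, and an action_cnt of zero. The parser deliberately trusts nothing but the text of the trace, so it cannot say why the selection was lost (Kevin's reply attributes that to the Debian package's patches); it only shows what the debug output does and does not prove.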
From: Kevin J. <kjo...@se...> - 2005-11-28 04:42:05
On Sun, 2005-11-27 at 22:59 -0500, Ron Murray wrote:
> When I try to delete alerts from the "5 most frequent alerts" page (by
> selecting the checkbox next to the alerts, selecting "delete alerts"
> from the dropdown box under "ACTION", and then hitting the "Selected"
> button, the alerts are not deleted and I get an error message like this:
>
> > No alerts were selected or the Delete alert(s) was not successful
>
> Output of debug mode is at the bottom of this message.
>
> I'm using Debian's 'acidbase' package, from the 'testing' distribution.
> Anyone have any suggestions?
>
> Thanks,
>
> .....Ron

Hi-

I apologize but we can not support the acidbase package from Debian currently. They have applied patches that have broken a number of features and I have not yet had time to install Debian again and test out what is there.

We do have a bug where if you have deleted something and then try to delete something else it fails the first time. But that doesn't sound like what you described.

Sorry,

Kevin

---------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!
From: Ron M. <rj...@rj...> - 2005-11-28 05:04:02
Kevin Johnson wrote:
> On Sun, 2005-11-27 at 22:59 -0500, Ron Murray wrote:
>
>> When I try to delete alerts from the "5 most frequent alerts" page (by
>> selecting the checkbox next to the alerts, selecting "delete alerts"
>> from the dropdown box under "ACTION", and then hitting the "Selected"
>> button, the alerts are not deleted and I get an error message like this:
>>
>>> No alerts were selected or the Delete alert(s) was not successful
>>
>> Output of debug mode is at the bottom of this message.
>>
>> I'm using Debian's 'acidbase' package, from the 'testing' distribution.
>> Anyone have any suggestions?
>>
>> Thanks,
>>
>> .....Ron
>
> Hi-
>
> I apologize but we can not support the acidbase package from Debian
> currently. They have applied patches that have broken a number of
> features and I have not yet had time to install Debian again and test
> out what is there.
>
> We do have a bug where if you have deleted something and then try to
> delete something else it fails the first time. But that doesn't sound
> like what you described.
>
> Sorry,
>
> Kevin

Yep, now that I think about it, you're probably right. I was using the original ACID both at work and here at home, and both worked fine until a Debian update a couple of weeks ago. I updated the work machine to use BASE, and everything was fine after that so I assumed it was an ACID problem.

However, the work machine is running Debian stable, which currently doesn't have BASE, so I got it running by downloading it from your website and installing manually. No problems. The machine here at home runs Debian testing, so I thought I'd get the same result by just installing the package. Sigh. Apparently not.

I'll do a manual install myself and that should probably work ok. I'd file a Debian bug, but experience with this particular maintainer tells me that that would be like talking to a wall, and I can do that much more easily here at home. Sigh again.

Sorry to bother you. I should have realised that I'd installed BASE manually on the work machine before I posted.

Thanks,

.....Ron

--
Ron Murray (rj...@rj...)
http://www.rjmx.net/~ron
GPG Public Key Fingerprint: F2C1 FC47 5EF7 0317 133C D66B 8ADA A3C4 D86C 74DE
From: Kevin J. <kjo...@se...> - 2005-11-28 12:18:05
On Mon, 2005-11-28 at 00:02 -0500, Ron Murray wrote:
> Yep, now that I think about it, you're probably right. I was using the
> original ACID both at work and here at home, and both worked fine until
> a Debian update a couple of weeks ago. I updated the work machine to use
> BASE, and everything was fine after that so I assumed it was an ACID
> problem.
>
> However, the work machine is running Debian stable, which currently
> doesn't have BASE, so I got it running by downloading it from your
> website and installing manually. No problems. The machine here at home
> runs Debian testing, so I thought I'd get the same result by just
> installing the package. Sigh. Apparently not.
>
> I'll do a manual install myself and that should probably work ok. I'd
> file a Debian bug, but experience with this particular maintainer tells
> me that that would be like talking to a wall, and I can do that much
> more easily here at home. Sigh again.
>
> Sorry to bother you. I should have realised that I'd installed BASE
> manually on the work machine before I posted.
>
> Thanks,
>
> .....Ron

Hi-

Not a problem. I am happy to hear that the downloaded version works! <grin> If you need anything with that version just let me know.

Kevin