search & signatures strings

BASE-user
Chris Ryan
2008-06-16
2013-06-03
  • Chris Ryan

    Chris Ryan - 2008-06-16

    Hi,

    i've a problem using the search functionality for signatures.

    The configs looks as follows:
    > * Should a combo box with possible signatures be displayed on the
    > * search form. (Requires Javascript)
    > *   0 : disabled
    > *   1 : show only non pre-processor signatures (e.g., ignore portscans)
    > *   2 : show all signatures
    > */
    >$use_sig_list = 1;

    When i visit the search site, and pick a signature out of that drop down box (and change nothing else on the screen), i always get the hole database as a search result. The signature search thing isn't even included in that small box for the meta criteria.

    As a workaround, i can use the predefined searches "most recent alerts" or "most frequent alert". Both are searching for signature groups with a number, not a string. But that number isn't the sid:

    search with string from drop down: IMAP SSLv2 openssl get shared ciphers overflow (sid=8438)
    search with "most recent alerts" searches for: "exactly = 6173"
       
    Can anybody give me a hint where BASE gets these numbers from, or, how to get the string-based search work?

    thanks in advance,
    chris.
           

     
    • Micah Gersten

      Micah Gersten - 2008-06-17

      It might be the sig_sid.  That's the unique identifier for the signature.  The sig_id whatever number signature it is in your DB,

      To search by string, select roughly from the drop down that says signature.  It'll do a like search

      Micah

       
    • Chris Ryan

      Chris Ryan - 2008-06-17

      Hi,

      >It might be the sig_sid.
      It seems to be the sig_id from the signature table.

      >To search by string, select roughly from the drop down that says signature. It'll do a like search
      Not in my case. Using these search parameters gets me the hole database as search result.

      When i select "roughly" from that drop down, and type the search string by hand in the text field right of "roughly", then i get a valid search result. But only using the signature drop down under the "roughly" by selecting a string from the list does not work. Then, that selection is ignored and the search result is all the data.

      Is that "signature" drop down think just a kind of reminder or should it work the search, too?

      cheers, chris.

       
    • Juergen Leising

      Juergen Leising - 2008-06-17

      Hi Chris,

      cookies are enabled?

      Bye, bye

      Juergen

       
    • Micah Gersten

      Micah Gersten - 2008-06-17

      The list is a list of alert classifications where "roughly" actually does a text search of the signature name.  If you select roughly, you have to give it a criterion to search by.

      Micah

       
    • Chris Ryan

      Chris Ryan - 2008-06-18

      Hi,

      cookies are enabled.

      Additionaly, even "exactly" and some string from the drop down box does not work at all.
      The search criteria field is empty, and i get back all the database values.

      bye, Chris.

       
    • Juergen Leising

      Juergen Leising - 2008-06-26

      Hi Chris,

      there were indeed some bugs around the search form.  I believe, they are fixed now in CVS.
      So, please update, and tell us whether this
      is resolved for you, as well, or whether there have now been triggered some nasty
      side effects.

      Bye, bye

      Juergen

       
      • Chris Ryan

        Chris Ryan - 2008-06-30

        Hi,

        > So, please update, and tell us whether this is resolved for you, as well,
        It is. Works like a charm.
        Once again, thank you very much!

        bye, Chris.

         

Log in to post a comment.