Re: [Shoki-users] chroot - make db
From: Jaliya B. <ja...@sl...> - 2007-10-02 04:04:14
Dear Stephen,

Thank you very much for the info. Please forgive me for troubling you; I can understand how busy you are. Actually I did my best first, but due to the little knowledge I have of the Unix environment I could not even try running it manually. So I'll try it first and only let you know if I cannot fix it (I'm picking up the Unix environment fast).

Actually, before going for implementation, I want to test whether it is possible to get Shoki logs with the vulnerability references: that is, if an attack is going on, will it be possible for Shoki to log that event referring to some vulnerability number (CVE, Bugtraq etc.) without having the data in the 'Vulnerabilities' table, since the Snort rules have those references? Or else, will Shoki work without data in this table? This is the problem I am having.

OK, let me give it a try. If I want to re-write the script to load CVE data, where should I start?

Regards,
Jaliya

===============
Jaliya Bandara
Engineer - SAIII
Internet Data Center, Sri Lanka Telecom PLC.
94 716 816 425

-----Original Message-----
From: Stephen P. Berry [mailto:sp...@me...]
Sent: Tuesday, October 02, 2007 6:29 AM
To: Jaliya Bandara
Cc: sho...@li...
Subject: Re: [Shoki-users] chroot - make db

> . 'importer' does not populate the db tables.
> o All the shoki*.gz go to '/usr/local/shoki/central/localhost.localdomain/corrupt'. Where can the problem be?

Have you tried running the importer script by hand, and if so, does it report any errors? If it doesn't, try running lexer(1) by hand on one or more of the dump files. Without any additional information, it's difficult to guess what the problem might be.

> . It's not possible to insert all the CVE entries using 'cve2shoki -f'. http://cve.mitre.org/ does not have CVE & CAN .csv files any more, only 'allitems.csv' with both 'cve' & 'can' together. In this file there are more than 40k entries, but only about 1762 are loaded into the 'vulnerabilities' table. It says the other records have syntax errors such as '. Replacing those with spaces did not work.

This probably won't be fixed for shoki 0.3.0. In the soon-to-be-released shoki 1.0, importing foreign data formats (like CVE and CAN) is handled by their own loadable modules. In 0.3.0, it's just hard-coded into a script. So the only way to make it work in 0.3.0 would be to re-write the script itself. If you want to undertake a re-write of the script, I'd be glad to incorporate it into the 0.3.0 source and make the update available via sourceforge. Otherwise, it may or may not get fixed in 0.3.0, depending on how busy I am.

-spb
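Records that fail with a syntax error whenever the description contains a ' are the classic symptom of a loader that splices CSV fields straight into SQL text. As an added illustration (not shoki's cve2shoki script, nor code from either poster), the block below shows that anti-pattern next to a loader that parses a CVE-style allitems.csv with Python's csv module and inserts with bound parameters; the column names and sample rows are constructed assumptions, not MITRE's actual export format.

```python
import csv
import io
import sqlite3

# Constructed sample in the general shape of a CVE allitems.csv export.
# Column names are an assumption, not MITRE's exact header or shoki's schema.
SAMPLE_CSV = """Name,Status,Description,References
CVE-1999-0001,Entry,"ip_input.c in BSD-derived TCP/IP allows a denial of service",BUGTRAQ:19981223
CAN-2004-0001,Candidate,"A 'quoted' description with an apostrophe, a comma, and ""double quotes"" inside",MISC:http://example.invalid/x
CVE-2005-0002,Entry,"Multi-line
description",CONFIRM:http://example.invalid/y
"""

def naive_insert_fails(description: str) -> bool:
    """Anti-pattern: splicing the field into the SQL text. An apostrophe in
    the data ends the string literal early, so SQLite rejects the statement
    with a syntax error (crafted input could alter the statement instead)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (d TEXT)")
    try:
        conn.execute("INSERT INTO t VALUES ('" + description + "')")
        return False
    except sqlite3.OperationalError:
        return True

def load_vulnerabilities(conn: sqlite3.Connection, text: str) -> int:
    """Parse CVE-style CSV and insert every row with bound parameters.
    The csv module copes with quoted commas, embedded newlines and doubled
    quotes; parameter binding keeps the data out of the SQL grammar."""
    conn.execute("CREATE TABLE IF NOT EXISTS vulnerabilities "
                 "(name TEXT PRIMARY KEY, status TEXT, description TEXT, refs TEXT)")
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        name = rec["Name"].strip()
        if not name.startswith(("CVE-", "CAN-")):
            continue  # skip malformed lines instead of aborting the whole import
        rows.append((name, rec["Status"], rec["Description"], rec["References"]))
    with conn:
        conn.executemany("INSERT OR REPLACE INTO vulnerabilities VALUES (?, ?, ?, ?)", rows)
    return len(rows)

def lookup(conn: sqlite3.Connection, name: str):
    row = conn.execute("SELECT description FROM vulnerabilities WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None

def demo():
    conn = sqlite3.connect(":memory:")
    count = load_vulnerabilities(conn, SAMPLE_CSV)
    return count, lookup(conn, "CAN-2004-0001")
```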