[Oisf-users] Strange Alerts with sig_id=1 and gen_id=2

Shane Boissevain shaneboissevain at gmail.com
Tue Nov 15 22:40:20 UTC 2016


Jason,

YOU NAILED IT! In less than an hour from my original post (I love this
community :-D)

I was able to confirm that this was the cause by writing a dummy alert to
trip on visits to google.com. Placing tag:session,2,packets; into the alert
causes 2 additional events to enter the unified2 file, both with sid: 1 and
gen: 2, as expected.

So now that I know why it's happening I can move on with my life.

Barnyard2 wasn't actually having any problems; I'm fairly certain that a
standard installation of barnyard2 and suricata would roll right through
this with no issues. It was actually a trigger I've got running in my database
that couldn't join on the generator 2 in the alert, which was causing the
following:

err barnyard2: ERROR database: database: postgresql_error: ERROR:  null
value in column "sig_gid" violates not-null constraint

Sincerely,
Shane Boissevain
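The behaviour described in this thread, in code, as an added example that is not from the thread, from Suricata or from barnyard2: a small unified2 reader that walks the record stream, keeps the IDS event records, and separates the gen_id=2 / sig_id=1 events that `tag:session,2,packets;` produces from the rule alert that triggered them. It then models the database side in two ways: a naive lookup that joins the event to the signature table by (gid, sid), which yields NULL for the tagged events exactly as the trigger here did, and a safe variant that maps those events to generator 2 instead of NULL. It assumes the legacy UNIFIED2_IDS_EVENT record layout (type 7, 52-byte big-endian body) as documented for Snort's unified2 format; the sample spool buffer, the dummy rule's sid 1000001 and the signature-table rows are all constructed for the example.

```python
"""Reading unified2 and separating tag-generated events from rule alerts.

Added example; not code from the mailing-list thread, Suricata or barnyard2.
Assumes the legacy UNIFIED2_IDS_EVENT record (type 7, 52-byte big-endian
body). The sample buffer below is constructed with the helpers in this file.
"""
import struct
from dataclasses import dataclass
from typing import Optional

RECORD_HDR = struct.Struct(">II")      # record type, body length
IDS_EVENT = struct.Struct(">11I2H4B")  # UNIFIED2_IDS_EVENT body (52 bytes)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
TAG_GEN_ID, TAG_SIG_ID = 2, 1          # gen_id / sig_id of events produced by tag:


@dataclass
class Event:
    sensor_id: int
    event_id: int
    event_second: int
    signature_id: int
    generator_id: int
    signature_revision: int
    src: str
    dst: str
    sport: int
    dport: int
    protocol: int


def _ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def parse_unified2(buf: bytes) -> list:
    """Walk the record stream; return IDS events, skip packet/extra-data records."""
    events, off = [], 0
    while off < len(buf):
        if off + RECORD_HDR.size > len(buf):
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = RECORD_HDR.unpack_from(buf, off)
        off += RECORD_HDR.size
        body = buf[off:off + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record body at offset %d" % off)
        off += rlen
        if rtype != UNIFIED2_IDS_EVENT:
            continue                      # UNIFIED2_PACKET etc. carry no sid/gid
        f = IDS_EVENT.unpack(body)
        events.append(Event(f[0], f[1], f[2], f[4], f[5], f[6],
                            _ip(f[9]), _ip(f[10]), f[11], f[12], f[13]))
    return events


def is_tagged_packet_event(ev: Event) -> bool:
    """True for the gen_id=2 / sig_id=1 events that tag:session,... adds."""
    return ev.generator_id == TAG_GEN_ID and ev.signature_id == TAG_SIG_ID


def resolve_sig_gid(ev: Event, signature_table: dict) -> Optional[int]:
    """Naive trigger logic: join the event to the signature table by (gid, sid).
    Tag events have no rule behind them, so the join yields None -> NULL sig_gid."""
    row = signature_table.get((ev.generator_id, ev.signature_id))
    return row["sig_gid"] if row else None


def resolve_sig_gid_safe(ev: Event, signature_table: dict) -> int:
    """Same join, but tag-generated events map to generator 2 instead of NULL."""
    gid = resolve_sig_gid(ev, signature_table)
    if gid is None and is_tagged_packet_event(ev):
        return TAG_GEN_ID
    if gid is None:
        raise LookupError("unknown signature gid=%d sid=%d"
                          % (ev.generator_id, ev.signature_id))
    return gid


# --- constructed sample stream: one dummy alert followed by two tag events ---
def _event_record(event_id, second, sid, gid, src, dst, sport, dport, proto):
    body = IDS_EVENT.pack(1, event_id, second, 0, sid, gid, 1, 0, 0,
                          src, dst, sport, dport, proto, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def _packet_record(event_id, second, pkt):
    # sensor, event_id, event_sec, pkt_sec, pkt_usec, linktype (1 = Ethernet), length
    body = struct.pack(">7I", 1, event_id, second, second, 0, 1, len(pkt)) + pkt
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


SRC, DST = 0x0A000005, 0xC633640A      # 10.0.0.5 -> 198.51.100.10 (constructed)
DUMMY_SID = 1000001                     # constructed sid for the "visits google" test rule
SAMPLE = b"".join([
    _event_record(101, 1479249620, DUMMY_SID, 1, SRC, DST, 51234, 80, 6),
    _packet_record(101, 1479249620, b"\x00" * 60),
    _event_record(102, 1479249620, TAG_SIG_ID, TAG_GEN_ID, SRC, DST, 51234, 80, 6),
    _packet_record(102, 1479249620, b"\x00" * 60),
    _event_record(103, 1479249621, TAG_SIG_ID, TAG_GEN_ID, SRC, DST, 51234, 80, 6),
    _packet_record(103, 1479249621, b"\x00" * 60),
])
# Only real rules are loaded into the signature table, as barnyard2 would do.
SIGNATURE_TABLE = {(1, DUMMY_SID): {"sig_gid": 1, "sig_sid": DUMMY_SID}}


def summarize(buf: bytes = SAMPLE, table: dict = SIGNATURE_TABLE) -> dict:
    events = parse_unified2(buf)
    tagged = [e for e in events if is_tagged_packet_event(e)]
    return {"events": len(events),
            "rule_alerts": len(events) - len(tagged),
            "tagged_packets": len(tagged),
            "naive_null_gids": sum(resolve_sig_gid(e, table) is None for e in events),
            "safe_gids": [resolve_sig_gid_safe(e, table) for e in events]}


if __name__ == "__main__":
    print(summarize())
```

Running it prints three events: the dummy alert plus two tag-generated events, and the naive join returns None for both of the latter, which is the NULL that the not-null constraint on sig_gid rejected. Anything inserting events into a signature-keyed schema needs the same branch as resolve_sig_gid_safe, or it has to treat (gen 2, sid 1) as a known pseudo-signature up front.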