[Oisf-users] Strange Alerts with sig_id=1 and gen_id=2

Shane Boissevain shaneboissevain at gmail.com
Tue Nov 15 22:40:20 UTC 2016


YOU NAILED IT! In less than hour from my original post (I love this
community :-D)

I was able to confirm that this was the cause by writing a dummy alert to
trip on visits to google.com. Placing tag:session,2,packets; into the alert
causes 2 additional events to enter the unified2 file, both with sid: 1 and
gen: 2, as expected.

So now that i know why it's happening i can move on with my life.

Barnyard2 wasn't actually having any problems, I'm fairly certain that a
standard installation of barnyard2 and suricata would roll right through
this no issues. It was actually a trigger I've got running in my database
that couldn't join on the generator 2 in the alert, which was causing the

err barnyard2: ERROR database: database: postgresql_error: ERROR:  null
value in column "sig_gid" violates not-null constraint

Shane Boissevain
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20161115/14de3bb0/attachment-0002.html>

More information about the Oisf-users mailing list