2013/12/07

-- Alert count per signature and source IP (Snort database)
select signature, count(*) as cnt, inet_ntoa(ip_src) as src_ip
from event, iphdr
where event.cid = iphdr.cid and event.sid = iphdr.sid
group by signature, ip_src
order by cnt;

Good!
http://sgros.blogspot.tw/2012/07/querying-snort-sql-database.html
