Snort mailing list archives
Multiple instances of sig_name in signature file
From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Wed, 20 Feb 2002 14:26:53 -0500
I've installed multiple sensors writing to a common data analysis system using PostgreSQL as the backend database. Two of the sensors cover the inside and outside of a firewall. Regularly, the snort processes on the sensors die, complaining of multiple instances of a sig_name value in the signature table, and sure enough they're there. I've traced it down to a sequence of logic in spo_database.c that checks for the existence of a signature, then creates it if it doesn't exist. Since my sensors often see the same events (i.e. if a request is made from an internal browser with a questionable URL, both the inside and outside probe see it within milliseconds of each other), if this is the first occurrence of the signature, chances are both sensors will add it to the signature table. It seems to me that signature perhaps should be a unique key in the table, and the code modified to try an insert first and a retrieve if that fails.
-----Original Message-----
From: Semerjian, Ohanes [mailto:Semerjian.Ohanes () wcom com au]
Sent: Wednesday, February 20, 2002 1:26 AM
To: 'Federico'; Snort-users () lists sourceforge net
Cc: lorenzo
Subject: RE: [Snort-users] Real time alerting with multiple sensors

Let the snort machines log into one machine that runs a database, either MySQL or PostgreSQL, and run ACID on the same machine that u run the database on.

Best Regards
Ohanes Semerjian

-----Original Message-----
From: Federico [mailto:egopfe () hotmail com]
Sent: Wednesday, 13 February 2002 20:08
To: Snort-users () lists sourceforge net
Cc: lorenzo
Subject: [Snort-users] Real time alerting with multiple sensors

I've this problem, and this doubt for resolving it... which is the best choice to have a real time feedback in my scenario? plz tell me which is the best choice.

The Scenario
+ About 10 sensors in a routed MAN.
+ need to log to PostgreSQL for an historical purpose.
+ need to have a realtime feedback.

Naturally I want to concentrate logs in one server, and not to keep them distributed.

Solutions for real time feedback:
1) snmp traps to central server, snmptrapd scripted to send alerts by e-mail (anyone knows some program to attach to snmptrapd?)
2) syslog-ng from all sensors to central server, incident.pl running by crond every 5 seconds and alerting by e-mail.

Which is the best solution? Anyone has other solutions and/or some programs that can help me?? Thanks in advance.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
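The race Fraser describes (two sensors both pass the "does this sig_name exist?" check before either has inserted, so both insert) and the fix he proposes (a unique key on sig_name, insert first, select on failure) can be replayed against a small in-memory table. This is an added example, not code from Snort's spo_database.c or from the post; it uses Python's bundled sqlite3 in place of PostgreSQL, and the column names sig_id/sig_name and the constructed signature name are assumptions for the demonstration.

```python
import sqlite3

# Constructed schema loosely modelled on the signature table the post refers to.
# Column names and the sqlite substitution for PostgreSQL are assumptions.
SCHEMA = """
CREATE TABLE signature (
    sig_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name TEXT NOT NULL {constraint}
)
"""


def make_db(unique_sig_name: bool) -> sqlite3.Connection:
    """Open an in-memory database with or without a UNIQUE key on sig_name."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA.format(constraint="UNIQUE" if unique_sig_name else ""))
    return conn


def lookup(conn: sqlite3.Connection, sig_name: str):
    """Return the sig_id for sig_name, or None if it is not in the table yet."""
    row = conn.execute(
        "SELECT sig_id FROM signature WHERE sig_name = ?", (sig_name,)
    ).fetchone()
    return None if row is None else row[0]


def insert(conn: sqlite3.Connection, sig_name: str) -> int:
    """Insert a new signature row and return its sig_id."""
    cur = conn.execute("INSERT INTO signature (sig_name) VALUES (?)", (sig_name,))
    conn.commit()
    return cur.lastrowid


def check_then_insert_two_sensors(conn: sqlite3.Connection, sig_name: str):
    """Replay the interleaving from the post: both sensors run the existence
    check before either has inserted, so both see 'missing' and both insert.
    Without a UNIQUE key this silently creates a duplicate sig_name."""
    seen_a = lookup(conn, sig_name)   # sensor A: not found
    seen_b = lookup(conn, sig_name)   # sensor B: not found (A hasn't inserted yet)
    id_a = seen_a if seen_a is not None else insert(conn, sig_name)
    id_b = seen_b if seen_b is not None else insert(conn, sig_name)
    return id_a, id_b


def insert_then_lookup(conn: sqlite3.Connection, sig_name: str) -> int:
    """Insert-first variant: the UNIQUE key serialises concurrent creators.
    The loser's INSERT raises IntegrityError and falls back to a SELECT,
    so both sensors end up with the same sig_id and one row."""
    try:
        return insert(conn, sig_name)
    except sqlite3.IntegrityError:
        conn.rollback()
        return lookup(conn, sig_name)


def insert_first_two_sensors(conn: sqlite3.Connection, sig_name: str):
    """Same two-sensor scenario, using the insert-first strategy."""
    return insert_then_lookup(conn, sig_name), insert_then_lookup(conn, sig_name)


def row_count(conn: sqlite3.Connection, sig_name: str) -> int:
    """How many rows carry this sig_name (should always be 0 or 1)."""
    return conn.execute(
        "SELECT COUNT(*) FROM signature WHERE sig_name = ?", (sig_name,)
    ).fetchone()[0]


if __name__ == "__main__":
    name = "WEB-MISC example signature"   # constructed sig_name for the demo
    racy = make_db(unique_sig_name=False)
    print("check-then-insert, no unique key:", check_then_insert_two_sensors(racy, name),
          "rows:", row_count(racy, name))
    fixed = make_db(unique_sig_name=True)
    print("insert-first, unique key:", insert_first_two_sensors(fixed, name),
          "rows:", row_count(fixed, name))
```

Adding the UNIQUE key alone, while keeping the check-then-insert order, turns the silent duplicate into an uncaught constraint error on the losing sensor, which is the "die complaining" symptom; the insert-first path is what lets both sensors proceed. On PostgreSQL the same pattern applies, with the unique-violation error caught instead of sqlite's IntegrityError.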