Multiple instances of sig_name in signature file

[Fraser Hugh <hugh_fraser () dofasco ca>]

I've installed multiple sensors writing to a common data analysis system
using Postgresql as the backend database. Two of the sensors cover the
inside and outside of a firewall. Regularly, the snort processes on the
sensors die, complaining of  multiple instances of a sig_name value in the
signature table, and sure enough they're there. I've traced it down to a
sequence of login in spo_database.c that checks for the existence of a
signature, then creates it if it doesn't exist. Since my sensors often see
the same events (ie. if a request is made from an internal browser with a
questionable URL, both the inside and outside probe see it within
milliseconds of each other). If this is the first occurence of the
signature, chances are both sensors will add it to the signature table. It
seems to me that signature perhaps should be a unique key in the table, and
the code modified to try an insert first and a retrieve if that fails.

> -----Original Message-----
> From: Semerjian, Ohanes [mailto:Semerjian.Ohanes () wcom com au]
> Sent: Wednesday, February 20, 2002 1:26 AM
> To: 'Federico'; Snort-users () lists sourceforge net
> Cc: lorenzo
> Subject: RE: [Snort-users] Real time alerting with multiple sensors
>
>
> let the snort machines log into one machine that run a 
> database either Mysql
> or PostgreSQL
> and run ACID on the same machine that u run the database one.
>
> Best Regards
>
> Ohanes Semerjian
>
> -----Original Message-----
> From: Federico [mailto:egopfe () hotmail com]
> Sent: Wednesday, 13 February 2002 20:08
> To: Snort-users () lists sourceforge net
> Cc: lorenzo
> Subject: [Snort-users] Real time alerting with multiple sensors
>
>
> I've this problem, and this doubt for resolving it...
> witch is the best chioice to have a real time feedback in my 
> scenario ?
> plz tell me wich is the best choice
>
> The Scenario
>
> + About 10 sensors in a routed  MAN.
> + need to log to PostgreSQL for an historical purpose.
> + need to have a realtime feedback.
>
> naturally i want to concentrate logs in one servers, and no 
> to keep them
> distribuited.
>
>
> Solutions for real time feedback:
>
> 1) snmp traps to central server, snmptrapd scripted to send 
> alerts by e-mail
> (anyone knows some program to attach to snmptrapd?)
> 2) syslogd-ng from all sensors to central server, incident.pl 
> running by
> crond every 5 second and alerting by e-mail.
>
> witch is the best solution ?
> anyone has other solutions and/or some programs that can help me ??
>
> thanks in advance.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users