Snort mailing list archives

Ignored x duplicate alerts (ACID, MySQL, Snort 1.9.x)


From: FWAdmin <FWAdmin () nbpower com>
Date: Wed, 5 Mar 2003 14:58:13 -0400

Hey guys. New to the list. I am hoping I can get some help.

I recently implemented a Snort system for deployment in our production
environment. I am testing out to see how it performs and so far I must say I
am impressed. Very impressed. I've used it at home but never on a corporate
network.

Anyway, I am getting these messages. I created the snort_archive database,
and I was successfully archive-moving alerts for a period of time, and then
this starts to happen:

    Added 0 alert(s) to the Alert cache
    Ignored 17 duplicate alert(s)
    No alerts were selected or the ARCHIVE-move was not successful

Every time I try to move or copy, I get the same message regardless of the
number of alerts.

Here is the output of the debug (regular, not extended) with some changes
done to hide info :) :
======================================================================================
Session Registered
importing SESSION var 'sig'
importing SESSION var 'sig_type'
importing SESSION var 'sig_class'
importing SESSION var 'sig_priority'
importing SESSION var 'ag'
importing SESSION var 'sensor'
importing SESSION var 'time'
importing SESSION var 'time_cnt'
importing SESSION var 'ip_addr'
importing SESSION var 'ip_addr_cnt'
importing SESSION var 'layer4'
importing SESSION var 'ip_field'
importing SESSION var 'ip_field_cnt'
importing SESSION var 'tcp_port'
importing SESSION var 'tcp_port_cnt'
importing SESSION var 'tcp_flags'
importing SESSION var 'tcp_field'
importing SESSION var 'tcp_field_cnt'
importing SESSION var 'udp_port'
importing SESSION var 'udp_port_cnt'
importing SESSION var 'udp_field'
importing SESSION var 'udp_field_cnt'
importing SESSION var 'icmp_field'
importing SESSION var 'icmp_field_cnt'
importing SESSION var 'data'
importing SESSION var 'data_cnt'
importing SESSION var 'data_encode'

         URL: '/acid/acid_stat_alerts.php' (referred by: 'http://my.sensor/acid/acid_stat_alerts.php')

         PARAMETERS: '
         CLIENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461)
         SERVER: Apache/2.0.44 (Unix) mod_ssl/2.0.44 OpenSSL/0.9.6b PHP/4.3.0
         SERVER HW: Linux ids.host 2.4.18-19.7.x #1 Thu Dec 12 07:49:19 EST 2002 i686
         DATABASE TYPE: mysql  DB ABSTRACTION VERSION: 
         PHP VERSION: 4.3.0  PHP API: apache2filter
         ACID VERSION: 0.9.6b23
         SESSION ID: exxxxxxxxxxxxxxxxxxxxxxxxxxxxxx( 5520 bytes )
         
Checking for DB abstraction lib in '../adodb/adodb.inc.php'
sensor #1: event.cid = 0, acid_event.cid = 0
sensor #2: event.cid = 232, acid_event.cid = 232
sensor #3: event.cid = 0, acid_event.cid = 0
Added 0 alert(s) to the Alert cache
==== ACTION ======
context = 2


==== ARCHIVE-move Alerts ========
num_alert = 15
action_sql = FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') 
action_op = Selected
action_arg = 
action_param = 
context = 2
limit_start = -1
limit_offset = -1
using_blobs = 1
Checking for DB abstraction lib in '../adodb/adodb.inc.php'

Gathering elements from 1 alert blobs
0 = [using SQL 15 for blob 44]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='44'
2 - 101
2 - 102
2 - 103
2 - 104
2 - 111
2 - 112
2 - 113
2 - 114
2 - 224
2 - 225
2 - 226
2 - 227
2 - 228
2 - 229
2 - 230
2 - 231
2 - 232
1 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
2 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
3 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
4 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
5 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
6 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
7 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
8 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
9 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
10 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
11 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
12 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
13 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
14 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
Ignored 17 duplicate alert(s) 
No alerts were selected or the ARCHIVE-move was not successful 
-------------------------------------
action_cnt = 0
dup_cnt = 17
num_alert = 15
==== ARCHIVE-move Alerts END ========

Valid Canned Query List 
Array
(
    [most_frequent] => Array
        (
            [0] => 5
            [1] => Most Frequent Alerts
            [2] => occur_d
        )

    [last_alerts] => Array
        (
            [0] => 15
            [1] => Last Alerts
            [2] => last_d
        )

)
Query State
caller = 'last_alerts'
num_result_rows = '15'
sort_order = 'last_d'
current_view = '0'
action_arg = ''
action = 'archive_alert2'
SELECT DISTINCT signature, count(signature) as sig_cnt, min(timestamp), max(timestamp) , max(timestamp) AS last_timestamp FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') GROUP BY signature ORDER BY last_timestamp DESC
Displaying 15 Last Alerts
=====================================================================================

Anyway, the only way I could fix it was to delete all the data in
snort_archive. This isn't acceptable as we need historical data for
reporting and trends, as well as analysis.

Can someone help me out? Thanks

                -Jason

Jason Thompson
Security Analyst
Networks and Communications
xwave
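
The debug output above lists 17 (sid, cid) pairs for sensor 2 (cid 101-104, 111-114 and 224-232) and then reports dup_cnt = 17 and action_cnt = 0, i.e. every selected event was treated as already present and nothing was moved. The following SQL is an added example, not part of the original post and not ACID's own code: it reproduces that comparison directly against the two databases so you can see which of the selected (sid, cid) pairs already sit in the archive and which would actually be moved. It assumes the live ACID database is named `snort` (the post names only `snort_archive`) and that the archive holds the same `acid_event` table that the archive-move populates.

```sql
-- Added example (not from the original post or from ACID).
-- Assumptions: live database is `snort` (only `snort_archive` is named in
-- the post); the archive carries the same `acid_event` table layout.
-- Reproduces the archive-move selection for signature 44 and marks each
-- (sid, cid) pair as already archived or still movable.

SELECT e.sid,
       e.cid,
       e.signature,
       e.timestamp,
       CASE WHEN a.cid IS NULL THEN 'would move'
            ELSE 'duplicate: already in snort_archive'
       END AS status
FROM snort.acid_event AS e
LEFT JOIN snort_archive.acid_event AS a
       ON a.sid = e.sid
      AND a.cid = e.cid
WHERE e.sid > 0
  AND e.signature = 44
ORDER BY e.sid, e.cid;

-- Per-sensor summary of the same comparison. With the data in the debug
-- output above, sensor 2 should show selected = 17, already_archived = 17,
-- would_move = 0, matching dup_cnt = 17 and action_cnt = 0.
SELECT e.sid,
       COUNT(*)                AS selected,
       SUM(a.cid IS NOT NULL)  AS already_archived,
       SUM(a.cid IS NULL)      AS would_move
FROM snort.acid_event AS e
LEFT JOIN snort_archive.acid_event AS a
       ON a.sid = e.sid
      AND a.cid = e.cid
WHERE e.sid > 0
  AND e.signature = 44
GROUP BY e.sid;
```

If every row comes back as "already in snort_archive", the archive already holds those (sid, cid) pairs and the move has nothing left to do, which is exactly what the dup_cnt/action_cnt pair in the debug output says. The same join can be run against the archive's `event` table (the debug output shows `event.cid` alongside `acid_event.cid` per sensor) to check that the two copies agree before deciding what, if anything, to remove.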

