Snort mailing list archives
Ignored x duplicate alerts (ACID, MySQL, Snort 1.9.x)
From: FWAdmin <FWAdmin () nbpower com>
Date: Wed, 5 Mar 2003 14:58:13 -0400
Hey guys. New to the list. I am hoping I can get some help. I recently implemented a Snort system for deployment in our production environment. I am testing it out to see how it performs and so far I must say I am impressed. Very impressed. I've used it at home but never on a corporate network.

Anyway, I am getting these messages. I created the snort_archive database, and I was successfully archive-moving alerts for a period of time, and then this started to happen:

Added 0 alert(s) to the Alert cache
Ignored 17 duplicate alert(s)
No alerts were selected or the ARCHIVE-move was not successful

Every time I try to move or copy, same message regardless of the number of alerts. Here is the output of the debug (regular, not extended) with some changes done to hide info :) :

======================================================================================
Session Registered
importing SESSION var 'sig'
importing SESSION var 'sig_type'
importing SESSION var 'sig_class'
importing SESSION var 'sig_priority'
importing SESSION var 'ag'
importing SESSION var 'sensor'
importing SESSION var 'time'
importing SESSION var 'time_cnt'
importing SESSION var 'ip_addr'
importing SESSION var 'ip_addr_cnt'
importing SESSION var 'layer4'
importing SESSION var 'ip_field'
importing SESSION var 'ip_field_cnt'
importing SESSION var 'tcp_port'
importing SESSION var 'tcp_port_cnt'
importing SESSION var 'tcp_flags'
importing SESSION var 'tcp_field'
importing SESSION var 'tcp_field_cnt'
importing SESSION var 'udp_port'
importing SESSION var 'udp_port_cnt'
importing SESSION var 'udp_field'
importing SESSION var 'udp_field_cnt'
importing SESSION var 'icmp_field'
importing SESSION var 'icmp_field_cnt'
importing SESSION var 'data'
importing SESSION var 'data_cnt'
importing SESSION var 'data_encode'
URL: '/acid/acid_stat_alerts.php' (referred by: 'http://my.sensor/acid/acid_stat_alerts.php'
PARAMETERS: '
CLIENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461)
SERVER: Apache/2.0.44 (Unix) mod_ssl/2.0.44 OpenSSL/0.9.6b PHP/4.3.0
SERVER HW: Linux ids.host 2.4.18-19.7.x #1 Thu Dec 12 07:49:19 EST 2002 i686
DATABASE TYPE: mysql
DB ABSTRACTION VERSION:
PHP VERSION: 4.3.0
PHP API: apache2filter
ACID VERSION: 0.9.6b23
SESSION ID: exxxxxxxxxxxxxxxxxxxxxxxxxxxxxx( 5520 bytes )
Checking for DB abstraction lib in '../adodb/adodb.inc.php'
sensor #1: event.cid = 0, acid_event.cid = 0
sensor #2: event.cid = 232, acid_event.cid = 232
sensor #3: event.cid = 0, acid_event.cid = 0
Added 0 alert(s) to the Alert cache
==== ACTION ======
context = 2
==== ARCHIVE-move Alerts ========
num_alert = 15
action_sql = FROM acid_event WHERE acid_event.sid > 0 AND (signature='44')
action_op = Selected
action_arg =
action_param =
context = 2
limit_start = -1
limit_offset = -1
using_blobs = 1
Checking for DB abstraction lib in '../adodb/adodb.inc.php'
Gathering elements from 1 alert blobs
0 = [using SQL 15 for blob 44]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='44'
2 - 101
2 - 102
2 - 103
2 - 104
2 - 111
2 - 112
2 - 113
2 - 114
2 - 224
2 - 225
2 - 226
2 - 227
2 - 228
2 - 229
2 - 230
2 - 231
2 - 232
1 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
2 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
3 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
4 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
5 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
6 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
7 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
8 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
9 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
10 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
11 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
12 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
13 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
14 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
Ignored 17 duplicate alert(s)
No alerts were selected or the ARCHIVE-move was not successful
-------------------------------------
action_cnt = 0
dup_cnt = 17
num_alert = 15
==== ARCHIVE-move Alerts END ========
Valid Canned Query List
Array
(
    [most_frequent] => Array
        (
            [0] => 5
            [1] => Most Frequent Alerts
            [2] => occur_d
        )
    [last_alerts] => Array
        (
            [0] => 15
            [1] => Last Alerts
            [2] => last_d
        )
)
Query State
caller = 'last_alerts'
num_result_rows = '15'
sort_order = 'last_d'
current_view = '0'
action_arg = ''
action = 'archive_alert2'
SELECT DISTINCT signature, count(signature) as sig_cnt, min(timestamp), max(timestamp), max(timestamp) AS last_timestamp FROM acid_event WHERE acid_event.sid > 0 AND (signature='44') GROUP BY signature ORDER BY last_timestamp DESC
Displaying 15 Last Alerts
======================================================================================

Anyway, the only way I could fix it was to delete all the data in snort_archive. This isn't acceptable, as we need historical data for reporting and trends, as well as analysis. Can someone help me out?

Thanks
-Jason

Jason Thompson
Security Analyst
Networks and Communications
xwave
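A small diagnostic for the situation in the post, added here as an example; it is not ACID's code and not something the poster wrote. It assumes ACID's duplicate check matches a selected alert on its (sid, cid) pair against the archive's event table (the other per-alert tables are left out), and uses sqlite3 in place of the snort and snort_archive MySQL databases, with rows constructed to resemble the debug output above.

```python
import sqlite3

# Same (sid, cid) key as Snort's event table; other tables omitted for brevity.
SCHEMA = ("CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, "
          "timestamp TEXT, PRIMARY KEY (sid, cid))")

def build_sample_dbs():
    """Constructed sample: the source DB holds the 17 sid-2 alerts for
    signature 44 listed in the post; the archive already holds all 17,
    15 as identical copies (an earlier move copied but never deleted them)
    and 2 with different content (cid re-used after a sensor counter reset)."""
    src, arc = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    for db in (src, arc):
        db.execute(SCHEMA)
    cids = [101, 102, 103, 104, 111, 112, 113, 114] + list(range(224, 233))
    for cid in cids:
        src.execute("INSERT INTO event VALUES (2, ?, 44, ?)",
                    (cid, f"2003-03-05 10:{cid % 60:02d}:00"))
    for cid in cids[:15]:  # faithful copies already archived
        arc.execute("INSERT INTO event VALUES (2, ?, 44, ?)",
                    (cid, f"2003-03-05 10:{cid % 60:02d}:00"))
    for cid in cids[15:]:  # same key, different alert: a genuine collision
        arc.execute("INSERT INTO event VALUES (2, ?, 1000, '2003-02-01 08:00:00')", (cid,))
    return src, arc

def plan_archive_move(src, arc, signature):
    """Classify each selected source alert the way the assumed (sid, cid)
    duplicate check would, but distinguish 'already archived' from 'collision'."""
    plan = {"movable": [], "already_archived": [], "collision": []}
    rows = src.execute("SELECT sid, cid, signature, timestamp FROM event "
                       "WHERE sid > 0 AND signature = ?", (signature,))
    for sid, cid, sig, ts in rows:
        hit = arc.execute("SELECT signature, timestamp FROM event WHERE sid = ? AND cid = ?",
                          (sid, cid)).fetchone()
        if hit is None:
            plan["movable"].append((sid, cid))
        elif hit == (sig, ts):
            plan["already_archived"].append((sid, cid))   # safe to drop from source
        else:
            plan["collision"].append((sid, cid))          # keep both; needs a new cid
    return plan

def purge_already_archived(src, plan):
    """Finish the interrupted move: delete only source rows whose identical
    copy is already in the archive. Returns the number of rows removed."""
    src.executemany("DELETE FROM event WHERE sid = ? AND cid = ?", plan["already_archived"])
    src.commit()
    return len(plan["already_archived"])
```

Rows left in the collision bucket are the ones that would keep tripping the duplicate count; they have to be re-keyed or archived by hand rather than by wiping snort_archive.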