Snort mailing list archives

Ignored x duplicate alerts (ACID, MySQL, Snort 1.9.x)


From: FWAdmin <FWAdmin () nbpower com>
Date: Thu, 13 Mar 2003 10:37:16 -0400

It's me again. Can someone please help me with this? I know I can't be the
only one who had this problem :)
 
-----Original Message-----
From: FWAdmin [mailto:FWAdmin () nbpower com] 
Sent: March 5, 2003 14:58
To: Snort-Users
Subject: [Snort-users] Ignored x duplicate alerts (ACID, MySQL, Snort 1.9.x)



Hey guys. New to the list. I am hoping I can get some help. 

I recently implemented a Snort system for deployment in our production
environment. I am testing out to see how it performs and so far I must say I
am impressed. Very impressed. I've used it at home but never on a corporate
network.

Anyway, I am getting these messages. I created the snort_archive database,
and I was successfully archive-moving alerts for a period of time, and then
this starts to happen:

Added 0 alert(s) to the Alert cache 
Ignored 17 duplicate alert(s) 
No alerts were selected or the ARCHIVE-move was not successful 
Every time I try to move or copy, I get the same message regardless of the
number of alerts.

Here is the output of the debug (regular, not extended) with some changes
done to hide info :) : 
======================================================================================
Session Registered
importing SESSION var 'sig'
importing SESSION var 'sig_type'
importing SESSION var 'sig_class'
importing SESSION var 'sig_priority'
importing SESSION var 'ag'
importing SESSION var 'sensor'
importing SESSION var 'time'
importing SESSION var 'time_cnt'
importing SESSION var 'ip_addr'
importing SESSION var 'ip_addr_cnt'
importing SESSION var 'layer4'
importing SESSION var 'ip_field'
importing SESSION var 'ip_field_cnt'
importing SESSION var 'tcp_port'
importing SESSION var 'tcp_port_cnt'
importing SESSION var 'tcp_flags'
importing SESSION var 'tcp_field'
importing SESSION var 'tcp_field_cnt'
importing SESSION var 'udp_port'
importing SESSION var 'udp_port_cnt'
importing SESSION var 'udp_field'
importing SESSION var 'udp_field_cnt'
importing SESSION var 'icmp_field'
importing SESSION var 'icmp_field_cnt'
importing SESSION var 'data'
importing SESSION var 'data_cnt'
importing SESSION var 'data_encode'

         URL: '/acid/acid_stat_alerts.php' (referred by: 'http://my.sensor/acid/acid_stat_alerts.php')

         PARAMETERS: ' 
         CLIENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461)

         SERVER: Apache/2.0.44 (Unix) mod_ssl/2.0.44 OpenSSL/0.9.6b
PHP/4.3.0 
         SERVER HW: Linux ids.host 2.4.18-19.7.x #1 Thu Dec 12 07:49:19 EST
2002 i686 
         DATABASE TYPE: mysql  DB ABSTRACTION VERSION: 
         PHP VERSION: 4.3.0  PHP API: apache2filter 
         ACID VERSION: 0.9.6b23 
         SESSION ID: exxxxxxxxxxxxxxxxxxxxxxxxxxxxxx( 5520 bytes ) 
         
Checking for DB abstraction lib in '../adodb/adodb.inc.php'
sensor #1: event.cid = 0, acid_event.cid = 0
sensor #2: event.cid = 232, acid_event.cid = 232
sensor #3: event.cid = 0, acid_event.cid = 0
Added 0 alert(s) to the Alert cache 
==== ACTION ======
context = 2


==== ARCHIVE-move Alerts ========
num_alert = 15
action_sql = FROM acid_event WHERE acid_event.sid > 0 AND (signature='44')
action_op = Selected
action_arg =
action_param =
context = 2
limit_start = -1
limit_offset = -1
using_blobs = 1
Checking for DB abstraction lib in '../adodb/adodb.inc.php'

Gathering elements from 1 alert blobs
0 = [using SQL 15 for blob 44]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='44'
2 - 101
2 - 102
2 - 103
2 - 104
2 - 111
2 - 112
2 - 113
2 - 114
2 - 224
2 - 225
2 - 226
2 - 227
2 - 228
2 - 229
2 - 230
2 - 231
2 - 232
1 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
2 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
3 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
4 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
5 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
6 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
7 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
8 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
9 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
10 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
11 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
12 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
13 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
14 = [using SQL 15 for blob ]: SELECT acid_event.sid, acid_event.cid FROM
acid_event WHERE acid_event.sid > 0 AND (signature='44') AND signature='-1'
Ignored 17 duplicate alert(s) 
No alerts were selected or the ARCHIVE-move was not successful 
-------------------------------------
action_cnt = 0
dup_cnt = 17
num_alert = 15
==== ARCHIVE-move Alerts END ========

Valid Canned Query List 
Array 
( 
    [most_frequent] => Array 
        ( 
            [0] => 5 
            [1] => Most Frequent Alerts 
            [2] => occur_d 
        ) 

    [last_alerts] => Array 
        ( 
            [0] => 15 
            [1] => Last Alerts 
            [2] => last_d 
        ) 

) 
Query State
caller = 'last_alerts'
num_result_rows = '15'
sort_order = 'last_d'
current_view = '0'
action_arg = ''
action = 'archive_alert2'
SELECT DISTINCT signature, count(signature) as sig_cnt, min(timestamp),
max(timestamp) , max(timestamp) AS last_timestamp FROM acid_event WHERE
acid_event.sid > 0 AND (signature='44') GROUP BY signature ORDER BY
last_timestamp DESC

Displaying 15 Last Alerts

=====================================================================================





Anyway, the only way I could fix it was to delete all the data in
snort_archive. This isn't acceptable as we need historical data for
reporting and trends, as well as analysis.

Can someone help me out? Thanks 

                -Jason 

Jason Thompson 
Security Analyst 
Networks and Communications 
xwave 
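A diagnostic that shows which of the alerts the debug output above counts as "duplicate" already have a row in snort_archive. This is an added example, not code from the post or from ACID; it assumes the live and archive databases are named snort and snort_archive on the same MySQL server, and that ACID's archive code treats an alert as a duplicate when its (sid, cid) pair already exists in the archive's acid_event table.

```sql
-- Added example (not from the post or from ACID). Assumptions: live DB is
-- `snort`, archive DB is `snort_archive`, both on one MySQL server, and
-- ACID flags an alert as a duplicate when its (sid, cid) key is already
-- present in snort_archive.acid_event.
-- Lists every signature-44 alert that such a check would refuse to move.
SELECT e.sid,
       e.cid,
       e.signature AS live_signature,
       a.signature AS archived_signature,
       e.timestamp AS live_timestamp,
       a.timestamp AS archived_timestamp,
       -- TRUE: the identical alert is already archived.
       -- FALSE: a different alert reuses the same cid (key collision).
       (e.signature = a.signature AND e.timestamp = a.timestamp) AS same_alert
FROM snort.acid_event AS e
JOIN snort_archive.acid_event AS a
  ON a.sid = e.sid AND a.cid = e.cid
WHERE e.sid > 0
  AND e.signature = 44
ORDER BY e.sid, e.cid;

-- Colliding keys per sensor; compare the total against dup_cnt in the
-- ACID debug output (17 in the post) to confirm this explains the skips.
SELECT e.sid, COUNT(*) AS colliding_cids
FROM snort.acid_event AS e
JOIN snort_archive.acid_event AS a
  ON a.sid = e.sid AND a.cid = e.cid
GROUP BY e.sid;
```

If same_alert is true for every row, the live copies are already in the archive and only the live rows need removing; rows where it is false show a sensor reusing cid values that the archive already holds, which an archive move cannot reconcile on its own.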


------------------------- 
This e-mail communication (including any or all attachments) is intended
only for the use of the person or entity to which it is addressed and may
contain confidential and/or privileged material. If you are not the intended
recipient of this e-mail, any use, review, retransmission,  distribution,
dissemination, copying, printing, or other use of, or taking of any action
in reliance upon this e-mail, is strictly prohibited. If you have received
this e-mail in error, please contact the sender and delete the original and
any copy of this e-mail and any printout thereof, immediately. Your
co-operation is appreciated. 


