Snort mailing list archives
RE: Ignored x duplicate alerts (ACID, MySQL, Snort 1.9. x)
From: "Thompson, Jason" <Jason.Thompson () xwave com>
Date: Fri, 14 Mar 2003 11:11:33 -0400
Actually I found the problem :) When I move all the archives from the snort database to snort_archive, and no records are left in snort, it resets the CID to 0. So as records are then added from the sensor to the database, the records start at 1 and increment. Then when trying to move them to snort_archive later, there is obviously an existing CID with the same number in the archive, so it cannot be moved.

The solution is to NEVER delete or move ALL records from the snort database. Always leave at least one and that way the CID will increment properly.

-Jason

-----Original Message-----
From: Jon [mailto:warchild () spoofed org]
Sent: March 13, 2003 11:22
To: FWAdmin
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Ignored x duplicate alerts (ACID, MySQL, Snort 1.9. x)

On Thu, Mar 13, 2003 at 10:37:16AM -0400, FWAdmin wrote:
It's me again. Can someone please help me with this? I know I can't be the only one who had this problem :)

Added 0 alert(s) to the Alert cache
Ignored 17 duplicate alert(s)
No alerts were selected or the ARCHIVE-move was not successful

Every time I try to move or copy, same message regardless of the number of alerts.
Are you running more than one instance of Snort on a single interface? If so, be sure to set the sensor_name argument to the database output plugin as I've seen this very problem.

hth,
-jon
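The failure described in this thread, reproduced as an added example (not part of the original messages, and not Snort or ACID code). It assumes the sensor derives its next CID from the highest CID still present in the live table, and uses two simplified SQLite tables as hypothetical stand-ins for the `event` tables of the snort and snort_archive databases; it shows a pre-move collision check and the keep-one-row workaround.

```python
import sqlite3

def open_db():
    db = sqlite3.connect(":memory:")
    # Constructed stand-ins for snort.event and snort_archive.event (columns simplified).
    for name in ("live_event", "archive_event"):
        db.execute(f"CREATE TABLE {name} (sid INTEGER, cid INTEGER, PRIMARY KEY (sid, cid))")
    return db

def log_alerts(db, sid, count):
    """Assumed sensor behaviour: next CID = highest CID left in the live table + 1."""
    for _ in range(count):
        (top,) = db.execute(
            "SELECT COALESCE(MAX(cid), 0) FROM live_event WHERE sid = ?", (sid,)).fetchone()
        db.execute("INSERT INTO live_event VALUES (?, ?)", (sid, top + 1))

def colliding_keys(db):
    """Pre-move check: live (sid, cid) pairs that already exist in the archive."""
    return db.execute(
        "SELECT l.sid, l.cid FROM live_event l JOIN archive_event a "
        "ON a.sid = l.sid AND a.cid = l.cid ORDER BY l.sid, l.cid").fetchall()

def archive_move(db, keep_newest=False):
    """Move live rows to the archive; returns (added, ignored_duplicates)."""
    rows = db.execute("SELECT sid, cid FROM live_event ORDER BY sid, cid").fetchall()
    if keep_newest:
        newest = dict(rows)  # rows are sorted, so the highest cid per sid wins
        rows = [(sid, cid) for sid, cid in rows if newest[sid] != cid]
    added = ignored = 0
    for key in rows:
        try:
            db.execute("INSERT INTO archive_event VALUES (?, ?)", key)
        except sqlite3.IntegrityError:  # (sid, cid) already archived
            ignored += 1
            continue
        db.execute("DELETE FROM live_event WHERE sid = ? AND cid = ?", key)
        added += 1
    return added, ignored

def demo(keep_newest):
    """Two archive cycles of 17 alerts each from one sensor (sid 1)."""
    db = open_db()
    log_alerts(db, 1, 17)
    first = archive_move(db, keep_newest)
    log_alerts(db, 1, 17)
    clashes = len(colliding_keys(db))
    second = archive_move(db, keep_newest)
    return first, clashes, second

if __name__ == "__main__":
    print("move everything :", demo(keep_newest=False))
    print("keep newest row :", demo(keep_newest=True))
```

Running `colliding_keys` before each archive move gives an early signal that CIDs have restarted, before any alerts are silently left behind as duplicates.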