Snort mailing list archives
Duplicate alerts
From: "John Creegan" <jcreegan () questarweb com>
Date: Wed, 04 Feb 2004 09:51:03 -0600
I'm running snort 2.0.4 on a Sun SPARC running Solaris 8. I'm also running barnyard and ACID. I'm seeing duplicate entry warnings for key 1 from ACID. I've been through the archives, and though there does not appear to be a fix published, there is the statement that this is because there is more than one process trying to send the same alert to the ACID DB.

So: Snort is outputting to the unified alert file ONLY (I've been careful with the config file), and barnyard is reading from that unified alert file. When snort is running and barnyard is not, no new alerts appear in ACID, just like I'd expect, so I've eliminated the possibility that snort is feeding the DB directly. Start barnyard, start seeing duplicate warnings.

One thing I'm wondering about: when I start barnyard, it tells me it's loading dp_alert (which is fine), but it also says it's loading dp_log and dp_stream_stat as well. Then it says it's loading the Fast Alert output plugin, the AlertSyslog, Log Dump, LogPcap, AcidDb, and alertCSV plugins as well. And this all happens BEFORE barnyard parses the barnyard.conf file. Since only the snort_unified.alert file exists, there's nothing for the other data processors to read, and I (for the moment) don't care about any of the output plugins except AcidDB. It seems not to matter whether or not, after parsing the barnyard.conf file, barnyard shuts down unused data processors and output plugins if there is only one file as a source of alert data.

I'm wondering whether anyone else has seen the same thing. I don't recall seeing duplicate warnings in ACID until I started using barnyard.
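One way to make sense of the warnings described in the post, as an added example that is not from the post or from the Snort, barnyard or ACID projects: the script below parses constructed MySQL "Duplicate entry" lines and groups the colliding values per sensor id, so you can see whether one sensor id is being written by two processes. It assumes the ACID/Snort database schema, where "key 1" on the event table is the primary key (sid, cid) and the reported value has the form 'sid-cid'; the contiguous/replayed heuristics are this example's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample of MySQL error 1062 lines as the AcidDb output plugin
# might surface them. Assumption: "key 1" is the event table's PRIMARY KEY
# (sid, cid), so the quoted value is 'sid-cid'.
SAMPLE_LOG = """\
barnyard: database: Duplicate entry '1-1042' for key 1
barnyard: database: Duplicate entry '1-1043' for key 1
barnyard: database: Duplicate entry '1-1044' for key 1
barnyard: database: Duplicate entry '2-17' for key 1
barnyard: database: Duplicate entry '1-1042' for key 1
"""

DUP_RE = re.compile(r"Duplicate entry '(?P<sid>\d+)-(?P<cid>\d+)' for key (?P<key>\d+)")


def parse_duplicates(text):
    """Return {sid: [cid, ...]} for every key-1 duplicate warning in text."""
    by_sid = defaultdict(list)
    for line in text.splitlines():
        m = DUP_RE.search(line)
        if m and m.group("key") == "1":
            by_sid[int(m.group("sid"))].append(int(m.group("cid")))
    return dict(by_sid)


def summarize(by_sid):
    """Per sensor id: number of collisions, distinct cids, and two heuristics
    (this example's assumption): a contiguous run of cids suggests two writers
    sharing one sid and racing for the next cid; a repeated cid suggests the same
    unified file being replayed."""
    out = {}
    for sid, cids in by_sid.items():
        distinct = sorted(set(cids))
        contiguous = len(distinct) > 1 and distinct == list(range(distinct[0], distinct[-1] + 1))
        out[sid] = {
            "collisions": len(cids),
            "distinct_cids": len(distinct),
            "contiguous": contiguous,
            "replayed": len(cids) != len(distinct),
        }
    return out


if __name__ == "__main__":
    for sid, info in summarize(parse_duplicates(SAMPLE_LOG)).items():
        print(f"sid {sid}: {info}")
```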