Snort mailing list archives

Duplicate alerts


From: "John Creegan" <jcreegan () questarweb com>
Date: Wed, 04 Feb 2004 09:51:03 -0600

I'm running snort 2.0.4 on a Sun SPARC running Solaris 8.  I'm also
running barnyard and ACID.

I'm seeing duplicate entry warnings for key 1 from ACID.  I've been
through the archives, and though there does not appear to be a fix
published, there is the statement that this is because there is more
than one process trying to send the same alert to the ACID DB.  So:

Snort is outputting to the unified alert file ONLY (I've been careful
with the config file), and barnyard is reading from that unified alert
file.

When snort is running and barnyard is not, no new alerts appear in
ACID, just like I'd expect, so I've eliminated the possibility that
snort is feeding the DB directly.

Start barnyard, start seeing duplicate warnings.

One thing I'm wondering about:  when I start barnyard, it tells me it's
loading dp_alert (which is fine), but it also says it's loading dp_log
and dp_stream_stat as well.  Then it says it's loading The Fast Alert
output plugin, the AlertSyslog, Log Dump, LogPcap, AcidDb, and alertCSV
plugins as well.  And this all happens BEFORE barnyard parses the
barnyard.conf file.

Since only the snort_unified.alert file exists, there's nothing for the
other data processors to read, and I (for the moment) don't care about
any of the output plugins except AcidDB.

It seems not to matter whether or not, after parsing the barnyard.conf
file, barnyard shuts down unused data processors and output plugins if
there is only one file as a source of alert data.

I'm wondering whether anyone else has seen the same thing.  I don't
recall seeing duplicate warnings in ACID until I started using
barnyard.


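As an added illustration of the mechanism the archive search described above points to (more than one process sending the same alert to the ACID database), here is a small Python model of the pipeline; it is not code from the original post, nor from Snort, Barnyard or ACID. It assumes a simplified key scheme: the ACID event table's primary key is (sid, cid), and each writer derives its starting cid from the table at startup and then counts upward in memory. The unified-alert records and the sensor id are constructed sample data.

```python
"""Added example: a model of the pipeline Snort -> unified alert file ->
Barnyard -> ACID database. Not code from Snort, Barnyard or ACID.

Assumption (simplified model, not the real plugins): the ACID `event` table
has PRIMARY KEY (sid, cid), and each writer computes its first cid as
max(cid)+1 for its sensor at startup and counts upward in memory. Two
writers feeding the same sensor id therefore collide on the key, which is
exactly what a "Duplicate entry ... for key 1" warning reports.
"""
from typing import Dict, List, Optional, Tuple

# Constructed unified-alert records: (signature id, rule message)
UNIFIED_ALERT_FILE: List[Tuple[int, str]] = [
    (1000001, "ICMP PING"),
    (1000002, "SCAN nmap TCP"),
    (1000003, "WEB-MISC /etc/passwd"),
]

SENSOR_ID = 1  # constructed sid; in the model every writer uses the same one


class AcidEventTable:
    """In-memory stand-in for the ACID `event` table with PRIMARY KEY (sid, cid)."""

    def __init__(self) -> None:
        self.rows: Dict[Tuple[int, int], str] = {}
        self.duplicate_warnings: List[str] = []

    def next_cid(self, sid: int) -> int:
        """What a writer would compute at startup: max(cid)+1 for this sensor."""
        cids = [cid for (s, cid) in self.rows if s == sid]
        return (max(cids) + 1) if cids else 1

    def insert(self, sid: int, cid: int, msg: str) -> bool:
        """Insert one event; a key collision is recorded as a duplicate warning."""
        key = (sid, cid)
        if key in self.rows:
            self.duplicate_warnings.append(
                f"Duplicate entry '{sid}-{cid}' for key 1 ({msg})")
            return False
        self.rows[key] = msg
        return True


def write_alerts(db: AcidEventTable, sid: int,
                 records: List[Tuple[int, str]],
                 start_cid: Optional[int] = None) -> int:
    """Model of one consumer pushing unified records into ACID.

    The writer fixes its cid counter once (from the table, or from the value
    it computed at startup) and counts upward; it never re-checks the table.
    Returns the number of rows actually inserted.
    """
    cid = db.next_cid(sid) if start_cid is None else start_cid
    inserted = 0
    for _sig, msg in records:
        if db.insert(sid, cid, msg):
            inserted += 1
        cid += 1
    return inserted


def single_writer_scenario() -> Tuple[int, int]:
    """Only Barnyard writes: every record lands once, no warnings."""
    db = AcidEventTable()
    inserted = write_alerts(db, SENSOR_ID, UNIFIED_ALERT_FILE)
    return inserted, len(db.duplicate_warnings)


def two_writer_scenario() -> Tuple[int, int]:
    """Snort's own database output and Barnyard both feed the same sensor.

    Both compute their starting cid while the table is still empty, so both
    start at 1 and the second writer collides on every key.
    Returns (rows in table, duplicate warnings).
    """
    db = AcidEventTable()
    snort_start = db.next_cid(SENSOR_ID)      # 1, computed when Snort starts
    barnyard_start = db.next_cid(SENSOR_ID)   # also 1: nothing inserted yet
    write_alerts(db, SENSOR_ID, UNIFIED_ALERT_FILE, start_cid=snort_start)
    write_alerts(db, SENSOR_ID, UNIFIED_ALERT_FILE, start_cid=barnyard_start)
    return len(db.rows), len(db.duplicate_warnings)


if __name__ == "__main__":
    print("one writer  (inserted, warnings):", single_writer_scenario())
    print("two writers (rows, warnings):    ", two_writer_scenario())
```

The useful check this model suggests is the one the post already performs: count rows in the event table with Snort running and Barnyard stopped. If the count grows, a second writer (Snort's own database output, or a second Barnyard instance) is active on the same sensor id, and the duplicate-key warnings follow from that rather than from the unified file itself.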




