Snort mailing list archives
Duplicate key errors in ACID
From: "John Creegan" <jcreegan () questarweb com>
Date: Tue, 10 Feb 2004 10:16:53 -0600
I'm working on a problem I'm seeing in ACID, "Database ERROR:Database ERROR:Duplicate entry '1-1' for key 1". Here's what I've discovered:

A bit of background:
  Solaris 8 on a Sun SPARC
  Snort 2.0.4
  Barnyard 0.1.0 (Build 17)
  MySQL 4.0.14
  ACID 0.9.6b23

1. I only see duplicates if snort outputs with the unified alert facility (from my snort.conf file):
     output alert_unified: filename snort_unified.alert, limit 128
2. I do not see duplicates if snort outputs with the log facility:
     output log_unified: filename snort_unified.log, limit 128
3. In both cases, it's barnyard loading the DB.
4. It's only one or the other. I'm not using both at the same time.

Note that the error message I mentioned above is a result from the very first alert going into a clean DB; all tables other than application tables are emptied.

I've been in the ACID PHP pages and made all the SELECTs in the acid_cache page "DISTINCT", but no joy. This was a stretch anyway.

I've read lots and lots of documentation on the differences between the alert and log facilities. My understanding is that both enter events into MySQL based on the rules applied; however, the log facility will also log to the DB the offending packet payload. When using the log facility, I lose portscan alerts. The number of events I get drops dramatically. I don't think I believe my current understanding.

Can anyone explain why, when invoking the same rulesets, I get differing results in the DB? Use alert, get more event data (including portscans), also get duplicates. Use log, no duplicates, fewer events reported. Choices, choices...