Snort mailing list archives

Duplicate key errors in ACID


From: "John Creegan" <jcreegan () questarweb com>
Date: Tue, 10 Feb 2004 10:16:53 -0600

I'm working on a problem I'm seeing in ACID, "Database ERROR:Database
ERROR:Duplicate entry '1-1' for key 1".  Here's what I've discovered:

A bit of background:
     Solaris 8 on a Sun SPARC
     Snort 2.0.4
     Barnyard 0.1.0 (Build 17)     
     MySQL 4.0.14     
     ACID 0.9.6b23

     1. I only see duplicates if snort outputs with the unified alert
        facility (from my snort.conf file):

        output alert_unified: filename snort_unified.alert, limit 128

     2. I do not see duplicates if snort outputs with the log facility:

        output log_unified: filename snort_unified.log, limit 128

     3. In both cases, it's barnyard loading the DB.

     4. It's only one or the other.  I'm not using both at the same time.

Note that the error message I mentioned above is a result from the very
first alert going into a clean DB, all tables other than application
tables are emptied.

I've been in the ACID PHP pages and made all the SELECT's in the
acid_cache page "DISTINCT", but no joy.  This was a stretch anyway.

I've read lots and lots of documentation on the differences between the
alert and log facilities.  My understanding is that both enter events
into MySQL based on the rules applied, however the log facility will
also log to the DB the offending packet payload.

When using the log facility, I lose portscan alerts.  The number of
events I get drops dramatically.  I don't think I believe my current
understanding.

Can anyone explain why, when invoking the same rulesets, I get
differing results in the DB?

Use alert, get more event data (including portscans), also get
duplicates.
Use log, no duplicates, fewer events reported.

Choices, choices...
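A diagnostic for the state described in the message above, added here as an example and not part of the original post. It assumes the stock Snort 2.x MySQL schema (a `sensor` table carrying `last_cid` and an `event` table keyed on `(sid, cid)`), and, because MySQL 4.0 has no subqueries, it uses joins only.

```sql
-- Added diagnostic (not from the original message). Assumes the stock
-- Snort 2.x MySQL schema: sensor(sid, hostname, interface, filter, ...,
-- last_cid) and event(sid, cid, ...) with PRIMARY KEY (sid, cid).

-- 1. Which sensor rows exist, and what counter does each carry?
--    Two rows for the same host/interface/filter mean two writers
--    (e.g. one per output facility, or snort and barnyard) share a sid space.
SELECT sid, hostname, interface, filter, last_cid
  FROM sensor
 ORDER BY hostname, interface, filter;

-- 2. Does each sensor's stored counter agree with the events present?
--    A writer that derives its next cid from last_cid will reuse an
--    existing (sid, cid) when last_cid lags MAX(cid), which surfaces as
--    "Duplicate entry '<sid>-<cid>' for key 1" on the event primary key.
SELECT s.sid, s.last_cid, COUNT(e.cid) AS events, MAX(e.cid) AS max_cid
  FROM sensor s
  LEFT JOIN event e ON e.sid = s.sid
 GROUP BY s.sid, s.last_cid
HAVING s.last_cid < IFNULL(MAX(e.cid), 0);

-- 3. The "clean DB" case: event and its child tables were emptied but
--    sensor.last_cid was not reset, so the very first insert can collide.
--    (LEFT JOIN ... IS NULL instead of NOT IN: MySQL 4.0 lacks subqueries.)
SELECT s.sid, s.last_cid
  FROM sensor s
  LEFT JOIN event e ON e.sid = s.sid
 WHERE e.sid IS NULL
   AND s.last_cid > 0;
```

Run all three against the ACID database before restarting barnyard; a non-empty result from query 2 or 3 points at stale counter state rather than at ACID's SELECTs.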

