Snort mailing list archives
database error duplicate entry 1-whatever for key 1
From: Deb Rice <ecugradproj () yahoo com>
Date: Sun, 18 Jul 2004 15:33:23 -0700 (PDT)
Hello,

I have been "playing" with snort in a laboratory environment. I am running nessus scans against my network and watching snort's reaction. Here is what I have found about the above error:

All errors occurred with the following acid_event:

  sid=1 (I am assuming sid=sensor id, so it may not be the same for every system)
  cid=xxxxx (xxxxx matching the number after the dash in the "duplicate entry" portion of the error message and the entry before and/or after it)
  signature=55
  sig_name=ssp_bo: Back Orafice Traffic detected (key: 31337)
  sig_class_id=0
  sig_priority=null
  timestamp= varies, time of the alert
  ip_src= source of attack?? (this is constant in my case because I am testing and I know this to be the IP of the attack machine)
  ip_dest= target machine for the attack...again, this is constant in my case due to the testing environment and is the known victim machine in the testing
  ip_prot=17
  layer4sport= 32911, 33010, 33114, 33210, 33313, 33422, 33515, 33612 (not sure...I would guess this to be the source layer 4 port??)
  layer4_dport=31337 (I would guess this to be the layer 4 destination port??)

My guess is that this error indicates, well, a Back Orifice attack (or the potential of same) and that this type of attack creates the error in the acid database logging?? I am a newbie so these are only guesses, but I do know that this attack signature very consistently generates the error...

Best Regards,
Deb