Snort mailing list archives

RE: Double logging


From: "Selder, Patrick [NCSBE - Non JJ]" <PSELDER () ncsbe jnj com>
Date: Wed, 25 Jul 2001 07:58:40 +0200


What preprocessors do you have turned on?  

I have frag2, stream4, stream4_reassemble, unicode, rpc_decode, bo,
telnet_decode, portscan, portscan_ignorehosts and arpspoof turned on.

Are all the double logged packets TCP?  Do you get double logged packets for
other protocols?
I get double logged packets for TCP and ICMP, no UDP (yet).

Patrick

I'm getting all alerts double logged in the mysql database. When I
examine the contents they're exactly the same.
Even the sequence number is the same.

I tested with a single packet that triggers a rule. The packet gets
logged twice.
In the firewall logs I noticed only one packet being blocked so I had
the idea that one packet slipped through. After searching I came to
the conclusion this wasn't the case. So it must be with snort -> mysql
I guess.

I'm running snort 1.8-1 beta 2 build 44 with logging for log and alert
to mysql on a red-hat 7.0 box. Reporting is via acid and demarc.

Any ideas where to look?

Patrick
