Snort mailing list archives
RE: Double logging
From: "Selder, Patrick [NCSBE - Non JJ]" <PSELDER () ncsbe jnj com>
Date: Wed, 25 Jul 2001 07:58:40 +0200
What preprocessors do you have turned on? I have frag2, stream4, stream4_reassemble, unicode, rpc_decode, bo, telnet_decode, portscan, portscan_ignorehosts and arpspoof turned on. Are all the double logged packets TCP? Do you get double logged packets for other protocols? I get double logged packets for TCP and ICMP no UDP (yet). Patrick
I'm getting all alerts double logged in the mysql database. When I examen the contents they're exactly the same. Even the sequence number is the same. I tested with a single packet that triggers a rule. The packet gets logged twice. In the firewall logs I noticed only one packet being blocked so I had the idea that one packet slipped through. After searching I came to the conclusion this wasn't the case. So it must be with snort -> mysql is guess. I'm running snort 1.8-1 beta 2 build 44 with logging for log and alert to mysql on a red-hat 7.0 box. Reporting is via acid and demarc. Any idea's where to look? Patrick
Current thread:
- Double logging Selder, Patrick [NCSBE - Non JJ] (Jul 24)
- Re: Double logging Martin Roesch (Jul 24)
- <Possible follow-ups>
- RE: Double logging Selder, Patrick [NCSBE - Non JJ] (Jul 24)
- Re: Double logging Martin Roesch (Jul 29)