Snort mailing list archives
1 alert but 2 events in database backend?
From: David Bianco <bianco () jlab org>
Date: Wed, 27 Mar 2002 08:07:53 -0500
Vincent Chen writes:
Dear all, I am running snort 1.8.4 on FreeBSD and using postgresql as backend. Recently, I found that every alert will generate 2 entries in the event table. Is this a bug, or should I check my configuration? Version 1.8.3 has the same problem on my system.
It probably means you have the SQL output set to send both logs and
alerts to the database. Many events trigger as both, but you
generally only want to send alerts to the database. This is a pretty
common misconfiguration. Look for lines in snort.conf like:
output database: alert, postgresql, user=snort dbname=snort
output database: log, postgresql, user=snort dbname=snort
You probably have both uncommented. Just comment out the one that
starts "output database: log" and you'll likely find the problem
has cleared up.
David
--
David J. Bianco, GSEC <bianco () jlab org>
Thomas Jefferson National Accelerator Facility
The views expressed herein are solely those of the author and
not those of SURA/Jefferson Lab or the US DOE.
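A small check for the misconfiguration described in the reply, added here as an example (it is not code from the thread or from the Snort project): it parses the active `output database:` lines of a snort.conf, flags any database that receives both alert and log output, and applies the suggested fix of commenting out the log line. The configuration fragment is constructed for the example.

```python
import re

# Constructed snort.conf fragment reproducing the misconfiguration from the
# thread: alert and log both write to the same PostgreSQL database, so each
# alert is inserted into the event table twice.
SAMPLE_CONF = """\
# output plugins
output database: alert, postgresql, user=snort dbname=snort
output database: log, postgresql, user=snort dbname=snort
output alert_syslog: LOG_AUTH LOG_ALERT
"""

# Matches an active "output database: <facility>, <dbtype>, <params>" line.
OUTPUT_DB_RE = re.compile(
    r"^\s*output\s+database:\s*(?P<facility>alert|log)\s*,\s*"
    r"(?P<dbtype>\w+)\s*,\s*(?P<params>.*)$"
)

def parse_output_database(conf_text):
    """Return (facility, dbtype, params) for every uncommented
    'output database:' directive in the configuration text."""
    directives = []
    for line in conf_text.splitlines():
        m = OUTPUT_DB_RE.match(line)  # commented lines start with '#' and never match
        if m:
            params = dict(p.split("=", 1) for p in m.group("params").split())
            directives.append((m.group("facility"), m.group("dbtype"), params))
    return directives

def find_duplicate_targets(conf_text):
    """Return the set of (dbtype, dbname) targets fed by both the alert and
    the log facility, which is exactly the double-insert condition."""
    by_target = {}
    for facility, dbtype, params in parse_output_database(conf_text):
        key = (dbtype, params.get("dbname"))
        by_target.setdefault(key, set()).add(facility)
    return {k for k, fac in by_target.items() if fac >= {"alert", "log"}}

def comment_out_log_output(conf_text):
    """Apply the fix from the reply: comment out every active
    'output database: log' line so only alerts reach the database."""
    fixed = []
    for line in conf_text.splitlines():
        m = OUTPUT_DB_RE.match(line)
        fixed.append("# " + line if m and m.group("facility") == "log" else line)
    return "\n".join(fixed) + "\n"

if __name__ == "__main__":
    print("databases receiving both alert and log:", find_duplicate_targets(SAMPLE_CONF))
    print(comment_out_log_output(SAMPLE_CONF))
```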
