RE: Starting and Stopping Snort feeding Mysql

["James M. Driskell" <jdriskell () ups edu>]

Ken,

I did have 3 entries in the sensor table, 1 for snort1, 1 for snort2 and
1 for unknown.  The unknown sid is the problem.

I run a cron job on each sensor that stops snort, dumps the alert and
scan.log files, recreates the files and restarts snort.  I think I'm
shooting myself in the foot because the 2 cron jobs run at the same
time.  I'll stagger the time and see if the problem goes away.

Thanks for the input.

Jim Driskell

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Kenneth G.
Arnold
Sent: Thursday, February 06, 2003 6:59 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Starting and Stopping Snort feeding Mysql

I am confused.  The sid in the event table corresponds to the sensor
number.  You say you have two sensors but the sid value indicates that
this is sensor #3.  Did you have another sensor running at some point
that
is not running now?

Please login to mysql, select the snort database and perform a "select *
from sensor;" command.  This will show which hosts correspond to which
sid
values.  What sid does the sensor producing these problems have?  Is
this
host listed twice in the sensor table with two different sids? Why do
you
have three sid values and only two sensors?

Ken

On Wed, 5 Feb 2003, James M. Driskell wrote:

> Hello,
>
>
>
> I'm running 2 snort sensors feeding a mysql database on another box.
I
> get the following errors periodically from either box:
>
>
>
> Feb  5 14:31:40 snort1 snort: database: mysql_error: Duplicate entry
> '3-4958' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp)
> VALUES ('3', '4958', '5', '2003-02-05 14:31:40-08')
>
> Feb  5 14:31:50 snort1 snort: database: mysql_error: Duplicate entry
> '3-4959' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp)
> VALUES ('3', '4959', '5', '2003-02-05 14:31:50-08')
>
>
>
> I can clear the problem by stopping and restarting the offending snort
> box, but I'd rather fix the problem.  I also note that I get an
unknown
> sensor when I restart snort.
>
>
>
> I've had to stop and start snort daily because the local alert and
> scan.logs tend to run me out of disk space on the snort boxes.  I
guess
> I need to invest in new hd's but until then, can anyone help me fix
this
> problem.
>
>
>
> Thanks,
>
>
>
> Jim Driskell
>
> University of Puget Sound


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users