Snort mailing list archives

RE: Ignored x duplicate alerts (ACID, MySQL, Snort 1.9. x)


From: "Thompson, Jason" <Jason.Thompson () xwave com>
Date: Fri, 14 Mar 2003 11:11:33 -0400

Actually I found the problem :)

When I move all the archives from the snort database to snort_archive, and
no records are left in snort, it resets the CID to 0. So as records are then
added from the sensor to the database, the records start at 1 and increment.
Then when trying to move them to snort_archive later, there is obviously an
existing CID with the same number in the archive, so it cannot be moved.

The solution is to NEVER delete or move ALL records from the snort database.
Always leave at least one and that way the CID will increment properly.

                -Jason


-----Original Message-----
From: Jon [mailto:warchild () spoofed org] 
Sent: March 13, 2003 11:22
To: FWAdmin
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Ignored x duplicate alerts (ACID, MySQL, Snort
1.9. x)


On Thu, Mar 13, 2003 at 10:37:16AM -0400, FWAdmin wrote:
> It's me again. Can someone please help me with this? I know I can't be
> the only one who had this problem :)
>
> Added 0 alert(s) to the Alert cache
> Ignored 17 duplicate alert(s)
> No alerts were selected or the ARCHIVE-move was not successful
> Every time I try to move or copy, same message regardless of the number of
> alerts.

Are you running more than one instance of Snort on a single interface?  If
so, be sure to set the sensor_name argument to the database output plugin as
I've seen this very problem.

hth,

-jon 

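The collision described in the reply at the top of this message, reproduced as an added example (not part of the original thread, and not Snort or ACID code). Assumptions: SQLite stands in for MySQL, the table names `live_event` and `archive_event` are hypothetical, all alerts are constructed, and the sensor is modelled as numbering events from the highest CID still present in the live table.

```python
import sqlite3

def make_db():
    """In-memory stand-ins for the snort and snort_archive event tables."""
    db = sqlite3.connect(":memory:")
    for table in ("live_event", "archive_event"):
        db.execute(f"CREATE TABLE {table} "
                   "(sid INT, cid INT, signature TEXT, PRIMARY KEY (sid, cid))")
    return db

def log_alerts(db, sid, count):
    """Sensor model (assumption): next CID = highest CID left in the live table + 1."""
    last = db.execute("SELECT COALESCE(MAX(cid), 0) FROM live_event WHERE sid = ?",
                      (sid,)).fetchone()[0]
    db.executemany("INSERT INTO live_event VALUES (?, ?, ?)",
                   [(sid, last + i, "constructed alert") for i in range(1, count + 1)])

def archive_move(db, keep_last=False):
    """Move live rows to the archive; returns (added, ignored_duplicates)."""
    rows = db.execute("SELECT sid, cid, signature FROM live_event "
                      "ORDER BY sid, cid").fetchall()
    newest = dict(db.execute("SELECT sid, MAX(cid) FROM live_event GROUP BY sid"))
    added = ignored = 0
    for sid, cid, sig in rows:
        if keep_last and cid == newest[sid]:
            continue  # leave the newest row so numbering keeps climbing
        try:
            db.execute("INSERT INTO archive_event VALUES (?, ?, ?)", (sid, cid, sig))
        except sqlite3.IntegrityError:
            ignored += 1  # this (sid, cid) is already in the archive
            continue
        db.execute("DELETE FROM live_event WHERE sid = ? AND cid = ?", (sid, cid))
        added += 1
    return added, ignored

def scenario(keep_last):
    """Two archive runs with 17 new alerts before each; returns both results."""
    db = make_db()
    log_alerts(db, 1, 17)
    first = archive_move(db, keep_last)
    log_alerts(db, 1, 17)
    second = archive_move(db, keep_last)
    return first, second

if __name__ == "__main__":
    print("move everything:", scenario(keep_last=False))
    print("keep newest row:", scenario(keep_last=True))
```

With everything moved, the second run adds 0 and ignores 17, matching the ACID message quoted above; keeping the newest row lets both runs complete without duplicates.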

