Snort mailing list archives

Duplicate entries


From: "John Creegan" <jcreegan () questarweb com>
Date: Fri, 30 Jan 2004 13:44:41 -0600

I'm still running snort 2.0.4, and I'm getting a lot of the same
messages too.

When I first built snort it wanted the sensor ID of 1, which I ran with
for about the 1st 100,000 alerts.  Through various changes to
environment, etc, I ended up with the sensor ID of 2, then 3, which I
ran up to about 350,000 alerts.

When I decided the system was production ready, I stopped snort, then
archived all the alerts (moved to a second system using the ACID archive
feature).  When the alert database was empty, I switched back to sensor
ID 1 and restarted snort.  Ever since then I've been getting random
duplicate warnings, on just a small portion of the alert IDs.

This confused me at first because there should have been no alerts
in the alert DB (though I did not check how thorough the ACID
archive-move function is), but I was willing to live with the percentage
of duplicate alert warnings I was getting.

Now, however, I am well beyond the alert numbers I used on either the
original sensor ID of 1, or 2, or even 3 ... and they're still showing
up.  I don't have a solution either, but early next week I'm gonna start
digging through every alert DB table to see what might be causing this.

It was during the archive-move event I would have expected to see this
condition, with the result of ACID refusing to move some alerts.  Nope. 
Nada.  Oddly enough, I never saw a one.

