Snort mailing list archives

database error duplicate entry 1-xxx for key 1


From: Deb Rice <ecugradproj () yahoo com>
Date: Sun, 18 Jul 2004 15:12:21 -0700 (PDT)

Hello,

I have been "playing" with Snort in a laboratory
environment. I am running Nessus scans against my
network and watching Snort's reaction. Here is what I
have found about the above error:
All errors occurred with the following acid_event:
sid=1 (I am assuming sid=sensor id so it may not be
the same for every system); cid=xxxxx (xxxxx matching
the number after the dash in the "duplicate entry"
portion of the error message and the entry before
and/or after it); signature=55; sig_name=ssp_bo: Back
Orafice Traffic detected (key: 31337); sig_class_id=0;
sig_priority=null; timestamp= varies, time of the
alert; ip_src= source of attack?? (this is constant in
my case because I am testing and I know this to be the
IP of the attack machine); ip_dest= target machine for
the attack...again, this is constant in my case due to
the testing environment and is the known victim machine in
the testing; ip_prot=17; layer4sport= 32911, 33010,
33114, 33210, 33313, 33422, 33515, 33612 (not sure...I
would guess this to be source layer 4 port??);
layer4_dport=31337 (I would guess this to be the layer
4 destination port ??).

My guess is that this error indicates, well, a Back
Orifice attack (or potential of same) and that this
type of attack creates the error in the acid database
logging??

I am a newbie so these are only guesses, but I do know
that this attack signature very consistently generates
the error...

Best Regards,

Deb


                