RE: duplicate entry in DB (not the ACID problem)

["Briggs, Bruce" <Bruce.Briggs () suny edu>]

A reflection of the packet should be the result of a misconfiguration
someplace, as it is unexpected.
Normally some sort of routing confusion.
And you would expect some minor timestamp difference - maybe as much as
a few milliseconds - but it would not likely be a discernable difference
using tools such as ACID or BASE to display the timestamp.

I had a bunch of duplicates one time when I stupidly had 2 instances of
Snort running on the same sensor.
But you have already ruled that out as a possible cause.

Bruce

-----Original Message-----
From: Hin [mailto:hchlai () netscape net] 
Sent: Tuesday, March 29, 2005 4:21 PM
To: Briggs, Bruce; snort-users () lists sourceforge net
Subject: RE: [Snort-users] duplicate entry in DB (not the ACID problem)

For curiosity... are there any benefits to forward the packets back out
onto the same ethernet segment? or is it a misconfiguration?
Also, I suppose a reflection of packets would result in a different
timestamp, wouldn't it?

Hin

"Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:

> Are they for the same sensor ID?
> If so, possibly something is reflecting these packets back out on your
> monitored Ethernet segment again.
> One way this could happen is from a router/routing switch which gets
> these packets forwarded in from some other device and then the router
> forwards those packets back out onto the same Ethernet segment.
>
> Bruce
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Hin
> Sent: Tuesday, March 29, 2005 1:17 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] duplicate entry in DB (not the ACID problem)
>
> This is really devastating. I have received multiple identicle entries
> of the same event in the DB. These identicle entries has the same pay
> load, same src/dest ip, exact same time etc. The only difference is the
> event ID. This is not the duplicate key entry error in ACID. I have
> about 90% of my alerts receiving multiple entries, and I can't find any
> common grounds among alerts receiving multiple entries vs unique entry.
> I have also make sure only 1 instance of Snort is running on my sensor.
> Any suggestion would be appreciated.
>
> Hin
>
> __________________________________________________________________
> Switch to Netscape Internet Service.
> As low as $9.95 a month -- Sign up today at
> http://isp.netscape.com/register
>
> Netscape. Just the Net You Need.
>
> New! Netscape Toolbar for Internet Explorer
> Search from anywhere on the Web and block those annoying pop-ups.
> Download now at http://channels.netscape.com/ns/search/install.jsp
>
>
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real
users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real
users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_ide95&alloc_id396&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

__________________________________________________________________
Switch to Netscape Internet Service.
As low as $9.95 a month -- Sign up today at
http://isp.netscape.com/register

Netscape. Just the Net You Need.

New! Netscape Toolbar for Internet Explorer
Search from anywhere on the Web and block those annoying pop-ups.
Download now at http://channels.netscape.com/ns/search/install.jsp


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_ide95&alloc_id396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users