Snort mailing list archives

Re: Snort duplicate signatures in table


From: Dirk Geschke <Dirk_Geschke () genua de>
Date: Thu, 20 Apr 2006 13:00:33 +0200

Hi Vladimir,

> > Then you should be able to verify that one of the signatures is only
> > related to one snort process. (Ok, after a restart this will mix and
> > all will use the first sig_id, but the second sig_id should only be
> > associated with one snort process...)
>
> I start only one sensor (on the external interface) and see that signatures
> are not duplicated.
> This is good.
> But how can I start snort with 2 sensors without duplicate signatures in
> the signature table?

Since both instances of snort see the alert at the same time, it is
very likely that both will try to insert the same signature,
because the query fails in both instances.

There are two possible solutions:

 1. You use a BPF filter to avoid that both instances see the same
    traffic (why do you want to be alerted on both interfaces for
    the same packet?)

 2. You insert all signatures in the database before you start snort.
    -> In this case all queries for signatures will succeed.

For the latter there is a Perl script called rules.pl. It is part
of FLoP (http://www.geschke-online.de/FLoP/), but it does not insert the
alert messages of pre-processors.

Best regards

Dirk
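The race Dirk describes, and the effect of his second solution, can be reproduced outside snort. The following is an added example and not code from snort, FLoP or this thread: it models the output plugin's "SELECT the signature, INSERT it if missing" logic with two threads sharing one SQLite file, forces both lookups to finish before either inserts, and then repeats the run with the table seeded beforehand from constructed rule lines (the job rules.pl does for real rule files). The table layout, the rule parser, the `lookup_or_insert` helper and the sample rules are all assumptions made for the illustration, not the real snort schema or ruleset.

```python
"""Reproduce the duplicate-signature race between two snort instances that
share one database, and show that seeding the signature table first avoids it.
Added illustration; the schema below is a simplified stand-in (assumption)."""
import os
import re
import sqlite3
import tempfile
import threading

# Simplified stand-in for snort's "signature" table (assumption, not the real DDL).
SCHEMA = """
CREATE TABLE signature (
    sig_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name TEXT    NOT NULL,
    sig_sid  INTEGER NOT NULL,
    sig_gid  INTEGER NOT NULL
);
"""

# Constructed sample rules, not from any real ruleset.
SAMPLE_RULES = """
# comment lines and blank lines are skipped
alert tcp any any -> any 80 (msg:"EXAMPLE web request on shared segment"; sid:1000001; rev:1;)
alert icmp any any -> any any (msg:"EXAMPLE icmp echo"; sid:1000002; gid:1; rev:1;)
"""

# Matches the msg:, sid: and gid: options inside a rule's option block.
RULE_OPT_RE = re.compile(r'msg:\s*"([^"]*)"|sid:\s*(\d+)|gid:\s*(\d+)')


def signatures_from_rules(rules_text):
    """Extract (msg, sid, gid) from rule lines, like rules.pl does; gid defaults to 1."""
    sigs = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "(" not in line:
            continue
        msg, sid, gid = None, None, 1
        for m in RULE_OPT_RE.finditer(line[line.index("(") + 1:]):
            if m.group(1) is not None:
                msg = m.group(1)
            elif m.group(2) is not None:
                sid = int(m.group(2))
            else:
                gid = int(m.group(3))
        if msg is not None and sid is not None:
            sigs.append((msg, sid, gid))
    return sigs


def new_database():
    """Create an empty signature table in a temporary file and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "snort.db")
    with sqlite3.connect(path) as conn:
        conn.executescript(SCHEMA)
    return path


def seed_signatures(db_path, sigs):
    """Solution 2 from the mail: insert every signature before any sensor starts."""
    with sqlite3.connect(db_path) as conn:
        conn.executemany(
            "INSERT INTO signature (sig_name, sig_sid, sig_gid) VALUES (?, ?, ?)", sigs)


def lookup_or_insert(db_path, sig, barrier):
    """Mimic the output plugin: SELECT the signature, INSERT if absent.
    The barrier models both sensors finishing their lookup before either inserts."""
    name, sid, gid = sig
    conn = sqlite3.connect(db_path, timeout=10)   # each sensor has its own connection
    try:
        rows = conn.execute(
            "SELECT sig_id FROM signature WHERE sig_name = ? AND sig_sid = ? AND sig_gid = ?",
            (name, sid, gid)).fetchall()
        barrier.wait(timeout=5)                   # both lookups are done at this point
        if rows:
            return rows[0][0]
        cur = conn.execute(
            "INSERT INTO signature (sig_name, sig_sid, sig_gid) VALUES (?, ?, ?)",
            (name, sid, gid))
        conn.commit()
        return cur.lastrowid
    finally:
        conn.close()


def two_sensors_same_packet(preseed):
    """Two 'sensors' alert on the same packet; return how many rows the signature
    table holds for that one signature afterwards (1 is correct, 2 is a duplicate)."""
    db_path = new_database()
    sigs = signatures_from_rules(SAMPLE_RULES)
    if preseed:
        seed_signatures(db_path, sigs)
    barrier = threading.Barrier(2)
    workers = [threading.Thread(target=lookup_or_insert, args=(db_path, sigs[0], barrier))
               for _ in range(2)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    name, sid, gid = sigs[0]
    with sqlite3.connect(db_path) as conn:
        (n,) = conn.execute(
            "SELECT COUNT(*) FROM signature WHERE sig_name = ? AND sig_sid = ? AND sig_gid = ?",
            (name, sid, gid)).fetchone()
    return n


if __name__ == "__main__":
    print("rows without pre-seeding:", two_sensors_same_packet(False))  # 2 (duplicate)
    print("rows with pre-seeding:   ", two_sensors_same_packet(True))   # 1
```

The seeded run never reaches the INSERT because every lookup succeeds, which is exactly why the second solution works; note that, as the mail points out, seeding from rule files still leaves out signatures that pre-processors generate on their own, so those can still race the first time they fire.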
