Snort mailing list archives

the dreaded "duplicate alerts" with BASE archiving


From: Jon Hart <jhart () spoofed org>
Date: Fri, 12 May 2006 13:43:59 -0400

I know this has been beaten to death in various arenas in the past, but
I have yet to see an official solution.

The problem is that, when using BASE (and ACID, too), if you archive
alerts you will eventually get errors that say "Ignored XX duplicate
alerts".  Sometimes, the archive will be successful.  Other times,
a portion of the archive will succeed and the rest will fail.
Other times, the entire archive will fail.

There have been many potential solutions in the past:

1) Don't archive
2) Use barnyard (doesn't actually solve the problem)
3) Use FLoP 
4) Write some script or SQL to massage the database(s) back into shape
5) Modifications to the database output plug-in 


So far, the only concrete solution, it seems, is to use FLoP.  I have
not tried this yet as I have yet to see someone respond in the archives
saying "yes, FLoP is the greatest thing since sliced bread and solves my
problems".

From my reading of things, this isn't actually a BASE problem.  Is that
actually the case?  

Does anyone have any solutions?

Thanks in advance, 

-jon
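As an added illustration of solution 4 (not from the original post or from the BASE/Snort projects): the "Ignored XX duplicate alerts" message appears when an event being archived has a (sid, cid) key that already exists in the archive database, because the Snort `event` table uses (sid, cid) as its primary key. The two queries below check for that condition before an archive run. They assume MySQL with the live database named `snort` and the archive named `snort_archive`, both on the same server with the standard Snort schema; those database names are assumptions.

```sql
-- Assumption: live DB `snort`, archive DB `snort_archive`, same MySQL server,
-- standard Snort schema where event has PRIMARY KEY (sid, cid).

-- 1) Events in the live database whose (sid, cid) is already present in the
--    archive. Any rows here are exactly what BASE will report as "duplicate".
SELECT e.sid,
       COUNT(*)   AS colliding_events,
       MIN(e.cid) AS first_colliding_cid,
       MAX(e.cid) AS last_colliding_cid
FROM snort.event AS e
JOIN snort_archive.event AS a
  ON a.sid = e.sid AND a.cid = e.cid
GROUP BY e.sid;

-- 2) Per-sensor sanity check: the sensor table's last_cid should never be
--    lower than the highest cid already stored in either database. If it is,
--    the sensor will hand out cids that collide with archived events after
--    its next restart, which is what produces partial or failed archives.
SELECT s.sid,
       s.hostname,
       s.last_cid,
       (SELECT MAX(cid) FROM snort.event         WHERE sid = s.sid) AS max_live_cid,
       (SELECT MAX(cid) FROM snort_archive.event WHERE sid = s.sid) AS max_archive_cid
FROM snort.sensor AS s
ORDER BY s.sid;
```

If query 1 returns rows, archiving that range will fail for those events; if query 2 shows a `last_cid` below either maximum, the collisions will keep recurring until the sensor's counter is brought above the highest cid in both databases. Run both against a read replica or during a quiet period, since the join in query 1 scans both event tables.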


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users