[Snort-devel] ACID archive problem: "Ignored XXX Duplicate Events" on archive

Cloppert, Michael Michael.Cloppert at ...1554...
Thu Aug 29 17:29:02 EDT 2002


Background:
I'm not sure if this is the correct forum for this sort of thing, but I've
tried the snort-users list and gotten virtually no feedback.  This is a VERY
big problem given the way our company has decided our IDS deployment is
going to work, so I am in dire need of some help before management decides
it's not worth the problems and ditches our Snort pilot project.

The problem:
When I select "Archive Events (move)" or "Archive Events (copy)", ACID
returns "Ignored XXX Duplicate Events", where XXX=<number of events selected
for archival>.  These events *do not* already exist in the archive database,
and I *do* have acid_conf.php configured properly to archive to
"snort_archive" as opposed to the default database "snort".  I've put ACID
in debug mode, and I don't see any discernible errors.  I ran
echo "show table status;" |mysql -u root -p snort
to see what my database tables looked like, but to be honest with you I
don't really know what I'm looking at.  The only thing I noticed that
*might* be a problem was that "Data_Free" for "acid_ag_alert" was 0.  Like I
said, I really don't know what most of that means, however.

I did some googling (of course) and found one or two other people with this
problem, but no resolutions.  If anyone can point me in the right direction,
I would be GREATLY appreciative. 

The vitals:
RHL 7.3
MySQL 3.23.49
ACID 0.9.6b21
Snort 1.8.7

Thanks in advance,
Mike Cloppert
