[Snort-devel] Bug in ACID? archive problem: "Ignored XXX Duplicate Events" on archive

Mark Vevers mark at ...1121...
Tue Sep 3 07:59:08 EDT 2002



On Friday 30 Aug 2002 20:03, Michael Cloppert wrote:
> The problem:
> ============
> When I select "Archive Events (move)" or "Archive Events (copy)", ACID
> returns "Ignored XXX Duplicate Events", where XXX=<number of events
> selected for archival> on a number of occasions.  These events *do not*
> already exist in the archive database, and I *do* have acid_conf.php
> configured properly to archive to "snort_archive" as opposed to the default
> database "snort". I've put ACID in debug mode, and I don't see any
> discernable errors.
If you delete all the events from the database for a particular sensor, the cid
gets reset back to 1 and hence you get these problems occurring.

From the source code: the cid is incremented from the last entry for that sensor
(line 243 from spo_database.c - 1.8.6):

  snprintf(select1, MAX_QUERY_LENGTH,
           "SELECT max(cid) FROM event WHERE sid = '%u'", data->shared->sid);
  data->shared->cid = Select(select1, data);
  ++(data->shared->cid);

If there are no events MySQL returns NULL, which gets interpreted as 0 and incremented to
1, hence you can get apparently duplicate events which aren't really. The (sid,cid) pair
should be unique - just make sure you don't move or delete all the events for a particular
sensor in your active db.

Mark

-- 
Mark Vevers.    mark at ...1121... / mark at ...1209...
Principal Internet Engineer, Internet for Learning,
Research Machines Plc (AS5503)

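The cid reset described above, as an added example that is not part of the original message or of the Snort/ACID code. It uses Python with an in-memory sqlite3 table standing in for the MySQL `event` table (sqlite's `max()` also yields NULL on an empty set, so the NULL -> 0 -> 1 path is the same); the table schema, the `archive_move` emulation of ACID's "Archive Events (move)" and the `start_cid_safe` mitigation are assumptions for illustration, not the projects' own code.

```python
import sqlite3

# Constructed in-memory stand-in for the Snort "event" table, used for both the
# active and the archive database (assumption: same schema, keyed on (sid, cid)).
SCHEMA = ("CREATE TABLE event (sid INTEGER NOT NULL, cid INTEGER NOT NULL, "
          "signature INTEGER, PRIMARY KEY (sid, cid))")


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def max_cid(db, sid):
    """SELECT max(cid) for one sensor; NULL (no rows) comes back as 0, which is
    how the spo_database.c logic quoted in the mail ends up treating it."""
    row = db.execute("SELECT max(cid) FROM event WHERE sid = ?", (sid,)).fetchone()
    return row[0] if row[0] is not None else 0


def start_cid_snort(active, sid):
    """The quoted spo_database.c behaviour: cid = max(cid) + 1 at sensor start."""
    return max_cid(active, sid) + 1


def start_cid_safe(active, archive, sid):
    """Hypothetical mitigation (not Snort's code): take the high-water mark over
    both the active and the archive table, so an emptied active table cannot
    restart the sensor at cid 1."""
    return max(max_cid(active, sid), max_cid(archive, sid)) + 1


def log_events(active, sid, start_cid, n, signature):
    """Emulate a running sensor: cid is read once at start, then incremented in memory."""
    cids = list(range(start_cid, start_cid + n))
    active.executemany("INSERT INTO event VALUES (?, ?, ?)",
                       [(sid, cid, signature) for cid in cids])
    return cids


def archive_move(active, archive, sid, cids):
    """Emulation of ACID's 'Archive Events (move)': copy each (sid, cid) row to the
    archive, skip (and leave in place) any pair already present there, delete the
    rest from the active table. Returns the number of ignored duplicates."""
    ignored = 0
    for cid in cids:
        row = active.execute("SELECT sid, cid, signature FROM event WHERE sid = ? AND cid = ?",
                             (sid, cid)).fetchone()
        if row is None:
            continue
        dup = archive.execute("SELECT 1 FROM event WHERE sid = ? AND cid = ?",
                              (sid, cid)).fetchone()
        if dup is not None:
            ignored += 1          # same key, different event: left in active untouched
            continue
        archive.execute("INSERT INTO event VALUES (?, ?, ?)", row)
        active.execute("DELETE FROM event WHERE sid = ? AND cid = ?", (sid, cid))
    return ignored


def scenario(use_safe_start=False):
    """Drain a sensor's events into the archive, restart the sensor, archive again.
    Returns (cids logged after the restart, duplicates ignored on the second run)."""
    active, archive, sid = new_db(), new_db(), 1
    first = log_events(active, sid, start_cid_snort(active, sid), 3, 1000)
    assert archive_move(active, archive, sid, first) == 0
    # Sensor restarts against an active table that is now empty for sid 1.
    if use_safe_start:
        start = start_cid_safe(active, archive, sid)
    else:
        start = start_cid_snort(active, sid)      # max(cid) is NULL -> 0 -> cid 1 again
    second = log_events(active, sid, start, 3, 2000)
    return second, archive_move(active, archive, sid, second)


if __name__ == "__main__":
    print("original start logic:", scenario())            # ([1, 2, 3], 3)
    print("high-water-mark logic:", scenario(True))       # ([4, 5, 6], 0)
```

With the quoted logic the restarted sensor re-issues cids 1..3 and every one of them is reported as an "Ignored Duplicate Event" on the next archive run, even though they are different alerts; checking the archive's high-water mark as well (or, as the mail says, never draining a sensor completely from the active database) keeps (sid, cid) unique across both tables.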




