[Snort-devel] Bug? Problem inserting a new signature

Piotr Woliński pwolinski at ...2470...
Thu Apr 8 01:50:01 EDT 2004


snort-2.1.0 (running 2 instances, listening on 2 interfaces)
acid-0.9.6b23
postgresql 7.4.2

I see something strange in the logs:

warning (SELECT sig_id   FROM signature  WHERE sig_name = 'ICMP PING 
NMAP'    AND sig_rev = 1    AND sig_sid = 469 ) returned more than one 
result
warning (SELECT sig_id   FROM signature  WHERE sig_name = 'ICMP PING 
NMAP'    AND sig_rev = 1    AND sig_sid = 469 ) returned more than one 
result
Problem inserting a new signature 'ICMP PING NMAP'
warning (SELECT ref_id   FROM reference  WHERE ref_system_id = 3    AND 
ref_tag = '162') returned more than one result
warning (SELECT ref_id   FROM reference  WHERE ref_system_id = 3    AND 
ref_tag = '162') returned more than one result
Unable to insert the alert reference into the DB
postgresql_error: ERROR:  duplicate key violates unique constraint 
"sig_reference_pkey"
postgresql_error: ERROR:  current transaction is aborted, commands 
ignored until end of transaction block

I did some investigation in psql:

snort=# select sig_name, count(*) as a from signature
snort-# group by sig_name having count(*)>1;
              sig_name              | a
-----------------------------------+---
  ICMP PING NMAP                    | 3
  SHELLCODE x86 NOOP                | 2
  WEB-MISC http directory traversal | 2

I suppose multiple sig_name is not allowed.
I try to fix it, but I can't see any foreign keys...
I don't want to break something.
Could you help me?

BTW, why doesn't the db have some unique constraints and foreign keys?
Is it a problem with poor performance?

How to avoid these problems in the future?
Greetings
-- 
_____________________________________________________
Piotr Woliński                       Dom Finansowy QS
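
The warnings in the log above come from lookups on (sig_name, sig_rev, sig_sid) and on (ref_system_id, ref_tag), so a duplicate check on those same columns shows exactly which rows collide. The queries below are an added example, not part of the original post or of Snort's own code; they only read data, and the `event.signature` column is an assumption taken from the standard Snort database schema.

```sql
-- Added example, not from the original post. Read-only; run in psql against
-- the snort database. Plain joins only, so it also works on PostgreSQL 7.4.

-- 1. Signature rows that collide on the exact triple the warning's SELECT
--    uses, with the number of alerts attached to each copy.
--    Assumption: event.signature stores the sig_id an alert points at.
--    Rows with a NULL sig_rev or sig_sid are not matched by "=" and are
--    therefore not listed here.
SELECT s.sig_id, s.sig_name, s.sig_rev, s.sig_sid,
       (SELECT count(*) FROM event e WHERE e.signature = s.sig_id) AS events
FROM signature s
JOIN (SELECT sig_name, sig_rev, sig_sid
      FROM signature
      GROUP BY sig_name, sig_rev, sig_sid
      HAVING count(*) > 1) d
  ON  s.sig_name = d.sig_name
  AND s.sig_rev  = d.sig_rev
  AND s.sig_sid  = d.sig_sid
ORDER BY s.sig_name, s.sig_rev, s.sig_sid, s.sig_id;

-- 2. Same check for the reference table, on the pair the second warning's
--    SELECT uses.
SELECT r.ref_id, r.ref_system_id, r.ref_tag
FROM reference r
JOIN (SELECT ref_system_id, ref_tag
      FROM reference
      GROUP BY ref_system_id, ref_tag
      HAVING count(*) > 1) d
  ON  r.ref_system_id = d.ref_system_id
  AND r.ref_tag       = d.ref_tag
ORDER BY r.ref_system_id, r.ref_tag, r.ref_id;
```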
