[Snort-users] Mysql errors [plus possible fix?]
Jason.Haar at ...294...
Sun Nov 5 20:39:25 EST 2000
Busy day for errors here today! ;-)
I'm just starting to see these in my snort logs:
Nov 6 13:37:58 crom snort: log_database: mysql_error: Duplicate entry '1-235' for key 1
Looking into it, I see that the following are showing up in the MySQL logs:
INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '235', 'IIS -
Possible Attempt at NT WINS.EXE 100% CPU Utilization', '2000-11-06
There is already a record for 1-235 - so that certainly makes sense - what
doesn't make sense is that I haven't seen that error until today.
Looks to me like I'm getting simultaneous hits of the same "exploit", and
snort manually incrementing cid isn't keeping up with reality...
As the event table is "PRIMARY KEY (sid,cid)", why is snort manually
updating cid? Wouldn't it be better to mark cid as auto_increment and let
MySQL worry about such things? You could allow MySQL to generate the cid,
then do a LAST_INSERT_ID() to callback the new cid for future calls to other
Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
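
Added example, not part of the original post and not Snort's code: a small reproduction of the collision the post hypothesizes (two writers each tracking cid themselves) next to the proposed alternative of letting the database assign cid and reading it back. Assumptions: an in-memory SQLite database stands in for MySQL, `cursor.lastrowid` stands in for `LAST_INSERT_ID()`, the database-assigned schema makes cid the sole key, and the `ManualWriter` class and function names are hypothetical.

```python
import sqlite3

# Signature text taken from the log line quoted in the post.
SIG = "IIS - Possible Attempt at NT WINS.EXE 100% CPU Utilization"

class ManualWriter:
    """Hypothetical writer that caches its own cid counter at start-up."""
    def __init__(self, db, sid):
        self.db, self.sid = db, sid
        row = db.execute("SELECT COALESCE(MAX(cid), 0) FROM event WHERE sid = ?",
                         (sid,)).fetchone()
        self.next_cid = row[0] + 1          # stale as soon as another writer inserts

    def log(self, signature):
        cid = self.next_cid
        self.db.execute("INSERT INTO event (sid, cid, signature) VALUES (?, ?, ?)",
                        (self.sid, cid, signature))
        self.next_cid += 1
        return cid

def manual_demo():
    """Two writers share sid 1; the second insert reuses cid 1 and is rejected."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE event (sid INTEGER NOT NULL, cid INTEGER NOT NULL,"
               " signature TEXT, PRIMARY KEY (sid, cid))")
    a, b = ManualWriter(db, 1), ManualWriter(db, 1)   # both compute next_cid = 1
    first = a.log(SIG)
    try:
        b.log(SIG)
    except sqlite3.IntegrityError as exc:             # analogue of "Duplicate entry"
        return first, str(exc)
    return first, None

def auto_demo():
    """The database assigns cid; each writer reads back the value it was given."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE event (cid INTEGER PRIMARY KEY AUTOINCREMENT,"
               " sid INTEGER NOT NULL, signature TEXT)")
    cids = []
    for _ in range(2):                                # two inserts for the same sid
        cur = db.execute("INSERT INTO event (sid, signature) VALUES (?, ?)", (1, SIG))
        cids.append(cur.lastrowid)                    # id to reuse in related inserts
    return cids

if __name__ == "__main__":
    print(manual_demo())
    print(auto_demo())
```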