[Snort-users] Mysql errors [plus possible fix?]

Jason Haar Jason.Haar at ...294...
Sun Nov 5 20:39:25 EST 2000


Busy day for errors here today! ;-)


I'm just starting to see these in my snort logs:

Nov  6 13:37:58 crom snort[15121]: log_database: mysql_error: Duplicate entry '1-235' for key 1

Looking into it, I see that the following are showing up in the MySQL logs:

 INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '235', 'IIS - Possible Attempt at NT WINS.EXE 100% CPU Utilization', '2000-11-06 14:17:50+12');


There is already a record for 1-235 - so that certainly makes sense - what
doesn't make sense is that I haven't seen that error until today.

Looks to me like I'm getting simultaneous hits of the same "exploit", and
snort manually incrementing cid isn't keeping up with reality...

As the event table is "PRIMARY KEY (sid,cid)", why is snort manually
updating cid? Wouldn't it be better to mark cid as auto_increment and let
MySQL worry about such things? You could allow MySQL to generate the cid,
then do a LAST_INSERT_ID() to callback the new cid for future calls to other
tables.


-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
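
Added example, not part of the original message and not Snort's code: a runnable sketch of the collision the message describes and of the proposed fix, where the database assigns cid and the writer reads it back. Assumptions: SQLite stands in for MySQL so it runs offline (`lastrowid` plays the role of `LAST_INSERT_ID()`, and cid is the sole key in the second schema), the two writers are simulated by interleaving on one connection, and the `detail` table and sample values are constructed.

```python
import sqlite3

# Constructed sample alert values; not taken from a real sensor.
SIG = "constructed sample signature"
TS = "2000-11-06 14:17:50"


def client_side_cid():
    """Each writer computes cid itself; both read the counter before inserting."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE event (sid INTEGER, cid INTEGER, signature TEXT,"
               " timestamp TEXT, PRIMARY KEY (sid, cid))")
    db.execute("INSERT INTO event VALUES (1, 234, ?, ?)", (SIG, TS))
    last = db.execute("SELECT MAX(cid) FROM event WHERE sid = 1").fetchone()[0]
    next_a = last + 1  # writer A's idea of the next cid
    next_b = last + 1  # writer B read the same value before A inserted
    results = []
    for cid in (next_a, next_b):
        try:
            db.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, SIG, TS))
            results.append(("ok", cid))
        except sqlite3.IntegrityError:
            # Same failure class as MySQL's "Duplicate entry '1-235' for key 1";
            # the second alert is lost unless the writer retries.
            results.append(("duplicate", cid))
    return results


def database_side_cid():
    """The database assigns cid; the writer reads it back for dependent rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE event (cid INTEGER PRIMARY KEY AUTOINCREMENT,"
               " sid INTEGER, signature TEXT, timestamp TEXT)")
    # Hypothetical child table standing in for the "other tables" keyed on cid.
    db.execute("CREATE TABLE detail (sid INTEGER, cid INTEGER, src TEXT)")
    cids = []
    for src in ("192.0.2.10", "192.0.2.11"):  # documentation-range addresses
        cur = db.execute("INSERT INTO event (sid, signature, timestamp)"
                         " VALUES (1, ?, ?)", (SIG, TS))
        cid = cur.lastrowid  # per-connection, like LAST_INSERT_ID()
        db.execute("INSERT INTO detail VALUES (1, ?, ?)", (cid, src))
        cids.append(cid)
    linked = db.execute("SELECT COUNT(*) FROM event e JOIN detail d"
                        " ON d.cid = e.cid AND d.sid = e.sid").fetchone()[0]
    return cids, linked


if __name__ == "__main__":
    print(client_side_cid())
    print(database_side_cid())
```
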


