[Snort-users] Mysql errors [plus possible fix?]

Jed Pickel jed at ...153...
Sun Nov 5 21:33:14 EST 2000


> Busy day for errors here today! ;-)
> 
> I'm just starting to see these in my snort logs:
> 
> Nov  6 13:37:58 crom snort[15121]: log_database: mysql_error: Duplicate
>  entry '1-235' for key 1 
> 
> Looking into it, I see that the following are showing up in the MySQL logs
> 
>  INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '235', 'IIS -
> Possible Attempt at NT WINS.EXE 100% CPU Utilization', '2000-11-06
> 14:17:50+12');
> 
> There is already a record for 1-235 - so that certainly makes sense - what
> doesn't make sense is that I haven't seen that error until today.

Interesting. Can you reproduce this error? Has anyone else ever seen
this one? The only cause I can think of is a fatal error (perhaps
forcibly quitting with a Ctrl-C or something) somewhere between
while(query) and FreeQueryNode(root).

    while(query)
    {
      Insert(query->val,data); 
      query = query->next;
    }

    FreeQueryNode(root); 

    data->cid++;

> As the event table is "PRIMARY KEY (sid,cid)", why is snort manually
> updating cid? Wouldn't it be better to mark cid as auto_increment and let
> MySQL worry about such things? You could allow MySQL to generate the cid,
> then do a LAST_INSERT_ID() to callback the new cid for future calls to other
> tables.

One of the early versions of this plugin worked like that. The problem
you run into is concurrency when you have multiple sensors logging to
the database. You can fix this with locking, but taking that route
turned out to be fairly expensive compared to the current model.

* Jed
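
The following is an added example, not part of the original message and not code from the Snort database plugin. It models the event table's PRIMARY KEY (sid,cid) with a counter kept by each sensor, shows that two sensors do not collide with each other, and shows how a counter that lags behind the rows already written produces the duplicate-key error. Assumptions: SQLite stands in for MySQL, and the Sensor class, its resync() step and the sample alerts are hypothetical.

```python
import sqlite3

# Constructed schema: the columns from the INSERT quoted in the thread, with the
# composite key the poster describes. SQLite stands in for MySQL here.
SCHEMA = """CREATE TABLE event (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    signature TEXT, timestamp TEXT,
    PRIMARY KEY (sid, cid))"""
INSERT = "INSERT INTO event (sid,cid,signature,timestamp) VALUES (?,?,?,?)"

class Sensor:
    """Hypothetical sensor that keeps its own cid counter (no shared sequence)."""
    def __init__(self, db, sid):
        self.db, self.sid = db, sid
        self.resync()

    def resync(self):
        # Assumption: the next cid is the highest cid stored for this sid, plus one.
        q = "SELECT COALESCE(MAX(cid), 0) FROM event WHERE sid = ?"
        self.cid = self.db.execute(q, (self.sid,)).fetchone()[0] + 1

    def log(self, signature, ts, advance=True):
        self.db.execute(INSERT, (self.sid, self.cid, signature, ts))
        self.db.commit()
        used = self.cid
        if advance:  # advance=False models a row written without the cid++ step
            self.cid += 1
        return used

def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    a, b = Sensor(db, 1), Sensor(db, 2)
    out = {}
    # Both sensors use cid 1 without conflict: the key is the pair (sid, cid),
    # so no lock or shared auto_increment is needed between sensors.
    out["a_first"] = a.log("constructed alert A1", "2000-11-06 14:00:00")
    out["b_first"] = b.log("constructed alert B1", "2000-11-06 14:00:01")
    a.log("constructed alert A2", "2000-11-06 14:00:02", advance=False)
    try:
        a.log("constructed alert A3", "2000-11-06 14:00:03")
        out["duplicate"] = False
    except sqlite3.IntegrityError:  # SQLite's equivalent of "Duplicate entry"
        out["duplicate"] = True
        db.rollback()
        a.resync()  # recover by re-reading the stored maximum for this sid
        out["after_resync"] = a.log("constructed alert A3", "2000-11-06 14:00:03")
    out["rows"] = db.execute("SELECT COUNT(*) FROM event").fetchone()[0]
    return out

if __name__ == "__main__":
    print(demo())
```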


