[Snort-users] Alerts showing twice.

Martin Roesch roesch at ...421...
Fri Apr 6 23:56:02 EDT 2001


I'm testing for this problem, stay tuned...

   -Marty

Mark Motley wrote:
> 
>  I had this same problem when I upgraded to the CVS version and recompiled,
> and I'm not sure why.  I'm using MySQL logging, and it was working fine
> before.
> 
> I solved it by remarking the "output database:log" statement and just using
> "output database:alert" (originally I had both listed, outputting to MySQL).
> 
> Hope this helps...
> 
> - MBM
> 
> -----Original Message-----
> From: Matthew Collins
> To: snort-users at lists.sourceforge.net
> Sent: 3/28/01 4:03 AM
> Subject: [Snort-users] Alerts showing twice.
> 
> ************************************************************************
> ****************
> This message and any attachments are confidential to the ordinary user
> of
> the e-mail address to which it was addressed and may also be privileged.
> If you are not the addressee you may not copy, forward, disclose or use
> any part of the message or its attachments and if you have received this
> message in error, please notify the sender immediately by return e-mail
> and
> delete it from your system.
> Internet communications cannot be guaranteed to be secure or error-free
> as information could be intercepted, corrupted, lost, arrive late or
> contain
> viruses. The sender therefore does not accept liability for any errors
> or
> omissions in the context of this message which arise as a result of
> Internet
> transmission.
> Northern Registrars Limited, Northern House, Woodsome Park, Fenay
> Bridge, Huddersfield. HD8 0LA.
> Tel: +44 (0) 1484 600900  Fax: +44 (0) 1484 600911
> For more information visit our web site:
> http://www.northernregistrars.co.uk
> ************************************************************************
> ****************
> 
> Apologies for ^^^ that, I can't turn it off.
> 
> For some reason, alerts are getting logged twice in my alert log. I
> don't know why. I'm running Snort 1.7 downloaded from the web site &
> compiled from source. On Linux 2.2.18.
> 
> I've checked my configuration files, and they look ok, I can't see
> duplicate rules. I'm using a modified version of the rule set on the web
> site.
> 
> Sample included. Any ideas please? My alert logs are big enough.
> 
> [**] ICMP Time-To-Live Exceeded in Transit [**]
> 03/28-11:00:04.937830 172.17.0.231 -> 62.254.170.29
> ICMP TTL:44 TOS:0x0 ID:2174 IpLen:20 DgmLen:56
> Type:11  Code:0  TTL EXCEEDED
> 
> [**] ICMP Time-To-Live Exceeded in Transit [**]
> 03/28-11:00:04.937830 172.17.0.231 -> 62.254.170.29
> ICMP TTL:44 TOS:0x0 ID:2174 IpLen:20 DgmLen:56
> Type:11  Code:0  TTL EXCEEDED
> 
> [**] ICMP Time-To-Live Exceeded in Transit [**]
> 03/28-11:00:08.215975 172.17.0.231 -> 62.254.170.29
> ICMP TTL:44 TOS:0x0 ID:2672 IpLen:20 DgmLen:56
> Type:11  Code:0  TTL EXCEEDED
> 
> [**] ICMP Time-To-Live Exceeded in Transit [**]
> 03/28-11:00:08.215975 172.17.0.231 -> 62.254.170.29
> ICMP TTL:44 TOS:0x0 ID:2672 IpLen:20 DgmLen:56
> Type:11  Code:0  TTL EXCEEDED
> 
> [**] ICMP Time-To-Live Exceeded in Transit [**]
> 03/28-11:00:09.302063 172.17.0.231 -> 62.254.170.29
> ICMP TTL:44 TOS:0x0 ID:2816 IpLen:20 DgmLen:56
> Type:11  Code:0  TTL EXCEEDED
> 
> [**] ICMP Time-To-Live Exceeded in Transit [**]
> 03/28-11:00:09.302063 172.17.0.231 -> 62.254.170.29
> ICMP TTL:44 TOS:0x0 ID:2816 IpLen:20 DgmLen:56
> Type:11  Code:0  TTL EXCEEDED
> 
> [**] ICMP Time-To-Live Exceeded in Transit [**]
> 03/28-11:00:11.397088 172.17.0.231 -> 62.254.170.29
> ICMP TTL:44 TOS:0x0 ID:3122 IpLen:20 DgmLen:56
> Type:11  Code:0  TTL EXCEEDED
> 
> [**] ICMP Time-To-Live Exceeded in Transit [**]
> 03/28-11:00:11.397088 172.17.0.231 -> 62.254.170.29
> ICMP TTL:44 TOS:0x0 ID:3122 IpLen:20 DgmLen:56
> Type:11  Code:0  TTL EXCEEDED
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
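
An added example, not part of the original thread and not Snort's own code: a small checker that counts alerts appearing more than once in a full-format alert file like the sample quoted above, and lists output plugins that are active more than once in a config, which is the situation Mark Motley describes. The sample alert text and the config fragment are constructed, and the database parameters in the fragment are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the alert format quoted in the thread.
SAMPLE_ALERTS = """\
[**] ICMP Time-To-Live Exceeded in Transit [**]
03/28-11:00:04.937830 172.17.0.231 -> 62.254.170.29
ICMP TTL:44 TOS:0x0 ID:2174 IpLen:20 DgmLen:56
Type:11  Code:0  TTL EXCEEDED

[**] ICMP Time-To-Live Exceeded in Transit [**]
03/28-11:00:04.937830 172.17.0.231 -> 62.254.170.29
ICMP TTL:44 TOS:0x0 ID:2174 IpLen:20 DgmLen:56
Type:11  Code:0  TTL EXCEEDED

[**] ICMP Time-To-Live Exceeded in Transit [**]
03/28-11:00:08.215975 172.17.0.231 -> 62.254.170.29
ICMP TTL:44 TOS:0x0 ID:2672 IpLen:20 DgmLen:56
Type:11  Code:0  TTL EXCEEDED
"""

# Constructed config fragment; the database parameters are placeholders.
SAMPLE_CONF = """\
# output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snort dbname=snort host=localhost
output database: alert, mysql, user=snort dbname=snort host=localhost
"""

def alert_blocks(text):
    """Split a full-format alert file into one tuple of lines per alert."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [tuple(l.rstrip() for l in b.splitlines()) for b in blocks if b.strip()]

def repeated_alerts(text):
    """Return {alert block: count} for alerts that appear more than once."""
    counts = Counter(alert_blocks(text))
    return {block: n for block, n in counts.items() if n > 1}

def active_outputs(conf):
    """Return (plugin, first argument) for each uncommented output line."""
    pat = re.compile(r"^[ \t]*output[ \t]+(\w+)[ \t]*:[ \t]*([^,\s]*)", re.M)
    return pat.findall(conf)

def plugins_configured_twice(conf):
    """Return the output plugins that have more than one active line."""
    counts = Counter(plugin for plugin, _ in active_outputs(conf))
    return sorted(p for p, n in counts.items() if n > 1)
```

An alert block is treated as a duplicate only when every line matches, so two distinct packets with different timestamps or IP IDs are not merged.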



