[Snort-users] ACID Archive problems

Slighter, Tim tslighter at ...5174...
Thu Jul 25 13:44:04 EDT 2002

What is being used:
Redhat 7.2 system with most everything on it.  Involved components:
PHP 4.06
MySQL 2.20
Apache 1.3.20
OpenSSL 0.9.6b
Acid 0.9.6b13
Schema 105
Have successfully setup both the ACID and ARCHIVE database via mySQL and
have ran the create_mysql script and then gave the appropriate users the
necessary permissions (CREATE, INSERT, SELECT, DELETE, UPDATE) using grant
to the archive database.  Also have configured the acid_conf.php file to
input the correct entries for the user, password and db for ACID and
ARCHIVE.  I manually tested this out by creating an event ID and then
manually deleting it and this worked correctly..so permissions DO work and
therefore this possibility can be ruled out.  However, when running the web
front-end for ACID in the "ADMIN" mode, when I attempt to "move" events to
the archive, it will move just 3 of the same alerts or any number of
different alerts and then will no longer move any more events and will
generate an error about "duplicate events ignored" and "0 events moved -
ARCHIVE-MOVE failed or was not successful".
As I mentioned above, after verifying the correct user and password and
database are specified in the acid_conf.php file in the ACID directory as
well as the ARCHIVE directory and manually testing out the DELETE, INSERT
and UPDATE permission for the specified USER on the specified DATABASE, and
have determined that all of these DO function.  
So to be very specific about this problem:
Can select "3" of the same events such as SCAN SOCKS Proxy attempt and can
successfully "Archive Alerts - MOVE" and this can be verified by connecting
to the archive database and the moved alerts are there.  HOWEVER, if I
attempt to move even 1 more of the same type of alert, the move fails and
this error appears:
Added 0 alert to the Alert cache 
Ignored 1 duplicate alert(s) 
No alerts were selected or the ARCHIVE-move was not successful
PLEASE note that performing the Archive Alerts - Move with a "different
alert" such as "SCAN Aquid Proxy attempt" does work correctly up until there
are exactly "3" of these alerts in the archive database and then the archive
for these alerts no longer works.
Why does the move or copy archive bomb out when detecting duplicate events ?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020725/a4fe573c/attachment.html>

More information about the Snort-users mailing list