[Snort-users] 1 alert but 2 events in database backend?

David Bianco bianco at ...5229...
Wed Mar 27 05:09:03 EST 2002


Vincent Chen writes:
 > 
 > Dear all,
 > 
 > I am running snort 1.8.4 on FreeBSD and using
 > postgresql as backend. Recently, I found that every
 > alert will generate 2 entries in event table. Is this
 > a bug or I should check my configuration? Version
 > 1.8.3 has the same problem on my system.
 > 
 > 

It probably means you have the SQL output set to send both logs and
alerts to the database.  Many events trigger as both, but you
generally only want to send alerts to the database.  This is a pretty
common misconfiguration.  Look for lines in snort.conf like:

output database: alert, postgresql, user=snort dbname=snort
output database: log, postgresql, user=snort dbname=snort

You probably have both uncommented.  Just comment out the one that
starts "output database: log" and you'll likely find the problem
has cleared up.

    David

-- 
David J. Bianco, GSEC		<bianco at ...5229...>
Thomas Jefferson National Accelerator Facility

     The views expressed herein are solely those of the author and
     not those of SURA/Jefferson Lab or the US DOE.
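As an added illustration (not part of the original thread, and not Snort's own code), the following Python script checks a snort.conf for the misconfiguration David describes: both the `alert` and `log` facilities of the database output plugin pointed at the same database, which yields two event rows for each packet that triggers both. The sample configuration text is constructed for this example; the grouping of targets by driver, `dbname` and `host` (defaulting to localhost when `host` is absent) is an assumption made here, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample snort.conf excerpt (not from the original post) showing
# the misconfiguration: both facilities write to the same PostgreSQL database.
SAMPLE_SNORT_CONF = """\
# output plugins
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, postgresql, user=snort dbname=snort
output database: log, postgresql, user=snort dbname=snort
#output database: log, mysql, user=snort dbname=snort host=localhost
"""

# Matches an active (uncommented) 'output database:' line of the 1.8.x form:
#   output database: <alert|log>, <driver>, key=value key=value ...
OUTPUT_DB_RE = re.compile(
    r"^\s*output\s+database\s*:\s*(?P<facility>alert|log)\s*,\s*"
    r"(?P<driver>\w+)\s*,\s*(?P<params>.*)$"
)


def _target(driver, params):
    # Identify a database by driver, dbname and host; host defaults to
    # localhost when the line omits it (assumption for this example).
    return (driver, params.get("dbname"), params.get("host", "localhost"))


def parse_output_database(conf_text):
    """Return (facility, driver, params) for every active output database line.
    Lines commented out with '#' are ignored, as Snort ignores them."""
    entries = []
    for line in conf_text.splitlines():
        m = OUTPUT_DB_RE.match(line)
        if not m:
            continue
        params = {}
        for token in m.group("params").split():
            key, _, value = token.partition("=")
            params[key] = value
        entries.append((m.group("facility"), m.group("driver"), params))
    return entries


def find_duplicate_targets(entries):
    """Return the database targets that receive both 'alert' and 'log' output.
    Each such target gets two event rows for a packet that triggers both."""
    by_target = defaultdict(set)
    for facility, driver, params in entries:
        by_target[_target(driver, params)].add(facility)
    return sorted(t for t, fac in by_target.items() if fac == {"alert", "log"})


def comment_out_log_outputs(conf_text):
    """Apply the fix from the thread: comment out the 'output database: log'
    line for every target that also receives alerts, leaving other lines as-is."""
    dup_targets = set(find_duplicate_targets(parse_output_database(conf_text)))
    fixed = []
    for line in conf_text.splitlines():
        m = OUTPUT_DB_RE.match(line)
        if m and m.group("facility") == "log":
            params = dict(tok.partition("=")[::2] for tok in m.group("params").split())
            if _target(m.group("driver"), params) in dup_targets:
                line = "#" + line.lstrip()
        fixed.append(line)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for target in find_duplicate_targets(parse_output_database(SAMPLE_SNORT_CONF)):
        print("both alert and log output go to", target)
    print(comment_out_log_outputs(SAMPLE_SNORT_CONF))
```

Running the script on the constructed sample reports the shared postgresql/snort target and prints the configuration with the `log` line commented out; running `find_duplicate_targets` again on the corrected text returns nothing.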
