[Snort-users] Total Alert Count in snort_archive out of whack?

Joe Christy joe at ...7170...
Mon Oct 14 12:51:03 EDT 2002


Since upgrading to snort-1.9 from 1.8.7 10 days ago I've noticed the 
following strange behavior, even after upgrading to ACID 0.9.6b22  from 
v0.9.6b21 today. Sometimes when I archive alerts from the main snort db 
to the snort_archive db, the Total Number of Alerts in the acid web 
interface to snort_archive doesn't get incremented and there seems to be 
no way for search, etc. to retrieve those alerts which were added. 
Restarting my browser a/o web server has no effect (so much for the 
magical-thought solution). Even more peculiarly, if I then delete the 
archived alerts which are visible, the invisible alerts start to show up 
as added on the web front end and become retrievable.

Digging around in the db itself I find:

mysql> SELECT COUNT(*) FROM event;
+----------+
| COUNT(*) |
+----------+
|       60 |
+----------+

which accurately reflects how many alerts I have archived, but:

mysql> SELECT COUNT(*) FROM acid_event;
+----------+
| COUNT(*) |
+----------+
|       30 |
+----------+

which doesn't reflect reality, as I perceive it.

While I am almost totally ignorant of PHP, it appears that ACID is 
generating its "Total Number of Alerts" from acid_event, though.

So, I have several questions: 1) What is the relation between the 
event table and the acid_event table? 2) How is the relationship 
maintained? 3) How can I avoid the problem with newly archived alerts 
not showing up? 4) How can I force the invisibly archived alerts to 
appear without deleting the visibly archived alerts?

ACID: v0.9.6b{21,22}
Browser(s): Mozilla-1.1,1.0.1
Web Server: apache-1.3.23-14 [RedHat 7.3 RPM]
PHP (invoked via CGI): 4.1.2-7.3.4 [RedHat 7.3 RPM]
MySQL: 3.23.49
schema: 106
prior actions: upgrade snort from 1.8.7 to 1.9.0, create a new 
snort_archive db, archive 30 alerts after handling them, attempt to 
archive 30 more.

The effect is quasi-replicable, i.e. the ratio 
visibly-newly-archived-alerts/newly-archived-alerts varies between 0/1 
and 1/1. Attached are the snort and snort_archive ACID pages and a mysql 
trace of moving 10 alerts (selected by signature) from snort to 
snort_archive. NB SELECT COUNT(*) FROM snort_archive.event; increased by 
1 and

    Joe

-- 
======== Joe Christy ============================== joe at ...7170... =======
---- Voice:831/423-7151 --- Mobile:650/483-9123 --- FAX:831/469-0804 ---
__ If I can save you any time, give it to me, I'll keep it with mine. __
 www.eshu.net/CA.html  BF:38:C1:17:5F:F4:00:19:53:01:7B:4C:88:72:93:85 
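One way to confirm the mismatch the post describes, as an added example that is not part of the original message: it assumes, as in ACID's schema, that acid_event is a per-alert summary cache keyed on the same (sid, cid) pair as the Snort event table, so any event row without a matching acid_event row is an alert the web front end cannot count or search.

```sql
-- Constructed diagnostic against the snort_archive database.
-- Assumption: both tables carry Snort's (sid, cid) alert key and
-- acid_event is ACID's cache of event; the 60-vs-30 discrepancy
-- in the post should appear as 30 rows here.
USE snort_archive;

-- How many archived alerts have no cache entry at all?
SELECT COUNT(*) AS uncached_alerts
  FROM event e
  LEFT JOIN acid_event a
    ON a.sid = e.sid AND a.cid = e.cid
 WHERE a.sid IS NULL;

-- List them, so the "invisible" alerts can be compared with the
-- mysql trace of the archive operation (constructed query).
SELECT e.sid, e.cid, e.signature, e.timestamp
  FROM event e
  LEFT JOIN acid_event a
    ON a.sid = e.sid AND a.cid = e.cid
 WHERE a.sid IS NULL
 ORDER BY e.timestamp;

-- The reverse check: cache rows whose alert no longer exists in event
-- (stale cache after a delete) would show up here.
SELECT COUNT(*) AS stale_cache_rows
  FROM acid_event a
  LEFT JOIN event e
    ON e.sid = a.sid AND e.cid = a.cid
 WHERE e.sid IS NULL;
```

If the first count is non-zero while event and acid_event are supposed to be in step, the cache rather than the archived data is what is out of date.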

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20021014/e29f8323/attachment.html>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20021014/e29f8323/attachment-0001.html>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: acid_archive-msysql-trace
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20021014/e29f8323/attachment.ksh>

