[Snort-users] ACID and duplicate alert

Roman Danyliw roman at ...438...
Thu Sep 5 17:15:06 EDT 2002


This error might be caused by the CID re-use problem.  The situation is
something as follows:

1.  Events are uniquely identified in the database by a (sid, cid) pair.  Let's
assume snort logs an event with a given (sid,cid).

2.  This event is now browsed by ACID, and moved to the archive database (and
purged from the active database).

3.  Snort will now reuse the previous cid (since it is no longer being used),
and log an event associated with it to the database.

4.  When you attempt to move this new event with the reused cid to the archive
database, ACID will first check whether the event is already there.  Sure
enough, the original event assigned the cid will be there.  Hence, it will look
like a duplicate event.

This behavior can be manually confirmed by logging into the live and archive
databases and verifying that there are different events with the same (sid,cid)
pair.

Snort v1.9 has been changed to prevent the reuse of CIDs.  This should eliminate
this duplicate problem.

Roman
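The manual check described above, as an added example that is not part of the original thread: two in-memory SQLite databases stand in for the live and archive Snort databases (the table layout is simplified to the event columns sid, cid, signature and timestamp, and the rows are constructed), and the query lists (sid, cid) keys that exist in both databases but describe different events, which is what a reused cid looks like, as opposed to a true duplicate.

```python
import sqlite3

# Simplified stand-in for the Snort "event" table (the real schema has more
# tables and columns); both databases are created in memory to run offline.
EVENT_DDL = """CREATE TABLE {db}.event (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    signature INTEGER NOT NULL, timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid))"""

# Constructed rows: on sensor sid=1, cid=1 was archived the day before, then
# reused by Snort for a different alert after ACID purged it from the live DB.
LIVE_EVENTS = [(1, 1, 42, "2002-09-05 15:02:11"), (1, 2, 7, "2002-09-05 15:03:40")]
ARCHIVE_EVENTS = [(1, 1, 13, "2002-09-04 09:17:55"), (2, 5, 13, "2002-09-04 10:00:00")]

def open_databases():
    """Open the live DB as 'main' and attach a separate DB as 'archive'."""
    con = sqlite3.connect(":memory:")
    con.execute("ATTACH DATABASE ':memory:' AS archive")
    con.execute(EVENT_DDL.format(db="main"))
    con.execute(EVENT_DDL.format(db="archive"))
    con.executemany("INSERT INTO main.event VALUES (?, ?, ?, ?)", LIVE_EVENTS)
    con.executemany("INSERT INTO archive.event VALUES (?, ?, ?, ?)", ARCHIVE_EVENTS)
    return con

def find_cid_collisions(con):
    """(sid, cid) keys present in both DBs whose signature or timestamp differ.
    These are reused cids rather than true duplicates; an existence-only check
    on the key cannot tell the two apart, so the move reports a duplicate."""
    return con.execute("""
        SELECT l.sid, l.cid, l.signature, l.timestamp, a.signature, a.timestamp
        FROM main.event AS l
        JOIN archive.event AS a ON a.sid = l.sid AND a.cid = l.cid
        WHERE l.signature <> a.signature OR l.timestamp <> a.timestamp
        ORDER BY l.sid, l.cid""").fetchall()

def classify_move(con, sid, cid):
    """How an archive move of one live event should be treated: 'new' (not in
    the archive), 'duplicate' (identical row already archived) or 'collision'
    (same key but a different event, i.e. the reused-cid case)."""
    query = "SELECT signature, timestamp FROM {}.event WHERE sid = ? AND cid = ?"
    live = con.execute(query.format("main"), (sid, cid)).fetchone()
    arch = con.execute(query.format("archive"), (sid, cid)).fetchone()
    if live is None:
        raise KeyError(f"no live event with (sid, cid) = ({sid}, {cid})")
    if arch is None:
        return "new"
    return "duplicate" if arch == live else "collision"
```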


On Thu, 5 Sep 2002 14:48:27 -0500, Todd Holloway <todd at ...4574...> wrote :

> I get this error only occasionally when I try to "move/copy" an alert(s) to the
> archive.
> 
> ______________________________________________________________
> Ignored 1 duplicate alert(s)
> 
> No alerts were selected or the ARCHIVE-move was not successful
> 
> Added 0 alert(s) to the Alert cache
> ______________________________________________________________
> 
> 
> And in checking the archive, I don't see any such duplicate,
> and of course the alert is not "moved/copied" over.
> 
> Data:
> 
> Database: snort at ...274...    (schema version: 105)
> ACID v0.9.6b21
> snort-1.8.6
> 2.4.18-6mdkenterprise #1 SMP
> 
> 
> thanks
> todd
> 
> --
> [It] contains "vegetable stabilizer" which sounds ominous.  How unstable are
> vegetables?
>
> 						Jeff Zahn
> 
> 