[Snort-users] ACID and duplicate alert

Todd Holloway todd at ...4574...
Thu Sep 5 17:17:10 EDT 2002


thanks for the information Ramon...I guess it's upgrade time :)

todd

On Thu, Sep 05, 2002 at 08:14:22PM -0400, Roman Danyliw wrote:
> This error might be caused by the CID re-use problem.  The situation is
> something as follows:
> 
> 1.  Events are uniquely identified in the database by a (sid, cid) pair.  Lets
> assume snort logs an event with a given (sid,cid).
> 
> 2.  This event is now browsed by ACID, and moved to the archive database (and
> purged from the active database).
> 
> 3.  Snort will now reuse the previous cid (since it is no longer being used),
> and log an event associated with it to the database.
> 
> 4.  When you attempt to move this new event with the reused cid to the archive
> database, ACID will first check whether the event is already there.  Sure
> enough, the original event assigned the cid will be there.  Hence, it will look
> like a duplicate event.
> 
> This behavior can be manually confirmed by logging into the live and archive
> database and verifying that there are different events with the same (sid,cid)
> pair.  
> 
> Snort v1.9 has been changed to prevent the reuse of CIDs.  This should eliminate
> this duplicate problem.
> 
> Roman
> 
> 
> On Thu, 5 Sep 2002 14:48:27 -0500, Todd Holloway <todd at ...4574...> wrote :
> 
> > I get this error only occasionally when I try to "move/copy" an alert(s) to the
> > archive.
> > 
> > ______________________________________________________________
> > Ignored 1 duplicate alert(s)
> > 
> > No alerts were selected or the ARCHIVE-move was not successful
> > 
> > Added 0 alert(s) to the Alert cache
> > ______________________________________________________________
> > 
> > 
> > And in checking the archive, I don't see any such duplicate,
> > and of course the alert is not "moved/copied" over.
> > 
> > Data:
> > 
> > Database: snort at ...274...    (schema version: 105)
> > ACID v0.9.6b21
> > snort-1.8.6
> > 2.4.18-6mdkenterprise #1 SMP
> > 
> > 
> > thanks
> > todd
> > 
> > --
> > [It] contains "vegetable stabilizer" which sounds ominous.  How unstable are vegetables?
> > 								Jeff Zahn
> > 
> > 

-- 
[It] contains "vegetable stabilizer" which sounds ominous.  How unstable are vegetables?
								Jeff Zahn
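The (sid, cid) reuse Roman describes can be checked directly against the two databases. The following is an added example, not code from this thread or from the Snort or ACID projects: it uses Python's sqlite3 module as a stand-in for the real MySQL/PostgreSQL back end, a reduced `event` table (the actual Snort schema has more tables and columns), and constructed sample rows in which the live database holds a different event under a (sid, cid) that the archive already contains. `find_cid_collisions` is the "different events with the same (sid, cid) pair" query; `archive_move` mimics ACID's archive check so the "Ignored 1 duplicate alert(s)" outcome can be reproduced offline.

```python
import sqlite3

# Simplified stand-in for the Snort "event" table: only the columns this
# check needs are kept (the real schema has more tables and columns).
EVENT_DDL = """
CREATE TABLE {db}.event (
    sid       INTEGER NOT NULL,   -- sensor id
    cid       INTEGER NOT NULL,   -- per-sensor event counter
    signature INTEGER NOT NULL,   -- rule that fired
    timestamp TEXT    NOT NULL,
    PRIMARY KEY (sid, cid)        -- (sid, cid) is the event identity
);
"""

# Constructed sample data. archive.event holds the event originally logged as
# (1, 1); the live database holds a *different* event that an older Snort
# logged under the same (1, 1) after the first one was archived and purged.
ARCHIVE_ROWS = [(1, 1, 17, "2002-09-04 09:00:00")]
LIVE_ROWS = [
    (1, 1, 42, "2002-09-05 14:30:00"),   # reused cid
    (1, 2, 7,  "2002-09-05 14:31:00"),   # ordinary event
]


def build_db():
    """Return a connection with the live db as 'main' and the archive attached."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS archive")
    conn.executescript(EVENT_DDL.format(db="main") + EVENT_DDL.format(db="archive"))
    conn.executemany("INSERT INTO main.event VALUES (?, ?, ?, ?)", LIVE_ROWS)
    conn.executemany("INSERT INTO archive.event VALUES (?, ?, ?, ?)", ARCHIVE_ROWS)
    conn.commit()
    return conn


def find_cid_collisions(conn):
    """(sid, cid) pairs present in both databases whose event data differs.

    A row here means the cid was reused, which is what makes ACID report a
    'duplicate' while the archive visibly holds a different alert.
    """
    sql = """
    SELECT l.sid, l.cid,
           l.signature, l.timestamp,
           a.signature, a.timestamp
    FROM main.event AS l
    JOIN archive.event AS a ON a.sid = l.sid AND a.cid = l.cid
    WHERE l.signature <> a.signature OR l.timestamp <> a.timestamp
    ORDER BY l.sid, l.cid
    """
    return conn.execute(sql).fetchall()


def archive_move(conn, keys):
    """Mimic ACID's move-to-archive: copy each (sid, cid) from the live db to
    the archive unless the archive already has that key, then purge it from
    the live db. Returns (moved, ignored)."""
    moved = ignored = 0
    for sid, cid in keys:
        exists = conn.execute(
            "SELECT 1 FROM archive.event WHERE sid = ? AND cid = ?", (sid, cid)
        ).fetchone()
        if exists:
            ignored += 1          # ACID: "Ignored 1 duplicate alert(s)"
            continue
        conn.execute(
            "INSERT INTO archive.event SELECT * FROM main.event WHERE sid = ? AND cid = ?",
            (sid, cid),
        )
        conn.execute("DELETE FROM main.event WHERE sid = ? AND cid = ?", (sid, cid))
        moved += 1
    conn.commit()
    return moved, ignored


if __name__ == "__main__":
    db = build_db()
    for row in find_cid_collisions(db):
        print("cid collision: live", row[:4], "vs archive", row[4:])
    print("move result (moved, ignored):", archive_move(db, [(1, 1), (1, 2)]))
```

Against a real deployment the same JOIN can be run across the two databases (the archive being a separate database on the same server), and any row it returns is a cid that was reused; those events need a fresh cid before they can be archived, which is what the Snort 1.9 change avoids by never handing out a cid twice.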