[Snort-users] snort: database: mysql_error: Duplicate entry

John Creegan jcreegan at ...9729...
Mon Feb 2 08:43:42 EST 2004


I did this, and checked the result of the query.  The query worked
fine.

However, I still have the same problem.  When I look at the last_cid
value in the sensor table I see that it is not updating at each new
alert.

The last sid-cid pair used in the events table is 1-406037.
The sid-last_cid value in the sensor table is 1-405780.

It looks like I'm trying to understand why the last_cid value is not
updating properly, and I'm not sure yet that "properly" means "at every
new alert added to the event table."

>>> "Hutchinson, Andrew" <andrew.hutchinson at ...759...> 01/30/04
03:22PM >>>
Try doing this:

1.> Stop snort, so that the cid stops incrementing.

2.> Run this query:

SELECT * FROM event ORDER BY cid DESC LIMIT 10;

3.> Take the top entry, and that's the largest cid issued.

4.> Run this update:

UPDATE sensor SET last_cid='<whatever the value was from #3>' WHERE
sid='<whatever your sensor id is>';

5.> Restart snort


Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856


> -----Original Message-----
> From: Warner Joseph [mailto:Joseph.Warner at ...6725...] 
> Sent: Friday, January 30, 2004 9:43 AM
> To: 'chris.northrop at ...406...'; 'Adam Kaufman'
> Cc: snort-users at lists.sourceforge.net 
> Subject: RE: [Snort-users] snort: database: mysql_error: 
> Duplicate entry
> 
> 
> 
> Hi,
> 
> Since upgrading to snort-2.1.0 I have been getting the same 
> error.
> 
> >Either you copied over a config
> >file and did not change your node name 
> 
> What do you mean by this?  Are you referring to
> entries in the "database:" section of snort.conf?  If so,
> I've verified that the hostname I'm specifying is correct.
> 
> Also, ps -aux | grep snort shows only one instance of snort
> running on my server.
> 
> 
> 
> 
> -----Original Message-----
> From: Chris N [mailto:chris.northrop at ...406...] 
> Sent: Monday, January 26, 2004 4:13 PM
> To: 'Adam Kaufman'
> Cc: snort-users at lists.sourceforge.net 
> Subject: RE: [Snort-users] snort: database: mysql_error: 
> Duplicate entry
> 
> 
> You have two instances of Snort running.  Either you copied 
> over a config
> file and did not change your node name or you are running 
> snort twice on one
> machine..
> 
> Pull out your trusty "ps -ax|grep snort" and kill off the one 
> you don't
> need..
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Adam
> Kaufman
> Sent: Tuesday, January 20, 2004 12:28 PM
> To: Snort-users at lists.sourceforge.net 
> Subject: [Snort-users] snort: database: mysql_error: Duplicate entry
> 
> 
> I just updated the rules on one of my sensors and now I am getting
the
> following errors in syslog:
> 
> Jan 20 20:25:14 sensor snort: database: mysql_error: Duplicate entry
> '1-1491262' for key 1
> Jan 20 20:25:14 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491262', '14', 
> '2004-01-20
> 20:25:14+00')
> Jan 20 20:25:14 sensor snort: database: mysql_error: Duplicate entry
> '1-1491263' for key 1
> Jan 20 20:25:14 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491263', '14', 
> '2004-01-20
> 20:25:14+00')
> Jan 20 20:25:15 sensor snort: database: mysql_error: Duplicate entry
> '1-1491264' for key 1
> Jan 20 20:25:15 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491264', '496',
> '2004-01-20 20:25:15+00')
> Jan 20 20:25:15 sensor snort: database: mysql_error: Duplicate entry
> '1-1491265' for key 1
> Jan 20 20:25:15 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491265', '491',
> '2004-01-20 20:25:15+00')
> Jan 20 20:25:15 sensor snort: database: mysql_error: Duplicate entry
> '1-1491266' for key 1
> Jan 20 20:25:15 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491266', '491',
> '2004-01-20 20:25:15+00')
> Jan 20 20:25:17 sensor snort: database: mysql_error: Duplicate entry
> '1-1491267' for key 1
> Jan 20 20:25:17 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491267', '17', 
> '2004-01-20
> 20:25:17+00')
> Jan 20 20:25:17 sensor snort: database: mysql_error: Duplicate entry
> '1-1491268' for key 1
> Jan 20 20:25:17 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491268', '13', 
> '2004-01-20
> 20:25:17+00')
> Jan 20 20:25:18 sensor snort: database: mysql_error: Duplicate entry
> '1-1491269' for key 1
> Jan 20 20:25:18 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491269', '7',
'2004-01-20
> 20:25:17+00')
> Jan 20 20:25:19 sensor snort: database: mysql_error: Duplicate entry
> '1-1491270' for key 1
> Jan 20 20:25:19 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491270', '14', 
> '2004-01-20
> 20:25:19+00')
> 
> I've seen some other problems similar to this on the mailing list,
but
> no  solution.  Can someone please help me fix this.
> 
> Thanks,
> 
> -Adam
> 
> 
> __________________________________
> Do you Yahoo!?
> Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes
> http://hotjobs.sweepstakes.yahoo.com/signingbonus 
> 
> 
> -------------------------------------------------------
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> http://www.eclipsecon.org/osdn 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net 
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users 
> 
> 
> 
> -------------------------------------------------------
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> http://www.eclipsecon.org/osdn 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net 
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users 
> 
> --------------------------------------------------------------
> -----------------
> This message and any included attachments are from Siemens 
> Medical Solutions 
> USA, Inc. and are intended only for the addressee(s).  
> The information contained herein may include trade secrets or 
> privileged or 
> otherwise confidential information.  Unauthorized review, 
> forwarding, printing, 
> copying, distributing, or using such information is strictly 
> prohibited and may 
> be unlawful.  If you received this message in error, or have 
> reason to believe 
> you are not authorized to receive it, please promptly delete 
> this message and 
> notify the sender by e-mail with a copy to 
> Central.SecurityOffice at ...10990... 
> 
> Thank you
> 
> 
> -------------------------------------------------------
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> http://www.eclipsecon.org/osdn 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net 
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users 
> 


-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn 
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net 
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


This message (including any attachments) contains confidential 
information intended for a specific individual and purpose, 
and is protected by law.  If you are not the intended recipient,
you should delete this message and are hereby notified that any 
disclosure,copying, or distribution of this message, or the taking 
of any action based on it, is strictly prohibited.





More information about the Snort-users mailing list