[Snort-users] Duplicate alerts

John Creegan jcreegan at ...9729...
Wed Feb 4 07:54:10 EST 2004


I'm running snort 2.0.4 on a Sun SPARC running Solaris 8.  I'm also
running barnyard and ACID.

I'm seeing duplicate entry warnings for key 1 from ACID.  I've been
through the archives, and though there does not appear to be a fix
published, there is the statement that this is because there is more
than one process trying to send the same alert to the ACID DB.  So:

Snort is outputting to the unified alert file ONLY (I've been careful
with the config file), and barnyard is reading from that unified alert
file.

When snort is running and barnyard is not, no new alerts appear in
ACID, just like I'd expect, so I've eliminated the possibility that
snort is feeding the DB directly.

Start barnyard, start seeing duplicate warnings.

One thing I'm wondering about:  when I start barnyard, it tells me it's
loading dp_alert (which is fine), but it also says it's loading dp_log
and dp_stream_stat as well.  Then it says it's loading The Fast Alert
output plugin, the AlertSyslog, Log Dump, LogPcap, AcidDb, and alertCSV
plugins as well.  And this all happens BEFORE barnyard parses the
barnyard.conf file.

Since only the snort_unified.alert file exists, there's nothing for the
other data processors to read, and I (for the moment) don't care about
any of the output plugins except AcidDB.

It seems not to matter whether or not, after parsing the barnyard.conf
file, barnyard shuts down unused data processors and output plugins if
there is only one file as a source of alert data.

I'm wondering whether anyone else has seen the same thing.  I don't
recall seeing duplicate warnings in ACID until I started using
barnyard.
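
The checks below are an added example, not part of the original message or of the Snort/barnyard/ACID projects. They test the "more than one process is writing the same alert" theory directly against the ACID database. They assume the standard Snort database schema (tables `sensor` and `event`, with `sensor.last_cid` and the `event` primary key on `(sid, cid)`) and a MySQL backend, which the post does not state; in MySQL, "Duplicate entry ... for key 1" means the first index, i.e. that primary key. The statement that barnyard's acid_db output advances `last_cid` while snort's own database plugin derives its next cid from `MAX(cid)` is an assumption from memory and is stated as such in the comments.

```sql
-- Added example (not from the original post). Assumes the standard Snort
-- database schema as used by ACID: tables `sensor` and `event`, with
-- event PRIMARY KEY (sid, cid) and a `last_cid` counter on sensor.

-- 1. List every sensor row. Two rows for the same hostname/interface/filter
--    means two writers registered themselves (e.g. an `output database`
--    line left in snort.conf plus barnyard), or barnyard was restarted
--    with a different hostname/interface than before.
SELECT sid, hostname, interface, filter, last_cid
  FROM sensor
 ORDER BY hostname, interface, sid;

-- 2. Compare each sensor's last_cid with the highest cid actually stored.
--    (Assumption: barnyard's acid_db output takes its next cid from
--    last_cid, while snort's own database plugin uses MAX(cid).)
--    If max_cid_in_event is already ahead of last_cid, some other process
--    inserted events without advancing the counter, and barnyard's next
--    INSERT will collide on the (sid, cid) primary key.
SELECT s.sid,
       s.last_cid,
       MAX(e.cid)   AS max_cid_in_event,
       COUNT(e.cid) AS events_stored
  FROM sensor s
  LEFT JOIN event e ON e.sid = s.sid
 GROUP BY s.sid, s.last_cid;

-- 3. Find the same alert recorded more than once under different cids,
--    which is what two writers produce when they do NOT collide on the key.
SELECT sid, signature, timestamp, COUNT(*) AS copies
  FROM event
 GROUP BY sid, signature, timestamp
HAVING COUNT(*) > 1
 ORDER BY copies DESC;
```

If query 1 shows a single sensor and query 2 shows `last_cid` equal to `max_cid_in_event`, the database has only one writer and the duplicates are being produced by barnyard itself re-reading records it already inserted (for example after a restart without a waldo/bookmark file), so the next thing to look at is how barnyard is resuming on the unified file rather than who else is talking to the database.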

