[Snort-users] Duplicate key errors in ACID

John Creegan jcreegan at ...9729...
Tue Feb 10 08:18:05 EST 2004


I'm working on a problem I'm seeing in ACID, "Database ERROR:Database
ERROR:Duplicate entry '1-1' for key 1".  Here's what I've discovered:

A bit of background:
     Solaris 8 on a Sun SPARC
     Snort 2.0.4
     Barnyard 0.1.0 (Build 17)     
     MySQL 4.0.14     
     ACID 0.9.6b23

     1. I only see duplicates if snort outputs with the unified alert
facility:
(from my snort.conf file)
output alert_unified: filename snort_unified.alert, limit 128

     2. I do not see duplicate if snort outputs with the log facility:

output log_unified: filename snort_unified.log, limit 128

     3. In both cases, it's barnyard loading the DB.

     4. It's only one or the other.  I'm not using both at the same
time.

Note that the error message I mentioned above is a result from the very
first alert going into a clean DB, all tables other than application
tables are emptied.

I've been in the ACID PHP pages and made all the SELECT's in the
acid_cache page "DISTINCT", but no joy.  This was a stretch anyway.

I've read lots and lots of documentation on the differences between the
alert and log facilities.  My understanding is that both enter events
into the MySQL based on the rules applied, however the log facility will
also log to the DB the offending packet payload.

When using the log facility, I lose portscan alerts.  The number of
events I get drops dramatically.  I don't think I believe my current
understanding.

Can anyone explain why, when invoking of the same rulesets, I get
differing results in the DB?

Use alert, get more event data (including portscans), also get
duplicates.
Use log, no duplicates, fewer events reported.

Choices, choices...


This message (including any attachments) contains confidential 
information intended for a specific individual and purpose, 
and is protected by law.  If you are not the intended recipient,
you should delete this message and are hereby notified that any 
disclosure,copying, or distribution of this message, or the taking 
of any action based on it, is strictly prohibited.





More information about the Snort-users mailing list