[Snort-users] database error duplicate entry 1-xxx for key 1
ecugradproj at ...131...
Sun Jul 18 15:13:07 EDT 2004
I have been "playing" with snort in a laboratory
environment. I am running nessus scans against my
network and watching snort reaction. Here is what I
have found about the above error:
All errors occurred with the following acid_event:
sid=1 (I am assuming sid=sensor id so it may not be
the same for every system); cid=xxxxx (xxxxx matching
the number after the dash in the "duplicate entry"
portion of the error message and the entry before
and/or after it); signature=55; sig_name=ssp_bo: Back
Orafice Traffic detected (key: 31337); sig_class_id=0;
sig_priority=null; timestamp= varies, time of the
alert; ip_src= source of attack?? (this is constant in
my case because I am testing and I know this to be the
op of the attack machine); ip_dest= target machine for
the attack...again, this is constant in my case due to
the testing environment and is known victim machine in
the testing; ip_prot=17; layer4sport= 32911, 33010,
33114, 33210, 33313, 33422, 33515, 33612 (not sure...I
would guess this to be source layer 4 port??);
layer4_dport=31337 (I would guess this to be the layer
4 destination port ??).
My guess is that this error indicates, well, a back
orafice attack (or potential of same) and that this
type of attack creates the error in the acid database
I am a newbie so these are only guesses, but I do know
that this attack signature very consistently generates
Do you Yahoo!?
Vote for the stars of Yahoo!'s next ad campaign!
More information about the Snort-users