[Snort-users] restarting snort and archive move failed on base

hans rosa.schwein at ...12989...
Wed Apr 20 15:34:54 EDT 2005

hi all 

using snort and base 1.1.2 (zora) 

i moved all alerts from the alert database to
the archive database. after that, i restarted snort, as
i had made some changes.
snort did start writing alerts to the database again.

now i try to move these new alerts to the archive db again.
this fails with the following error:
Ignored x duplicate alert(s)
No alerts were selected or the Archive alert(s) (move) was not successful

the reason is simple. the new alerts have the same id 
as some old, stored in the archive db.
snort did start counting beginning with 1 again. 

what can i do ? 
i could delete all entries in the archive. 

any other ideas ? 

i did restart snort more than one time. never had a problem. 
imho snort reads the "last" cid, but if the db is empty, it
starts at 1.
looking in the archive db too (which archive? snort doesn't know it),
giving an additional argument with the start number, or calculating any
other unique key could solve the problem.

but all these would not solve my problem now. 

best regards 
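
The key collision described in the message above can be confirmed before retrying the move. This is an added example, not part of the original post and not Snort or BASE code; it assumes a simplified `event` table keyed on (sid, cid), uses SQLite in place of the real database, and all rows and function names are constructed for illustration.

```python
import sqlite3

# Simplified, constructed stand-in for the Snort `event` table (assumption):
# sid = sensor id, cid = per-sensor event counter, (sid, cid) is the key.
SCHEMA = ("CREATE TABLE {db}.event (sid INTEGER, cid INTEGER, "
          "signature INTEGER, PRIMARY KEY (sid, cid))")

def build_sample():
    """Build a live alert db ('main') and an attached archive db with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS archive")
    conn.execute(SCHEMA.format(db="main"))
    conn.execute(SCHEMA.format(db="archive"))
    # Constructed: alerts moved to the archive before the restart (cid 1..5).
    conn.executemany("INSERT INTO archive.event VALUES (1, ?, 100)",
                     [(c,) for c in range(1, 6)])
    # Constructed: alerts logged after the restart into the emptied alert db;
    # the counter began at 1 again, so cid 1..3 reuse archived keys.
    conn.executemany("INSERT INTO main.event VALUES (1, ?, 200)",
                     [(c,) for c in range(1, 4)])
    return conn

def colliding_keys(conn):
    """(sid, cid) pairs that exist in both the live alert db and the archive."""
    return conn.execute(
        "SELECT l.sid, l.cid FROM main.event AS l "
        "JOIN archive.event AS a ON a.sid = l.sid AND a.cid = l.cid "
        "ORDER BY l.sid, l.cid").fetchall()

def archive_high_water(conn):
    """Highest archived cid per sensor; live cids above it cannot collide."""
    return dict(conn.execute(
        "SELECT sid, MAX(cid) FROM archive.event GROUP BY sid"))

if __name__ == "__main__":
    db = build_sample()
    print("colliding (sid, cid):", colliding_keys(db))
    print("archive max cid per sid:", archive_high_water(db))
```
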

