[Snort-users] restarting snort and archive move failed on base

hans rosa.schwein at ...12989...
Wed Apr 27 15:44:20 EDT 2005 

hi snorters 

for those, who are interested in the solution. 
or if you should have this problem, and dont wont to
delete all db-entries. 

i did update ( adding a constant value ) all values of 
all tables with column-name "cid" in the 
alert-db to a value higher than max in the archive-db. 

later i noticed, there is a table "sensor" with 
column "last_cid" this value is only updated, if 
snort terminates, i.e. with SIGTERM 
but not if snort crashs or SIGKILL 
maybe this is producing the situation. 

best regards 
hans 

-- 

On Thu, Apr 21, 2005 at 12:34:26AM +0200, hans wrote:
> 
> 
> hi all 
> 
> using snort and base 1.1.2 (zora) 
> 
> i moved all alerts from the alert database to
> the archive database. after it, i restarted snort, as
> i did made some changes. 
> snort did start writing alerts to the database again.
> 
> now i try to move this new alerts to the archive db again. 
> this failes with following error: 
> Ignored x duplicate alert(s)
> No alerts were selected or the Archive alert(s) (move) was not successful
> 
> the reason is simple. the new alerts have the same id 
> as some old, stored in the archive db.
> snort did start counting beginning with 1 again. 
> 
> what can i do ? 
> i could delete all entries in the archive. 
> 
> any other ideas ? 
> 
> i did restart snort more than one time. never had a problem. 
> imho snort reads the "last" cid, but if the db is emtpy, it
> starts at 1. 
> looking in the archive db too ( which archive - snort doesn't know it ) 
> or give an additional argument with the start number or calculate any
> other unique key could solve the problem. 
> 
> but all these would not solve my problem now. 
> 
> 
> best regards 
> hans 
> 
> -- 
> 
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by: New Crystal Reports XI.
> Version 11 adds new functionality designed to reduce time involved in
> creating, integrating, and deploying reporting solutions. Free runtime info,
> new features, or free trial, at: http://www.businessobjects.com/devxi/728
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list