[Snort-users] duplicate entry in DB (not the ACID problem)

Briggs, Bruce Bruce.Briggs at ...13183...
Tue Mar 29 13:41:05 EST 2005


A reflection of the packet should be the result of a misconfiguration
someplace, as it is unexpected.
Normally some sort of routing confusion.
And you would expect some minor timestamp difference - maybe as much as
a few milliseconds - but it would not likely be a discernable difference
using tools such as ACID or BASE to display the timestamp.

I had a bunch of duplicates one time when I stupidly had 2 instances of
Snort running on the same sensor.
But you have already ruled that out as a possible cause.

Bruce

-----Original Message-----
From: Hin [mailto:hchlai at ...2792...] 
Sent: Tuesday, March 29, 2005 4:21 PM
To: Briggs, Bruce; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] duplicate entry in DB (not the ACID problem)

Out of curiosity... are there any benefits to forwarding the packets back out
onto the same Ethernet segment? Or is it a misconfiguration?
Also, I suppose a reflection of packets would result in a different
timestamp, wouldn't it?

Hin

"Briggs, Bruce" <Bruce.Briggs at ...13183...> wrote:

>Are they for the same sensor ID?
>If so, possibly something is reflecting these packets back out on your
>monitored Ethernet segment again.
>One way this could happen is from a router/routing switch which gets
>these packets forwarded in from some other device and then the router
>forwards those packets back out onto the same Ethernet segment.
>
>Bruce
>
>-----Original Message-----
>From: snort-users-admin at lists.sourceforge.net
>[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Hin
>Sent: Tuesday, March 29, 2005 1:17 PM
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] duplicate entry in DB (not the ACID problem)
>
>This is really devastating. I have received multiple identical entries
>of the same event in the DB. These identical entries have the same
>payload, same src/dest IP, exact same time etc. The only difference is the
>event ID. This is not the duplicate key entry error in ACID. I have
>about 90% of my alerts receiving multiple entries, and I can't find any
>common ground among alerts receiving multiple entries vs unique entry.
>I have also made sure only 1 instance of Snort is running on my sensor.
>Any suggestion would be appreciated.
>
>Hin
>
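
One way to sort duplicate alerts by the causes raised in this thread (different sensor IDs, a router reflecting the packet, a second copy on the same sensor), added here as an example and not code from any poster or from Snort. It assumes rows exported from a join of the Snort database's event and iphdr tables; the sample rows, signature IDs and addresses are constructed, and the TTL comparison relies on routers decrementing the IP TTL when they forward a packet.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows, shaped like a join of Snort's `event` and `iphdr`
# tables: (sid = sensor id, cid = event id, signature, timestamp,
#          ip_src, ip_dst, ip_id, ip_ttl).
ROWS = [
    (1, 101, 2003, "2005-03-29 13:17:02", "10.0.0.5", "10.0.1.9", 4242, 64),
    (1, 102, 2003, "2005-03-29 13:17:02", "10.0.0.5", "10.0.1.9", 4242, 63),
    (1, 103, 2010, "2005-03-29 13:17:05", "10.0.0.7", "10.0.1.9", 900, 128),
    (1, 104, 2010, "2005-03-29 13:17:05", "10.0.0.7", "10.0.1.9", 900, 128),
    (1, 105, 2011, "2005-03-29 13:17:09", "10.0.0.8", "10.0.1.9", 77, 64),
    (1, 106, 2003, "2005-03-29 13:18:30", "10.0.0.6", "10.0.1.9", 5, 64),
    (2, 55, 2003, "2005-03-29 13:18:30", "10.0.0.6", "10.0.1.9", 5, 64),
]


def classify_duplicates(rows, max_skew_seconds=1):
    """Group alerts that describe the same packet and label the likely cause."""
    groups = defaultdict(list)
    for sid, cid, sig, ts, src, dst, ip_id, ttl in rows:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        # Same signature, endpoints and IP ID: treated as the same packet.
        groups[(sig, src, dst, ip_id)].append((sid, cid, when, ttl))

    findings = {}
    for key, hits in groups.items():
        times = [h[2] for h in hits]
        skew = (max(times) - min(times)).total_seconds()
        if len(hits) < 2 or skew > max_skew_seconds:
            continue  # unique alert, or too far apart to be one packet
        events = sorted((h[0], h[1]) for h in hits)
        if len({h[0] for h in hits}) > 1:
            cause = "multiple-sensors"   # logged under different sensor IDs
        elif len({h[3] for h in hits}) > 1:
            cause = "ttl-differs"        # a router forwarded it again
        else:
            cause = "identical-copy"     # same packet captured or logged twice
        findings[key] = (cause, events)
    return findings


if __name__ == "__main__":
    for key, (cause, events) in classify_duplicates(ROWS).items():
        print(key, cause, events)
```

A "ttl-differs" group is consistent with a packet reflected back onto the monitored segment by a router; an "identical-copy" group points at the capture or logging path on the sensor itself.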
