[Snort-users] the dreaded "duplicate alerts" with BASE archiving

Jon Hart jhart at ...8039...
Thu May 25 04:56:01 EDT 2006


I know this has been beaten to death in various arenas in the past, but
I have yet to see an official solution.

The problem is that, when using BASE (and ACID, too), if you archive
alerts you will eventually get errors that say "Ignored XX duplicate
alerts".  Sometimes, the archive will be successful.  Other times,
a portion of the archive will succeed and the rest will fail.
Other times, the entire archive will fail.

There have been many potential solutions in the past:

1) Don't archive
2) Use barnyard (doesn't actually solve the problem)
3) Use FLoP 
4) Write some script or SQL to massage the database(s) back into shape
5) Modifications to the database output plug-in 


So far, the only concrete solution, it seems, is to use FLoP.  I have
not tried this yet as I have yet to see someone respond in the archives
saying "yes, FLoP is the greatest thing since sliced bread and solves my
problems".


