[Snort-users] U2 growing rapidly in size, by2 errors regarding event microsecond and revision [0]

Matt Condon matty_condon at ...125...
Thu Apr 20 23:40:22 EDT 2017

Hey list, turns out my aging snort setup is giving me problems, was not outputting to db so I checked the sensor. By2 was giving errors along the lines of:

"Current event with Event_id [32477] Event Second: 1.263736728 microsecond and signature id of [4165425152<tel:4165425152>] was logged with a revision of (0)"

Could not find that sigid anywhere in rules file, sidmsg.map or db. Event id did exist in db but was dated a long time ago.

In addition to this I had something like 100 u2 files - upon restarting snort it seemed u2 files were filling up within minutes, usually a u2 file will stay around a mb or so I thought and was parsed out by the by2.

I'm not sure if the two issues are related but I would guess they are.

Anyone experienced anything like this?

Sent from my iPhone

More information about the Snort-users mailing list