[Snort-users] U2 growing rapidly in size, by2 errors regarding event microsecond and revision 
matty_condon at ...125...
Thu Apr 20 23:40:22 EDT 2017
Hey list, turns out my aging Snort setup is giving me problems. It was not outputting to the db, so I checked the sensor. By2 was giving errors along the lines of:
"Current event with Event_id  Event Second: 1.263736728 microsecond and signature id of [4165425152] was logged with a revision of (0)"
Could not find that sigid anywhere in rules file, sidmsg.map or db. Event id did exist in db but was dated a long time ago.
In addition to this, I had something like 100 u2 files. Upon restarting Snort, it seemed the u2 files were filling up within minutes; I thought a u2 file would usually stay around a MB or so and be parsed out by by2.
I'm not sure if the two issues are related but I would guess they are.
Anyone experienced anything like this?