[Snort-users] Barnyard issue: Multiple entries in database for a single signature.

fatema bannatwala fatema.bannatwala at ...11827...
Tue Jan 10 08:27:12 EST 2017


Hi all,

So, as the subject of this message says, there are multiple entries for some
rules getting created in the Snort SQL database, which is resulting in
alerts not getting logged into the database, maybe because of some
race condition.

Hence, is there any fix/patch for this kind of situation? Or is anyone else
experiencing the same?

For example:

snort=> SELECT * FROM signature WHERE sig_sid = 40782;
 sig_id  |                            sig_name                             | sig_class_id | sig_priority | sig_rev | sig_sid | sig_gid
---------+-----------------------------------------------------------------+--------------+--------------+---------+---------+---------
 1561695 | BLACKLIST User-Agent known malicious user-agent string - Venik  |            1 |            1 |       1 |   40782 |       1
 1561696 | BLACKLIST User-Agent known malicious user-agent string - Venik  |            1 |            1 |       1 |   40782 |       1
 1561700 | BLACKLIST User-Agent known malicious user-agent string - Venik  |            1 |            1 |       1 |   40782 |       1
 1561701 | BLACKLIST User-Agent known malicious user-agent string - Venik  |            1 |            1 |       1 |   40782 |       1
 1561704 | BLACKLIST User-Agent known malicious user-agent string - Venik  |            1 |            1 |       1 |   40782 |       1
 1561697 | BLACKLIST User-Agent known malicious user-agent string - Venik  |            1 |            1 |       1 |   40782 |       1
 1561702 | BLACKLIST User-Agent known malicious user-agent string - Venik  |            1 |            1 |       1 |   40782 |       1
 1561703 | BLACKLIST User-Agent known malicious user-agent string - Venik  |            1 |            1 |       1 |   40782 |       1


Any help would be appreciated.

Thanks,
Fatema.
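
An audit for the symptom shown in this message, added here as an example and not part of the original post or of Barnyard2's own code: it lists every (sig_gid, sig_sid, sig_rev) that maps to more than one sig_id. The column names and the eight sig_id values come from the psql output above; the SQLite in-memory database, the other rows and the function names are constructed for the demonstration, and the query itself uses only standard SQL.

```python
import sqlite3

# Columns as shown in the psql output of the post; types are an assumption.
SCHEMA = """
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY,
    sig_name     TEXT NOT NULL,
    sig_class_id INTEGER,
    sig_priority INTEGER,
    sig_rev      INTEGER,
    sig_sid      INTEGER,
    sig_gid      INTEGER
);
"""

# One output row per rule identity that has more than one sig_id.
DUPLICATE_AUDIT = """
SELECT sig_gid, sig_sid, sig_rev,
       COUNT(*)    AS copies,
       MIN(sig_id) AS lowest_sig_id,
       MAX(sig_id) AS highest_sig_id
FROM signature
GROUP BY sig_gid, sig_sid, sig_rev
HAVING COUNT(*) > 1
ORDER BY copies DESC, sig_sid;
"""

def find_duplicate_signatures(conn):
    """Return (gid, sid, rev, copies, lowest_sig_id, highest_sig_id) tuples."""
    return conn.execute(DUPLICATE_AUDIT).fetchall()

def build_sample_db():
    """In-memory table mirroring the post's rows plus constructed controls."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    name = "BLACKLIST User-Agent known malicious user-agent string - Venik"
    ids = (1561695, 1561696, 1561697, 1561700,
           1561701, 1561702, 1561703, 1561704)
    rows = [(i, name, 1, 1, 1, 40782, 1) for i in ids]
    # Constructed controls: a unique rule, and one rule at two revisions
    # (different sig_rev values are distinct rows, not duplicates).
    rows.append((2000001, "constructed rule A", 2, 2, 3, 90001, 1))
    rows.append((2000002, "constructed rule B", 2, 2, 1, 90002, 1))
    rows.append((2000003, "constructed rule B", 2, 2, 2, 90002, 1))
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?,?,?,?)", rows)
    return conn

if __name__ == "__main__":
    for row in find_duplicate_signatures(build_sample_db()):
        print(row)
```

The text of DUPLICATE_AUDIT can be run as-is at the snort=> prompt to see how many rules are affected beyond sig_sid 40782.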