Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Bug in ACID? archive problem: "Ignored XXX Duplicate Events" on a rchive

From: "Cloppert, Michael" <Michael.Cloppert () 53 com>
Date: Thu, 29 Aug 2002 16:23:49 -0400
Background:
===========
I'm not sure if this is the correct forum for this sort of thing, but I've
tried the snort-users list and gotten virtually no feedback.  This is a VERY
big problem given the way our company has decided our IDS deployment is
going to work, so I am in dire need of some help before management decides
it's not worth the problems and ditches our Snort pilot project.

The problem:
============
When I select "Archive Events (move)" or "Archive Events (copy)", ACID
returns "Ignored XXX Duplicate Events", where XXX=<number of events selected
for archival> on a number of occasions.  These events *do not* already exist
in the archive database, and I *do* have acid_conf.php configured properly
to archive to "snort_archive" as opposed to the default database "snort".
I've put ACID in debug mode, and I don't see any discernable errors.

My data:
========
My first thought was database size.  I ran:
echo "show table status;" |mysql -u root -p snort
to see what my database tables looked like, but to be honest with you I
don't really know what I'm looking at.  The only thing I noticed that
*might* be a problem was that "Data_Free" for "acid_ag_alert" was 0.  Like I
said, I really don't know what most of that means, however.

My second thought was "screw ACID, I'll do the queries myself!"  I took a
particular event that was generating this error (sid 1, cid 6382), and ran:
"SELECT timestamp, ip_src, ip_dst, layer4_sport, layer4_dport, sig_name FROM
acid_event WHERE (acid_event.cid LIKE '6382');"
on both my snort and snort_archive databases.  My results were (apologies
for the wrapping):

database snort_archive:
mysql> SELECT timestamp, ip_src, layer4_sport, layer4_dport, sid, cid,
sig_name FROM acid_event WHERE (acid_event.cid LIKE '6382');
+---------------------+------------+--------------+--------------+-----+----
--+---------------------------------+
| timestamp           | ip_src     | layer4_sport | layer4_dport | sid | cid
| sig_name                        |
+---------------------+------------+--------------+--------------+-----+----
--+---------------------------------+
| 2002-07-29 05:42:58 | 2340570399 |         2440 |           80 |   1 |
6382 | WEB-IIS multiple decode attempt |
+---------------------+------------+--------------+--------------+-----+----
--+---------------------------------+
1 row in set (0.00 sec)

database snort:
mysql> SELECT timestamp, ip_src, layer4_sport, layer4_dport, sid, cid,
sig_name FROM acid_event WHERE (acid_event.cid LIKE '6382');
+---------------------+------------+--------------+--------------+-----+----
--+------------------------------------------+
| timestamp           | ip_src     | layer4_sport | layer4_dport | sid | cid
| sig_name                                 |
+---------------------+------------+--------------+--------------+-----+----
--+------------------------------------------+
| 2002-08-27 16:39:23 | 3265189952 |         3012 |           80 |   1 |
6382 | WEB-IIS view source via translate header |
+---------------------+------------+--------------+--------------+-----+----
--+------------------------------------------+
1 row in set (0.10 sec)

Aha!  The sid and cid are the same, but these are clearly two totally
different events, as evidenced by the other fields.  My suspicion is that
ACID uses the {sid,cid} combination as a unique identifier, and when it
tries to move this event from snort to snort_archive and sees the {sid,cid}
combination already there, it thinks it's a duplicate.  For some reason,
ACID is re-assigning this combination!  Either this needs to be prevented,
or ACID needs a new way of uniquely identifying events.  I could be totally
off-base here, but this is the best I can come up with.

I did some googling (of course) and found one or two other people with this
problem, but no resolutions.  If anyone can point me in the right direction
(or to a different forum), I would be GREATLY appreciative. 

The vitals:
===========
RHL 7.3
MySQL 3.23.49
ACID 0.9.6b21
Snort 1.8.7

Thanks in advance,
Mike Cloppert



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: