Snort mailing list archives
Re: ACID and duplicate alert
From: "Roman Danyliw" <roman () danyliw com>
Date: Thu, 5 Sep 2002 20:14:22 -0400 (EDT)
This error might be caused by the CID re-use problem. The situation is something as follows:

1. Events are uniquely identified in the database by a (sid, cid) pair. Let's assume snort logs an event with a given (sid, cid).
2. This event is now browsed by ACID, and moved to the archive database (and purged from the active database).
3. Snort will now reuse the previous cid (since it is no longer being used), and log an event associated with it to the database.
4. When you attempt to move this new event with the reused cid to the archive database, ACID will first check whether the event is already there. Sure enough, the original event assigned the cid will be there. Hence, it will look like a duplicate event.

This behavior can be manually confirmed by logging into the live and archive database and verifying that there are different events with the same (sid, cid) pair.

Snort v1.9 has been changed to prevent the reuse of CIDs. This should eliminate this duplicate problem.

Roman

On Thu, 5 Sep 2002 14:48:27 -0500, Todd Holloway <todd () duckland org> wrote:
I get this error only occasionally when I try to "move/copy" an alert(s) to the archive.

______________________________________________________________
Ignored 1 duplicate alert(s)
No alerts were selected or the ARCHIVE-move was not successful
Added 0 alert(s) to the Alert cache
______________________________________________________________

And in checking the archive, I don't see any such duplicate, and of course the alert is not "moved/copied" over.

Data:
Database: snort@localhost (schema version: 105)
ACID v0.9.6b21
snort-1.8.6
2.4.18-6mdkenterprise #1 SMP

thanks
todd

--
[It] contains "vegetable stabilizer" which sounds ominous. How unstable are vegetables?
Jeff Zahn
------------------------------------------------------- This sf.net email is sponsored by: OSDN - Tired of that same old cell phone? Get a new here for FREE! https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
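The CID re-use sequence Roman describes, and the manual check he suggests (same (sid, cid) present in both databases but holding different events), reproduced as an added example that is not part of this thread or of the Snort/ACID code. It uses an in-memory SQLite table with only the sid, cid, signature and timestamp columns of the Snort event table (a constructed subset), models the archive move as ACID's "is it already in the archive?" test, and contrasts a cid allocator that derives the next value from the live table (which hands a purged cid out again) with a monotonic counter that never reuses one. The monotonic counter is an assumption about how non-reuse can be achieved, not a description of what Snort 1.9 actually does.

```python
import sqlite3

# Constructed subset of the Snort 'event' table: enough to show the
# (sid, cid) identity and the archive duplicate check. Not the full schema.
SCHEMA = """
CREATE TABLE event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL,
    timestamp TEXT    NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def next_cid_reusing(live, sid):
    """Allocation that looks only at what is currently in the live table
    (the behaviour the post describes): once the previous event has been
    purged by an archive move, the same cid is handed out again."""
    (max_cid,) = live.execute(
        "SELECT COALESCE(MAX(cid), 0) FROM event WHERE sid = ?", (sid,)
    ).fetchone()
    return max_cid + 1


class CidCounter:
    """Assumed fix: keep a per-sensor high-water mark outside the live table,
    so a cid is never reissued no matter what has been purged."""

    def __init__(self):
        self.high = {}

    def next_cid(self, sid):
        self.high[sid] = self.high.get(sid, 0) + 1
        return self.high[sid]


def log_event(live, sid, cid, signature, ts):
    live.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, signature, ts))


def archive_move(live, archive, sid, cid):
    """ACID-style move: refuse if (sid, cid) is already in the archive,
    otherwise copy the row over and purge it from the live database."""
    if archive.execute(
        "SELECT 1 FROM event WHERE sid = ? AND cid = ?", (sid, cid)
    ).fetchone():
        return "duplicate"
    row = live.execute(
        "SELECT sid, cid, signature, timestamp FROM event WHERE sid = ? AND cid = ?",
        (sid, cid),
    ).fetchone()
    archive.execute("INSERT INTO event VALUES (?, ?, ?, ?)", row)
    live.execute("DELETE FROM event WHERE sid = ? AND cid = ?", (sid, cid))
    return "moved"


def find_collisions(live, archive):
    """The manual check from the post: (sid, cid) pairs present in both
    databases whose event content differs, i.e. genuinely distinct events
    sharing one identifier."""
    archived = {
        (s, c): (sig, ts)
        for s, c, sig, ts in archive.execute(
            "SELECT sid, cid, signature, timestamp FROM event"
        )
    }
    return [
        (s, c)
        for s, c, sig, ts in live.execute(
            "SELECT sid, cid, signature, timestamp FROM event"
        )
        if (s, c) in archived and archived[(s, c)] != (sig, ts)
    ]


def run_scenario(allocate):
    """Steps 1-4 of the post with a given cid allocator. Returns the two cids
    handed out, the outcome of each archive move, and any collisions found."""
    live, archive = open_db(), open_db()
    sid = 1
    cid1 = allocate(live, sid)
    log_event(live, sid, cid1, 1000, "2002-09-05 14:00:00")  # constructed event
    outcomes = [archive_move(live, archive, sid, cid1)]       # browsed, archived, purged
    cid2 = allocate(live, sid)                                # snort logs the next event
    log_event(live, sid, cid2, 2000, "2002-09-05 14:05:00")  # constructed event
    outcomes.append(archive_move(live, archive, sid, cid2))   # second move attempt
    return cid1, cid2, outcomes, find_collisions(live, archive)


if __name__ == "__main__":
    print("reusing allocator :", run_scenario(next_cid_reusing))
    counter = CidCounter()
    print("monotonic counter :", run_scenario(lambda live, sid: counter.next_cid(sid)))
```

With the reusing allocator the second event gets cid 1 again, the second move is reported as a duplicate exactly as in the ACID message above, and the collision check lists (1, 1) as an identifier shared by two different events. With the monotonic counter the second event gets cid 2, both moves succeed, and the collision list is empty.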
Current thread:
- ACID and duplicate alert Todd Holloway (Sep 05)
- <Possible follow-ups>
- RE: ACID and duplicate alert Slighter, Tim (Sep 05)
- Re: ACID and duplicate alert Roman Danyliw (Sep 05)
- Re: ACID and duplicate alert Todd Holloway (Sep 05)