Snort mailing list archives
Duplicate entries
From: "John Creegan" <jcreegan () questarweb com>
Date: Fri, 30 Jan 2004 13:44:41 -0600
I'm still running snort 2.0.4, and I'm getting a lot of the same messages too. When I first built snort it wanted the sensor ID of 1, which I ran with for about the 1st 100,000 alerts. Through various changes to environment, etc., I ended up with the sensor ID of 2, then 3, which I ran up to about 350,000 alerts. When I decided the system was production ready, I stopped snort, then archived all the alerts (moved to a second system using the ACID archive feature). When the alert database was empty, I switched back to sensor ID 1 and restarted snort.

Ever since then I've been getting random duplicate warnings, on just a small portion of the alert IDs. This confused me at first because there should have been no alerts in the alert DB (though I did not check how thorough the ACID archive-move function is), but I was willing to live with the percentage of duplicate alert warnings I was getting. Now, however, I am well beyond the alert numbers I used on either the original sensor ID of 1, or 2, or even 3 ... and they're still showing up.

I don't have a solution either, but early next week I'm gonna start digging through every alert DB table to see what might be causing this.

It was during the archive-move event I would have expected to see this condition, with the result of ACID refusing to move some alerts. Nope. Nada. Oddly enough, I never saw a one.