RE: snort: database: mysql_error: Duplicate entry

["John Creegan" <jcreegan () questarweb com>]

I did this, and checked the result of the query.  The query worked
fine.

However, I still have the same problem.  When I look at the last_cid
value in the sensor table I see that it is not updating at each new
alert.

The last sid-cid pair used in the events table is 1-406037.
The sid-last_cid value in the sensor table is 1-405780.

It looks like I'm trying to understand why the last_cid value is not
updating properly, and I'm not sure yet that "properly" means "at every
new alert added to the event table."

> > > "Hutchinson, Andrew" <andrew.hutchinson () Vanderbilt Edu> 01/30/04
03:22PM >>>
Try doing this:

1.> Stop snort, so that the cid stops incrementing.

2.> Run this query:

SELECT * FROM event ORDER BY cid DESC LIMIT 10;

3.> Take the top entry, and that's the largest cid issued.

4.> Run this update:

UPDATE sensor SET last_cid='<whatever the value was from #3>' WHERE
sid='<whatever your sensor id is>';

5.> Restart snort


Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856


> -----Original Message-----
> From: Warner Joseph [mailto:Joseph.Warner () siemens com] 
> Sent: Friday, January 30, 2004 9:43 AM
> To: 'chris.northrop () po state ct us'; 'Adam Kaufman'
> Cc: snort-users () lists sourceforge net 
> Subject: RE: [Snort-users] snort: database: mysql_error: 
> Duplicate entry
>
>
>
> Hi,
>
> Since upgrading to snort-2.1.0 I have been getting the same 
> error.
>
> > Either you copied over a config
> > file and did not change your node name 
>
> What do you mean by this?  Are you referring to
> entries in the "database:" section of snort.conf?  If so,
> I've verified that the hostname I'm specifying is correct.
>
> Also, ps -aux | grep snort shows only one instance of snort
> running on my server.
>
>
>
>
> -----Original Message-----
> From: Chris N [mailto:chris.northrop () po state ct us] 
> Sent: Monday, January 26, 2004 4:13 PM
> To: 'Adam Kaufman'
> Cc: snort-users () lists sourceforge net 
> Subject: RE: [Snort-users] snort: database: mysql_error: 
> Duplicate entry
>
>
> You have two instances of Snort running.  Either you copied 
> over a config
> file and did not change your node name or you are running 
> snort twice on one
> machine..
>
> Pull out your trusty "ps -ax|grep snort" and kill off the one 
> you don't
> need..
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net 
> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Adam
> Kaufman
> Sent: Tuesday, January 20, 2004 12:28 PM
> To: Snort-users () lists sourceforge net 
> Subject: [Snort-users] snort: database: mysql_error: Duplicate entry
>
>
> I just updated the rules on one of my sensors and now I am getting
the
> following errors in syslog:
>
> Jan 20 20:25:14 sensor snort: database: mysql_error: Duplicate entry
> '1-1491262' for key 1
> Jan 20 20:25:14 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491262', '14', 
> '2004-01-20
> 20:25:14+00')
> Jan 20 20:25:14 sensor snort: database: mysql_error: Duplicate entry
> '1-1491263' for key 1
> Jan 20 20:25:14 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491263', '14', 
> '2004-01-20
> 20:25:14+00')
> Jan 20 20:25:15 sensor snort: database: mysql_error: Duplicate entry
> '1-1491264' for key 1
> Jan 20 20:25:15 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491264', '496',
> '2004-01-20 20:25:15+00')
> Jan 20 20:25:15 sensor snort: database: mysql_error: Duplicate entry
> '1-1491265' for key 1
> Jan 20 20:25:15 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491265', '491',
> '2004-01-20 20:25:15+00')
> Jan 20 20:25:15 sensor snort: database: mysql_error: Duplicate entry
> '1-1491266' for key 1
> Jan 20 20:25:15 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491266', '491',
> '2004-01-20 20:25:15+00')
> Jan 20 20:25:17 sensor snort: database: mysql_error: Duplicate entry
> '1-1491267' for key 1
> Jan 20 20:25:17 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491267', '17', 
> '2004-01-20
> 20:25:17+00')
> Jan 20 20:25:17 sensor snort: database: mysql_error: Duplicate entry
> '1-1491268' for key 1
> Jan 20 20:25:17 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491268', '13', 
> '2004-01-20
> 20:25:17+00')
> Jan 20 20:25:18 sensor snort: database: mysql_error: Duplicate entry
> '1-1491269' for key 1
> Jan 20 20:25:18 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491269', '7',
'2004-01-20
> 20:25:17+00')
> Jan 20 20:25:19 sensor snort: database: mysql_error: Duplicate entry
> '1-1491270' for key 1
> Jan 20 20:25:19 sensor SQL=INSERT INTO event
> (sid,cid,signature,timestamp) VALUES ('1', '1491270', '14', 
> '2004-01-20
> 20:25:19+00')
>
> I've seen some other problems similar to this on the mailing list,
but
> no  solution.  Can someone please help me fix this.
>
> Thanks,
>
> -Adam
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes
> http://hotjobs.sweepstakes.yahoo.com/signingbonus 
>
>
> -------------------------------------------------------
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> http://www.eclipsecon.org/osdn 
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net 
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users 
>
>
>
> -------------------------------------------------------
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> http://www.eclipsecon.org/osdn 
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net 
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users 
>
> --------------------------------------------------------------
> -----------------
> This message and any included attachments are from Siemens 
> Medical Solutions 
> USA, Inc. and are intended only for the addressee(s).  
> The information contained herein may include trade secrets or 
> privileged or 
> otherwise confidential information.  Unauthorized review, 
> forwarding, printing, 
> copying, distributing, or using such information is strictly 
> prohibited and may 
> be unlawful.  If you received this message in error, or have 
> reason to believe 
> you are not authorized to receive it, please promptly delete 
> this message and 
> notify the sender by e-mail with a copy to 
> Central.SecurityOffice () shs siemens com 
>
> Thank you
>
>
> -------------------------------------------------------
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> http://www.eclipsecon.org/osdn 
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net 
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users 


-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


This message (including any attachments) contains confidential 
information intended for a specific individual and purpose, 
and is protected by law.  If you are not the intended recipient,
you should delete this message and are hereby notified that any 
disclosure,copying, or distribution of this message, or the taking 
of any action based on it, is strictly prohibited.



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users