Snort mailing list archives
RE: duplicate entry in DB (not the ACID problem)
From: hchlai () netscape net (Hin)
Date: Tue, 29 Mar 2005 16:20:48 -0500
For curiosity... are there any benefits to forward the packets back out onto the same ethernet segment? or is it a misconfiguration? Also, I suppose a reflection of packets would result in a different timestamp, wouldn't it? Hin "Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:
Are they for the same sensor ID? If so, possibly something is reflecting these packets back out on your monitored Ethernet segment again. One way this could happen is from a router/routing switch which gets these packets forwarded in from some other device and then the router forwards those packets back out onto the same Ethernet segment. Bruce -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Hin Sent: Tuesday, March 29, 2005 1:17 PM To: snort-users () lists sourceforge net Subject: [Snort-users] duplicate entry in DB (not the ACID problem) This is really devastating. I have received multiple identicle entries of the same event in the DB. These identicle entries has the same pay load, same src/dest ip, exact same time etc. The only difference is the event ID. This is not the duplicate key entry error in ACID. I have about 90% of my alerts receiving multiple entries, and I can't find any common grounds among alerts receiving multiple entries vs unique entry. I have also make sure only 1 instance of Snort is running on my sensor. Any suggestion would be appreciated. Hin __________________________________________________________________ Switch to Netscape Internet Service. As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register Netscape. Just the Net You Need. New! Netscape Toolbar for Internet Explorer Search from anywhere on the Web and block those annoying pop-ups. Download now at http://channels.netscape.com/ns/search/install.jsp ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_ide95&alloc_id396&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
__________________________________________________________________ Switch to Netscape Internet Service. As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register Netscape. Just the Net You Need. New! Netscape Toolbar for Internet Explorer Search from anywhere on the Web and block those annoying pop-ups. Download now at http://channels.netscape.com/ns/search/install.jsp ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- duplicate entry in DB (not the ACID problem) Hin (Mar 29)
- <Possible follow-ups>
- RE: duplicate entry in DB (not the ACID problem) Briggs, Bruce (Mar 29)
- RE: duplicate entry in DB (not the ACID problem) Hin (Mar 29)
- RE: duplicate entry in DB (not the ACID problem) Briggs, Bruce (Mar 29)