Snort mailing list archives

RE: database : mysql_error Duplicate entry again !!!!!!!!!!!!


From: hchlai () netscape net (Hugo Chun Hin Lai)
Date: Fri, 21 Jan 2005 10:20:25 -0500

The following is the response from a snort user. I had a similar problem before and the mod gets rid of it.

Hugo



This, or something similar, has been discussed before.  I don't have the original author or date, but I modified my 
"acid_cache.inc" file. Hope this helps!

*** acid_cache.inc.orig
--- acid_cache.inc
***************
*** 228,233 ****
--- 228,238 ----

   $update_sql = array(4);

+    if ( $db->acidGetDBVersion() >= 100 )
+       $schema_specific[3] = " (sig_name LIKE 'spp_%') ";
+    else
+       $schema_specific[3] = " (signature LIKE 'spp_%') ";
+
   /* TCP events */
   $update_sql[0] =
     "INSERT INTO acid_event (sid,cid,signature,timestamp,
***************
*** 243,249 ****
     ".$schema_specific[2]."
     INNER JOIN iphdr ON (event.sid=iphdr.sid AND event.cid=iphdr.cid)
     LEFT JOIN tcphdr ON (event.sid=tcphdr.sid AND event.cid=tcphdr.cid)
!     WHERE (event.sid = $sid AND event.cid > $cid) AND ip_proto = 6";
   /* UDP events */

   $update_sql[1] =
--- 248,255 ----
     ".$schema_specific[2]."
     INNER JOIN iphdr ON (event.sid=iphdr.sid AND event.cid=iphdr.cid)
     LEFT JOIN tcphdr ON (event.sid=tcphdr.sid AND event.cid=tcphdr.cid)
!     WHERE (event.sid = $sid AND event.cid > $cid) AND ip_proto = 6
!     AND ( NOT ".$schema_specific[3].") ";
!
    /* UDP events */

   $update_sql[1] =
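Review bot: The new `AND ( NOT ".$schema_specific[3].")` clause on the TCP WHERE line carries no comment explaining why `spp_` events are excluded from this query. A short note above it, saying which query is expected to insert those rows instead (presumably `$update_sql[3]`, where the fragment was defined before), would make the intent clear. The changed region also ends with an empty line (the bare `!`), which can be dropped.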
***************
*** 278,287 ****
       WHERE (event.sid = $sid AND event.cid > $cid) and ip_proto = 1";

    /* IP events only */
-    if ( $db->acidGetDBVersion() >= 100 )
-       $schema_specific[3] = " (sig_name LIKE 'spp_%') ";
-    else
-       $schema_specific[3] = " (signature LIKE 'spp_%') ";

    $update_sql[3] =
      "INSERT INTO acid_event (sid,cid,signature,timestamp,
--- 285,290 ----
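Review bot: The ICMP query's WHERE line shown as context at the top of this hunk (`... and ip_proto = 1`) is left without the `NOT` filter that the TCP query received, and no hunk in the patch touches the UDP query. If `spp_` events with those protocols can also be inserted twice, they need the same clause; if not, say in a comment why only TCP is affected.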




-----Original Message-----
From:   snort-users-admin () lists sourceforge net on behalf of Hugo Chun Hin Lai
Sent:   Tue 01/11/2005 11:17 AM
To: snort-users () lists sourceforge net
Cc:
Subject:    [Snort-users] Database ERROR:Database ERROR:Duplicate entry
I am running Snort with output mode "log_unified" and Barnyard with output mode "log_dump". I run into a problem where
ACID would give me a Database ERROR:

Database ERROR:Database ERROR:Duplicate entry '3-14750' for key 1
Database ERROR:Database ERROR:Duplicate entry '3-14860' for key 1
Database ERROR:Database ERROR:Duplicate entry '5-32213' for key 1

It is interesting that when I hit the reload button a couple of times, ACID will no longer give me the error message.
However, when I come in the next morning, I would see the same error message but maybe with a different "Duplicate
entry" number. I have seen numerous posts claiming it's a problem with Barnyard where it doesn't update the gen-id
properly. Does anybody have a solution for this? Many thanks!

Hugo



killemall <killemallit () gmail com> wrote:

Hi people, I have a "little" problem with ICMPs: when I ping something
in my network, Snort tells me:

database: mysql_error: Duplicate entry '1-1855' for key 1
SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1',
'1855', '4', '2005-01-20 18:55:45.498+001')
database: mysql_error: Duplicate entry '1-1856' for key 1
SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1',
'1856', '1', '2005-01-20 18:55:46.504+001')
database: mysql_error: Duplicate entry '1-1857' for key 1
SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1',
'1857', '2', '2005-01-20 18:55:46.504+001')
database: mysql_error: Duplicate entry '1-1858' for key 1
SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1',
'1858', '3', '2005-01-20 18:55:46.504+001')
database: mysql_error: Duplicate entry '1-1859' for key 1
SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1',
'1859', '4', '2005-01-20 18:55:46.504+001')
database: mysql_error: Duplicate entry '1-1860' for key 1
SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1',
'1860', '1', '2005-01-20 18:55:47.408+001')
database: mysql_error: Duplicate entry '1-1861' for key 1
SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1',
'1861', '2', '2005-01-20 18:55:47.408+001')
database: mysql_error: Duplicate entry '1-1862' for key 1
SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1',
'1862', '3', '2005-01-20 18:55:47.408+001')
database: mysql_error: Duplicate entry '1-1863' for key 1
SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1',
'1863', '4', '2005-01-20 18:55:47.408+001')
database: mysql_error: Duplicate entry '1-1864' for key 1
SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1',
'1864', '1', '2005-01-20 18:55:48.411+001')
database: mysql_error: Duplicate entry '1-1865' for key 1
SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1',
'1865', '2', '2005-01-20 18:55:48.411+001')
database: mysql_error: Duplicate entry '1-1866' for key 1
SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1',
'1866', '3', '2005-01-20 18:55:48.411+001')
database: mysql_error: Duplicate entry '1-1867' for key 1
SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1',
'1867', '4', '2005-01-20 18:55:48.411+001')
database: mysql_error: Duplicate entry '1-1868' for key 1
SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1',
'1868', '1', '2005-01-20 18:55:49.411+001')
database: mysql_error: Duplicate entry '1-1869' for key 1
SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1',
'1869', '2', '2005-01-20 18:55:49.411+001')


But I don't understand; there is only one session of Snort working.

ps -aux | grep snort
responds with:

root     20691  5.8 43.2 55400 50744 ?       Ss   18:58   0:01 snort
-i eth1 -c /etc/snort/snort.conf -D


Can someone help me?


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

