Snort mailing list archives
Snort duplicate signatures in table
From: "Vladimir" <pvm () napravlenie ru>
Date: Wed, 19 Apr 2006 13:13:24 +0400
Hello everyone!

I have the following snort installation:

  Mandrake 10.2
  snort-2.4.4 with postgresql-8 and debug support
  libpcap-0.9.4

My firewall has 3 interfaces:

  1) External (for example 52.1.1.X)
  2) DMZ (52.1.2.64/26)
  3) Internal (52.1.2.0/26)

Snort is listening only on the External and DMZ interfaces. Snort must protect the DMZ and Internal networks. I have the following snort.conf:

  var HOME_NET 52.1.2.0/25
  var EXTERNAL_NET !$HOME_NET
  var DNS_SERVERS $HOME_NET
  var SMTP_SERVERS $HOME_NET
  var HTTP_SERVERS $HOME_NET
  var SQL_SERVERS $HOME_NET
  var SSH_PORTS 22
  var HTTP_PORTS 80
  var SHELLCODE_PORTS !80

When some signature is detected in a packet going from the External to the DMZ interface, the alert is duplicated in the logs:

  Apr 18 19:10:25 gw1 snort[29246]: [1:1250:13] WEB-MISC Cisco IOS HTTP configuration attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 24.15.192.185:2928 -> 52.1.2.80:80
  Apr 18 19:10:25 gw1 snort[29259]: [1:1250:13] WEB-MISC Cisco IOS HTTP configuration attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 24.15.192.185:2928 -> 52.1.2.80:80
  Apr 18 19:10:58 gw1 snort[29246]: database: warning (SELECT sig_id FROM signature WHERE sig_name = 'WEB-MISC Cisco IOS HTTP configuration attempt' AND sig_rev = 13 AND sig_sid = 1250 ) returned more than one result
  Apr 18 19:10:58 gw1 snort[29259]: database: warning (SELECT sig_id FROM signature WHERE sig_name = 'WEB-MISC Cisco IOS HTTP configuration attempt' AND sig_rev = 13 AND sig_sid = 1250 ) returned more than one result

This means that the packet goes over 2 interfaces and on each one snort detects suspicious traffic. Then snort executes 2 concurrent SELECT queries (1 by each snort process) to see whether the signature exists in the signature database. And then snort tries to insert the signature. I know that the signature table does not have duplicated signatures but I don't know how to solve this problem.
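The check-then-insert race described in the post, reproduced deterministically and then closed with a unique constraint. This is an added example, not code from the post or from Snort's database output plugin; the table is a constructed stand-in that models only the columns named in the warning, and the index name `sig_uniq` is an assumption.

```python
import sqlite3

# Constructed stand-in for Snort's signature table: only the columns that
# appear in the post's warning are modelled (assumption, not Snort's real DDL).
SCHEMA = """
CREATE TABLE signature (
    sig_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name TEXT    NOT NULL,
    sig_rev  INTEGER NOT NULL,
    sig_sid  INTEGER NOT NULL
);
"""
# The fix: make (sig_name, sig_rev, sig_sid) unique so a second insert fails
# instead of silently producing the "returned more than one result" state.
UNIQUE_INDEX = "CREATE UNIQUE INDEX sig_uniq ON signature (sig_name, sig_rev, sig_sid);"

# The signature from the post's log lines.
SIG = ("WEB-MISC Cisco IOS HTTP configuration attempt", 13, 1250)

def lookup(conn, sig):
    """SELECT phase: the check each snort process runs before inserting."""
    rows = conn.execute(
        "SELECT sig_id FROM signature WHERE sig_name = ? AND sig_rev = ? AND sig_sid = ?",
        sig).fetchall()
    return [r[0] for r in rows]

def insert_naive(conn, sig):
    """INSERT phase with no guard: trusts a SELECT that may already be stale."""
    conn.execute("INSERT INTO signature (sig_name, sig_rev, sig_sid) VALUES (?, ?, ?)", sig)
    conn.commit()

def insert_safe(conn, sig):
    """INSERT phase guarded by the unique index: the loser of the race is rejected."""
    try:
        conn.execute("INSERT INTO signature (sig_name, sig_rev, sig_sid) VALUES (?, ?, ?)", sig)
        conn.commit()
    except sqlite3.IntegrityError:
        conn.rollback()  # the other sensor already inserted it; reuse that row

def race(conn, insert):
    """Interleave two sensors as in the post: both SELECT first, then both INSERT."""
    seen = [lookup(conn, SIG), lookup(conn, SIG)]  # both observe an empty table
    for found in seen:
        if not found:
            insert(conn, SIG)
    return len(lookup(conn, SIG))  # rows for this signature after the race

def demo(add_unique_index):
    """Returns the row count after the race: 2 without the index, 1 with it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    if add_unique_index:
        conn.execute(UNIQUE_INDEX)
    return race(conn, insert_safe if add_unique_index else insert_naive)
```

The same interleaving that yields two rows with the bare table yields one row once the unique index is in place, so the warning in the post can no longer occur regardless of how many sensors write to the database.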