Snort mailing list archives

Re: snort 2.0.1 corrupting tables?


From: Erek Adams <erek () snort org>
Date: Wed, 6 Aug 2003 12:07:47 -0400 (EDT)

On Wed, 6 Aug 2003, Bryan Irvine wrote:

I have a central database server (postgresql) and 2 snort detectors that
log to it from 2 networks.  They both are logging just fine except one of
them (the snort 2.0.1) returns tons and tons and tons of errors, and
usually repeats the same errors.  For example:

Aug  6 08:20:25 knox3 snort: database: warning (SELECT sig_id FROM
signature WHERE sig_name = 'WEB-ATTACKS mail command attempt' AND
sig_rev = 4 AND sig_sid = 1367 ) returned more than one result
Aug  6 08:20:25 knox3 snort: database: warning (SELECT sig_id FROM
signature WHERE sig_name = 'WEB-ATTACKS mail command attempt' AND
sig_rev = 4 AND sig_sid = 1367 ) returned more than one result


I get similar messages for T/TCP, young teen, and a couple of others.
Those alerts _never_ get inserted into the DB.  I initially thought it
was just too busy (it got 120,000 inserts overnight last night), but it
seems to insert other records just fine.  I'm wondering if the other
snort is doing something funky.  It also might be related that I have
the same startup script on both machines, the 2.0.0 box starts quietly
and I don't see any output when I run the script, the 2.0.1 box scrolls
the regular startup output when started.

Ok, I'm going to take a guess on this:  Your DB output line has a
'sensorname=<foo>' in it.  Since you copied your scripts over (I'm
guessing as I said...), did you copy the config files?

And as for the output, I'll bet that the 2.0.0 box is using '-D' and the
2.0.1 box isn't.

This is driving me insane!! People are looking at pr0n and I can't catch
'em!

Ahhh...  The truth comes out!  You want their logins to their sites!  ;-)

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

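A way to check which signature rows are stored more than once, as an added example that is not part of the original thread: it extracts the lookup key from the warnings quoted above and reruns the same lookup without assuming a single result. The in-memory SQLite table is an assumed stand-in for the PostgreSQL `signature` table, holding only the columns named in the warning, and its rows are constructed.

```python
import re
import sqlite3
from collections import Counter

# Warning lines as quoted in the post, including the line wrapping of the archive.
SAMPLE_LOG = """\
Aug  6 08:20:25 knox3 snort: database: warning (SELECT sig_id FROM
signature WHERE sig_name = 'WEB-ATTACKS mail command attempt' AND
sig_rev = 4 AND sig_sid = 1367 ) returned more than one result
Aug  6 08:20:25 knox3 snort: database: warning (SELECT sig_id FROM
signature WHERE sig_name = 'WEB-ATTACKS mail command attempt' AND
sig_rev = 4 AND sig_sid = 1367 ) returned more than one result
"""
WARNING_RE = re.compile(
    r"WHERE sig_name = '(?P<name>.*?)' AND sig_rev = (?P<rev>\d+) "
    r"AND sig_sid = (?P<sid>\d+) \) returned more than one result")

def affected_signatures(log_text):
    """Count warnings per (sig_name, sig_rev, sig_sid) key found in the log."""
    flat = " ".join(log_text.split())  # undo line wrapping before matching
    return Counter((m["name"], int(m["rev"]), int(m["sid"]))
                   for m in WARNING_RE.finditer(flat))

def duplicate_rows(conn, name, rev, sid):
    """Rerun the lookup from the warning and return every matching sig_id."""
    # '?' is the sqlite3 placeholder; a PostgreSQL driver uses its own style.
    cur = conn.execute(
        "SELECT sig_id FROM signature WHERE sig_name = ? AND sig_rev = ? "
        "AND sig_sid = ? ORDER BY sig_id", (name, rev, sid))
    return [row[0] for row in cur]

def all_duplicates(conn):
    """Every key stored more than once, whether or not it was logged yet."""
    return conn.execute(
        "SELECT sig_name, sig_rev, sig_sid, COUNT(*) FROM signature "
        "GROUP BY sig_name, sig_rev, sig_sid HAVING COUNT(*) > 1").fetchall()

def demo_db():
    """Constructed rows: one signature stored twice, one stored once."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, "
                 "sig_name TEXT, sig_rev INTEGER, sig_sid INTEGER)")
    conn.executemany(
        "INSERT INTO signature (sig_name, sig_rev, sig_sid) VALUES (?, ?, ?)",
        [("WEB-ATTACKS mail command attempt", 4, 1367),
         ("EXAMPLE constructed rule", 1, 9999),
         ("WEB-ATTACKS mail command attempt", 4, 1367)])
    return conn

if __name__ == "__main__":
    db = demo_db()
    for key, count in affected_signatures(SAMPLE_LOG).items():
        print(key, "warnings:", count, "sig_ids:", duplicate_rows(db, *key))
```

The `GROUP BY ... HAVING COUNT(*) > 1` query in `all_duplicates` can be run directly against the central database to list every affected signature at once.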
