
[Snort-users] MySQL and ACID Question (Duplicate Key Entries)

Subject: [Snort-users] MySQL and ACID Question (Duplicate Key Entries)
Date: Tue, 26 Oct 2004 11:09:57 -0400
Regarding my previous questions on rule #s and how they are made up, I have
discovered something and am wondering if someone else can confirm.  It seems
that the ACID MySQL Snort database does not store a Gen number for the rule
triggered (i.e. the number that comes before the rule, for example 1:512, where 1
is the Gen number).
 
Further investigation has also shown that there are multiple rules in the
database that have the same rule id but different gen ids.  However, because
the database does not use the gen id, it seems that these rules might be
overlapping.  My untested theory is that this is causing the duplicate key
error that some people are seeing.  I have scanned the archives and it seems
that it is some type of pre-processor in all cases, which happens to be the
rules that have the same sids.  Somehow, when ACID polls the Snort database
or the Snort database polls the ACID database (I am not too sure how this
exactly works), it may be causing the problem.
 
If someone else with some DB knowledge and unified logging knowledge can
comment, that would be great.  I use Mudpit and it seems the same problem
exists with Barnyard.
 
The following are results from my environment. 
 
 
Error messages that I have gotten and their alerts in the database.

Database ERROR:Database ERROR:Duplicate entry '2-5417647' for key 1
 
#97-(2-5417647)        [snort] spp_stream4: Stealth Activity Detected     
 
Database ERROR:Database ERROR:Duplicate entry '4-956139' for key 1
 
#16-(4-956139)        [snort] spp_stream4: Stealth Activity Detected    
 
Database ERROR:Database ERROR:Duplicate entry '10-466021' for key 1
 
#8-(10-466021)        [snort] spp_stream4: Stealth Activity Detected     
 
Database ERROR:Database ERROR:Duplicate entry '2-5417752' for key 1
 
#61-(2-5417752)        [snort] spp_stream4: Stealth Activity Detected     
 
Database ERROR:Database ERROR:Duplicate entry '4-956160' for key 1
 
#1-(4-956160)        [snort] spp_stream4: Stealth Activity Detected    
 
Database ERROR:Database ERROR:Duplicate entry '10-466030' for key 1
 
#1-(10-466030)        [snort] spp_stream4: Stealth Activity Detected  
 
 
Database entries for snort id of 1:
 
mysql> select * from signature where sig_sid=1;
+--------+----------------------------------------+--------------+--------------+---------+---------+
| sig_id | sig_name                               | sig_class_id | sig_priority | sig_rev | sig_sid |
+--------+----------------------------------------+--------------+--------------+---------+---------+
|     85 | spp_stream4: Stealth Activity Detected |            0 |            5 |       0 |       1 |
|    137 | spp_portscan2: Portscan detected!      |            0 |            0 |       0 |       1 |
|    151 | spp_conversation: Bad IP protocol!     |            0 |            5 |       0 |       1 |
|    509 | spp_bo: Back Orifice Traffic Detected  |            0 |            0 |       0 |       1 |
+--------+----------------------------------------+--------------+--------------+---------+---------+
4 rows in set (0.00 sec)

 
 
 

Shawn Truax
Sr. Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107
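To make the ambiguity in the post concrete, here is an added example (not part of the post, and not Snort, ACID or Barnyard code) that loads the four signature rows shown above into an in-memory SQLite table and compares a lookup keyed on sid alone with one keyed on an assumed extra `sig_gid` column. The generator ids assigned to the four preprocessors are illustrative and are not in the post.

```python
import sqlite3

# Rows constructed from the "select * from signature where sig_sid=1" output in the post.
SIGNATURE_ROWS = [
    (85,  "spp_stream4: Stealth Activity Detected", 0, 5, 0, 1),
    (137, "spp_portscan2: Portscan detected!",      0, 0, 0, 1),
    (151, "spp_conversation: Bad IP protocol!",     0, 5, 0, 1),
    (509, "spp_bo: Back Orifice Traffic Detected",  0, 0, 0, 1),
]

# Illustrative generator ids for those preprocessors (assumed; the schema in the post stores none).
GEN_IDS = {85: 111, 137: 117, 151: 120, 509: 105}


def build_db():
    """In-memory copy of the signature table, extended with a hypothetical sig_gid column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, "
        "sig_class_id INTEGER, sig_priority INTEGER, sig_rev INTEGER, sig_sid INTEGER, "
        "sig_gid INTEGER)"
    )
    for row in SIGNATURE_ROWS:
        conn.execute("INSERT INTO signature VALUES (?,?,?,?,?,?,?)", row + (GEN_IDS[row[0]],))
    return conn


def lookup_by_sid(conn, sid):
    """What a consumer keyed on sid alone sees: every row that shares that sid."""
    cur = conn.execute("SELECT sig_id, sig_name FROM signature WHERE sig_sid=?", (sid,))
    return cur.fetchall()


def lookup_by_gid_sid(conn, gid, sid):
    """With the generator id in the key the lookup resolves to exactly one row, or None."""
    cur = conn.execute("SELECT sig_id FROM signature WHERE sig_gid=? AND sig_sid=?", (gid, sid))
    rows = cur.fetchall()
    return rows[0][0] if len(rows) == 1 else None


def ambiguous_sids(conn):
    """(sid, count) for every sid shared by more than one signature row: collision candidates."""
    cur = conn.execute(
        "SELECT sig_sid, COUNT(*) FROM signature GROUP BY sig_sid HAVING COUNT(*) > 1"
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = build_db()
    print(lookup_by_sid(db, 1))           # four different preprocessor messages for sid 1
    print(lookup_by_gid_sid(db, 111, 1))  # 85
    print(ambiguous_sids(db))             # [(1, 4)]
```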

 