
| Subject: | Re: [Snort-users] restarting snort and archive move failed on base |
|---|---|
| Date: | Thu, 28 Apr 2005 00:41:16 +0200 |

hi snorters

for those who are interested in the solution, or if you should have this problem and don't want to delete all db-entries:

i did update ( adding a constant value ) all values of all tables with column-name "cid" in the alert-db to a value higher than max in the archive-db.

later i noticed there is a table "sensor" with column "last_cid". this value is only updated if snort terminates, i.e. with SIGTERM, but not if snort crashes or gets SIGKILL. maybe this is producing the situation.

best regards
hans

--

On Thu, Apr 21, 2005 at 12:34:26AM +0200, hans wrote:
> hi all
>
> using snort and base 1.1.2 (zora)
>
> i moved all alerts from the alert database to the archive database. after that, i restarted snort, as i had made some changes. snort did start writing alerts to the database again.
>
> now i try to move these new alerts to the archive db again. this fails with the following error:
>
>     Ignored x duplicate alert(s)
>     No alerts were selected or the Archive alert(s) (move) was not successful
>
> the reason is simple. the new alerts have the same id as some old ones stored in the archive db. snort did start counting beginning with 1 again.
>
> what can i do ? i could delete all entries in the archive. any other ideas ?
>
> i did restart snort more than one time. never had a problem. imho snort reads the "last" cid, but if the db is empty, it starts at 1.
>
> looking in the archive db too ( which archive - snort doesn't know it ) or giving an additional argument with the start number or calculating any other unique key could solve the problem. but all these would not solve my problem now.
>
> best regards
> hans
>
> --
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
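
The workaround described in the reply, as an added example that is not part of the original thread: every `cid` in the alert database is shifted by one constant so that it lands above the highest `cid` in the archive. It runs on a constructed SQLite miniature of the Snort/BASE schema; the table layout, the function names and the `last_cid` refresh are assumptions of this example.

```python
import sqlite3

def make_db(cids):
    """Constructed miniature of the alert/archive schema (assumed columns only)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sensor     (sid INTEGER PRIMARY KEY, last_cid INTEGER);
        CREATE TABLE event      (sid INTEGER, cid INTEGER, PRIMARY KEY (sid, cid));
        CREATE TABLE iphdr      (sid INTEGER, cid INTEGER, PRIMARY KEY (sid, cid));
        CREATE TABLE acid_event (sid INTEGER, cid INTEGER, PRIMARY KEY (sid, cid));
        INSERT INTO sensor VALUES (1, 0);
    """)
    for table in ("event", "iphdr", "acid_event"):
        db.executemany(f"INSERT INTO {table} (sid, cid) VALUES (1, ?)",
                       [(c,) for c in cids])
    db.commit()
    return db

def cid_tables(db):
    """Every table that has a column named exactly 'cid'."""
    names = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    return [t for t in names
            if any(col[1] == "cid" for col in db.execute(f'PRAGMA table_info("{t}")'))]

def max_cid(db):
    return db.execute("SELECT COALESCE(MAX(cid), 0) FROM event").fetchone()[0]

def shift_cids(alert_db, archive_db):
    """Add one constant to all alert cids so none collides with the archive."""
    arch_max, alert_max = max_cid(archive_db), max_cid(alert_db)
    alert_min = alert_db.execute("SELECT MIN(cid) FROM event").fetchone()[0]
    if alert_min is None or alert_min > arch_max:
        return 0                        # empty, or already above the archive
    # An offset >= both maxima also avoids key clashes while rows are updated.
    offset = max(arch_max, alert_max)
    with alert_db:                      # single transaction: all tables or none
        for table in cid_tables(alert_db):
            alert_db.execute(f'UPDATE "{table}" SET cid = cid + ?', (offset,))
        # Assumption of this example: keep sensor.last_cid in step as well.
        alert_db.execute("""UPDATE sensor SET last_cid = COALESCE(
            (SELECT MAX(cid) FROM event WHERE event.sid = sensor.sid), last_cid)""")
    return offset

if __name__ == "__main__":
    archive, alert = make_db(range(1, 8)), make_db([1, 2, 3])
    print("offset applied:", shift_cids(alert, archive))
```

On a production database, stop Snort and take a backup before running an update of this kind, since the sensor writes new `cid` values while it is running.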