Hi Vladimir,
Are this two results identical in all fields except sig_id?
Yes.
Maybe they
have different priorities or classifications?
No. They identical.
hmm, this is strange and should never ever have happened. (Although it
is not forbidden and except of the warnings it should work without
major problems.)
Are you using the database output plugin?
Normally first a check is done if the signature already exist. If so
then the sig_id is used for further processing. If not, then the rule
is inserted.
The only theoretically problem that may cause this kind of errors is
if there are two instances of snort alerting at the same time. So both
will recognize that the signature is not in the database and both will
start to insert it. But then there have to be two instances which are
seeing the same alerts at the same time. I think this is not very likely.
Are you using two snort processes with one database?
Ah, probably you have:
Snort listening only on External and DMZ interfaces. Snort must protect
DMZ and Internal networks.
Then you should be able to verify that one of the signature is only
related to one snort process. (Ok, after a restart this will mix and
all will use the first sig_id, but the second sig_id should only be
associated with one snort process...)
Best regards
Dirk
-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
