
| Subject: | [Snort-users] the dreaded "duplicate alerts" with BASE archiving |
|---|---|
| Date: | Fri, 12 May 2006 13:43:59 -0400 |

I know this has been beaten to death in various arenas in the past, but I have yet to see an official solution.

The problem is that, when using BASE (and ACID, too), if you archive alerts you will eventually get errors that say "Ignored XX duplicate alerts". Sometimes, the archive will be successful. Other times, a portion of the archive will succeed and the rest will fail. Other times, the entire archive will fail.

There have been many potential solutions in the past:

1) Don't archive
2) Use barnyard (doesn't actually solve the problem)
3) Use FLoP
4) Write some script or SQL to massage the database(s) back into shape
5) Modifications to the database output plug-in

So far, the only concrete solution, it seems, is to use FLoP. I have not tried this yet as I have yet to see someone respond in the archives saying "yes, FLoP is the greatest thing since sliced bread and solves my problems".

From my reading of things, this isn't actually a BASE problem. Is that actually the case? Does anyone have any solutions?

Thanks in advance,

-jon