I'm not a contributing coder to this project, but I've also experienced the
same problem. It appears that the problem is created when logging is heavy
and the function AcidDbGetNextCid() doesn't lock the cid. This creates a
race condition as two requests can come in with the same cid and attempt to
update the database. A solution may be to get the cid, insert it into the
table, then update the table with the other info that matches the cid
returned.
A couple of other observations:
1) Why does the AcidDbGetSidId() query on the sig_name? I've got a problem
where the sig_name doesn't match for a rule I've put in local.rules. Each
time the rule is logged, it is logged as "Snort Alert[2:10000001:0]"
identifying my sig id in the rule. Even after changing the sig_name in the
signature table, this keeps occurring which might mean that sid->msg is
pointing to the wrong thing. It would seem like the function could select
where sig_rev=%u and sig_sid=%u to get a match else insert the new sig_sid
as currently coded.
2) extremely big payloads - like 3000 null byte Large ICMP Packet (sid 499)
- don't include a closing ') on the data_payload field when inserting into
the data table.
HTH make barnyard better :)
bill
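To show the cid race described above, as an added example that is not part of this thread or of barnyard's code: a constructed sqlite3 table keyed by (sid, cid), an unlocked read-then-insert stand-in for AcidDbGetNextCid() that hands two interleaved requests the same cid, and the insert-the-cid-first-then-update approach carried out inside a locked transaction. The table, column and function names are assumptions, not the real ACID schema.

```python
import sqlite3
import threading

# Constructed schema, loosely modelled on an ACID-style event table keyed by (sid, cid).
SCHEMA = ("CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,"
          " PRIMARY KEY (sid, cid))")
_lock = threading.Lock()


def open_db():
    # Autocommit mode so BEGIN IMMEDIATE / COMMIT below are under our control.
    conn = sqlite3.connect(":memory:", check_same_thread=False, isolation_level=None)
    conn.execute(SCHEMA)
    return conn


def get_next_cid_unlocked(conn, sid):
    # Stand-in for an unlocked AcidDbGetNextCid(): reads MAX(cid) with nothing reserved,
    # so a second caller that reads before our INSERT lands gets the same value.
    return conn.execute("SELECT COALESCE(MAX(cid), 0) + 1 FROM event WHERE sid = ?",
                        (sid,)).fetchone()[0]


def racy_pair(conn, sid):
    """Two requests interleaved at the worst point: both read, then both insert."""
    cid_a = get_next_cid_unlocked(conn, sid)
    cid_b = get_next_cid_unlocked(conn, sid)
    conn.execute("INSERT INTO event VALUES (?, ?, ?)", (sid, cid_a, 1))
    try:
        conn.execute("INSERT INTO event VALUES (?, ?, ?)", (sid, cid_b, 2))
        return cid_a, cid_b, False
    except sqlite3.IntegrityError:
        return cid_a, cid_b, True  # duplicate key: the second request loses its event


def insert_event_locked(conn, sid, signature):
    """Reserve the cid by inserting it in one locked transaction, then fill in the rest."""
    with _lock:
        conn.execute("BEGIN IMMEDIATE")
        conn.execute("INSERT INTO event (sid, cid) SELECT ?, COALESCE(MAX(cid), 0) + 1 "
                     "FROM event WHERE sid = ?", (sid, sid))
        cid = conn.execute("SELECT MAX(cid) FROM event WHERE sid = ?", (sid,)).fetchone()[0]
        conn.execute("UPDATE event SET signature = ? WHERE sid = ? AND cid = ?",
                     (signature, sid, cid))
        conn.execute("COMMIT")
    return cid


def concurrent_inserts(conn, sid, n):
    """Run n inserts from n threads; returns the sorted list of cids handed out."""
    cids, threads = [], []
    for i in range(n):
        t = threading.Thread(target=lambda i=i: cids.append(insert_event_locked(conn, sid, i)))
        threads.append(t)
        t.start()
    for t in threads:
        t.join()
    return sorted(cids)
```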