The last_cid field in the sensor table is needed to
avoid collisions between the running snort process and
pre-existing alerts in the database by providing a
starting point for snort. There is a "well-known" bug
in snort that keeps this from working properly. See:
Some projects, such as FLoP (and my patch included
within that bug) fix this deficiency and last_cid
BASE, however, messes this up by creating an Archive
database which snort doesn't know anything about. As a
result, even with a proper database client, alerts can
get put into the current alert database that cannot be
archived because of cid collision.
I made two quick patches to base functions to properly
maintain the last_cid in the database so the snort can
The first patch, which is to base_action.inc.php,
ensures that when an alert is moved into the Archive
database via the copy or move function that the
last_cid field is updated in Archive database.
The second patch, which is to base_cache.inc.php,
ensures that the last_cid for the database is set to
the greater of the current database MAX(cid) or the
archive database MAX(cid). This ensures that even if
you delete all the alerts from the current database
that you'll get the max value from the archive
database. This second patch also makes sure that the
archive database isn't the currently selected database
before attempting this update.
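To make the cid-collision mechanics concrete, here is an added, self-contained Python model of the two fixes described above. It is not the author's patch and not BASE or snort code: it uses an in-memory sqlite3 stand-in for the alert and Archive databases with a constructed, trimmed-down version of the snort schema (only sensor.last_cid and event(sid, cid) matter here), mimics snort choosing its next cid as last_cid + 1, and contrasts the pre-patch behaviour (as the post describes it: last_cid follows MAX(cid) of the current database alone) with the patched behaviour (greater of the current and archive MAX(cid), plus the archive's last_cid being bumped on copy/move). The identity check standing in for "is the Archive database currently selected" is a simplification.

```python
import sqlite3

# Constructed, simplified subset of the snort database schema (assumption):
# sensor.last_cid is the per-sensor high-water mark snort reads at startup,
# and (sid, cid) is the alert key whose reuse causes the archive collision.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, last_cid INTEGER NOT NULL DEFAULT 0);
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER, PRIMARY KEY (sid, cid));
"""


def open_db():
    """In-memory stand-in for either the alert database or the Archive database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def register_sensor(conn, sid, hostname):
    conn.execute("INSERT OR IGNORE INTO sensor (sid, hostname, last_cid) VALUES (?, ?, 0)",
                 (sid, hostname))
    conn.commit()


def snort_insert_alert(conn, sid, signature):
    """Mimic snort's database output: the next cid for a sensor is last_cid + 1."""
    (last_cid,) = conn.execute("SELECT last_cid FROM sensor WHERE sid = ?", (sid,)).fetchone()
    cid = last_cid + 1
    conn.execute("INSERT INTO event (sid, cid, signature) VALUES (?, ?, ?)", (sid, cid, signature))
    conn.execute("UPDATE sensor SET last_cid = ? WHERE sid = ?", (cid, sid))
    conn.commit()
    return cid


def archive_alert(current, archive, sid, cid, move=True):
    """Copy or move one alert into the Archive database, then raise the archive's
    last_cid to at least this cid (the behaviour the base_action.inc.php fix adds)."""
    row = current.execute("SELECT sid, cid, signature FROM event WHERE sid = ? AND cid = ?",
                          (sid, cid)).fetchone()
    if row is None:
        raise LookupError(f"no alert sid={sid} cid={cid} in the current database")
    (hostname,) = current.execute("SELECT hostname FROM sensor WHERE sid = ?", (sid,)).fetchone()
    register_sensor(archive, sid, hostname)
    try:
        archive.execute("INSERT INTO event (sid, cid, signature) VALUES (?, ?, ?)", row)
    except sqlite3.IntegrityError as exc:
        # Same (sid, cid) already archived: this is the collision the post describes.
        raise ValueError(f"cid collision: sid={sid} cid={cid} already archived") from exc
    archive.execute("UPDATE sensor SET last_cid = MAX(last_cid, ?) WHERE sid = ?", (cid, sid))
    archive.commit()
    if move:
        current.execute("DELETE FROM event WHERE sid = ? AND cid = ?", (sid, cid))
        current.commit()


def max_cid(conn, sid):
    (m,) = conn.execute("SELECT COALESCE(MAX(cid), 0) FROM event WHERE sid = ?", (sid,)).fetchone()
    return m


def reconcile_last_cid_naive(current, sid):
    """Pre-patch behaviour as described in the post: last_cid follows the
    current database's MAX(cid) only, so an emptied alert table resets it to 0."""
    new_last = max_cid(current, sid)
    current.execute("UPDATE sensor SET last_cid = ? WHERE sid = ?", (new_last, sid))
    current.commit()
    return new_last


def reconcile_last_cid(current, archive, sid):
    """Patched behaviour (the base_cache.inc.php fix): the greater of the current
    and archive MAX(cid), skipped when the archive itself is the selected database."""
    if current is archive:  # simplified stand-in for BASE's selected-database check
        raise ValueError("refusing to reconcile while the Archive database is selected")
    new_last = max(max_cid(current, sid), max_cid(archive, sid))
    current.execute("UPDATE sensor SET last_cid = ? WHERE sid = ?", (new_last, sid))
    current.commit()
    return new_last


def scenario(patched):
    """Three alerts are moved to the archive (emptying the alert table), the cache is
    rebuilt, snort writes a fourth alert, and we try to archive that one too."""
    current, archive = open_db(), open_db()
    register_sensor(current, 1, "sensor-a")
    for sig in (100, 101, 102):
        cid = snort_insert_alert(current, 1, sig)
        archive_alert(current, archive, 1, cid, move=True)
    if patched:
        reconcile_last_cid(current, archive, 1)
    else:
        reconcile_last_cid_naive(current, 1)
    next_cid = snort_insert_alert(current, 1, 103)
    try:
        archive_alert(current, archive, 1, next_cid, move=True)
        collision = False
    except ValueError:
        collision = True
    return {"next_cid": next_cid, "collision": collision}


if __name__ == "__main__":
    print("pre-patch:", scenario(patched=False))   # cid restarts at 1 and collides
    print("patched:  ", scenario(patched=True))    # cid continues at 4, archives cleanly
```

The pre-patch run reuses cid 1 after the alert table is emptied and the move into the archive fails on the duplicate key; the patched run carries the archive's high-water mark back into the current sensor row, so snort continues at cid 4 and the move succeeds.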
The patches to BASE 1.2.5 are attached. Please
consider them for inclusion in a future BASE release.