After some testing, I decided to put Ari's snort/acid contrib on our main server and I am happy with the information that is provided (and I am still learning to better analyse the information and to understand its usage).
Although it seems to be running and updating/counting new alerts, there are many messages in the system log like:

May 8 02:42:14 tga1 snort-mysql: database: mysql_error: Duplicate entry '1-705' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '705', '1', '2002-05-08 02:42:13+12')
May 8 02:42:14 tga1 snort-mysql: database: mysql_error: Duplicate entry '1-705' for key 1 SQL=INSERT INTO tcphdr (sid, cid, tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp) VALUES ('1','705','3356','80','2799049815','3843409774','5','0','24','17520','32423','0')
May 8 02:42:14 tga1 snort-mysql: database: mysql_error: Duplicate entry '1-705' for key 1 SQL=INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver,ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES ('1','705','3530685798','3232236026','4','5','0','112','57427','0','0','112','6','38841')
May 8 02:42:14 tga1 snort-mysql: database: mysql_error: Duplicate entry '1-705' for key 1 SQL=INSERT INTO data (sid,cid,data_payload) VALUES ('1','705','474554202F736372697074732F726F6F742E6578653F2F632B64697220485454502F312E300D0A486F73743A207777770D0A436F6E6E6E656374696F6E3A20636C6F73650D0A0D0A')
May 8 02:42:15 tga1 snort-mysql: database: mysql_error: Duplicate entry '1-706' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '706', '2', '2002-05-08 02:42:15+12')
May 8 02:42:15 tga1 snort-mysql: database: mysql_error: Duplicate entry '1-706' for key 1 SQL=INSERT INTO tcphdr (sid, cid, tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp) VALUES ('1','706','3487','80','2805549709','3832388044','5','0','24','17520','18079','0')
May 8 02:42:15 tga1 snort-mysql: database: mysql_error: Duplicate entry '1-706' for key 1 SQL=INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver,ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES ('1','706','3530685798','3232236026','4','5','0','120','57733','0','0','112','6','38527')

Has anyone else seen those in their logs?

Regards,
Michael Doerner

--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
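The log lines quoted in the message above carry more than the duplicate-key error itself: each failed INSERT reproduces the full row snort tried to write, so the event can be read straight out of syslog. The script below is an added example by the editor, not code from the post, from the e-smith contrib, or from snort/ACID. It parses the seven lines exactly as they appear above (re-joined where the mail client wrapped the hex payload), groups them by the duplicated `sid-cid` key, converts the `ip_src`/`ip_dst` columns (the ACID schema stores addresses as unsigned 32-bit integers, which is why they show as decimal numbers) back to dotted quads, and decodes the hex `data_payload`. The regular expression and the field names used in the result dictionaries are the editor's own choices.

```python
import re
from collections import OrderedDict
from typing import Dict, Optional

# Log lines copied from the post above; the hex payload that the mail
# client wrapped across lines has been re-joined into one literal.
SAMPLE_LOG = """\
May 8 02:42:14 tga1 snort-mysql: database: mysql_error: Duplicate entry '1-705' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '705', '1', '2002-05-08 02:42:13+12')
May 8 02:42:14 tga1 snort-mysql: database: mysql_error: Duplicate entry '1-705' for key 1 SQL=INSERT INTO tcphdr (sid, cid, tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp) VALUES ('1','705','3356','80','2799049815','3843409774','5','0','24','17520','32423','0')
May 8 02:42:14 tga1 snort-mysql: database: mysql_error: Duplicate entry '1-705' for key 1 SQL=INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver,ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES ('1','705','3530685798','3232236026','4','5','0','112','57427','0','0','112','6','38841')
May 8 02:42:14 tga1 snort-mysql: database: mysql_error: Duplicate entry '1-705' for key 1 SQL=INSERT INTO data (sid,cid,data_payload) VALUES ('1','705','474554202F736372697074732F726F6F742E6578653F2F632B64697220485454502F312E300D0A486F73743A207777770D0A436F6E6E6E656374696F6E3A20636C6F73650D0A0D0A')
May 8 02:42:15 tga1 snort-mysql: database: mysql_error: Duplicate entry '1-706' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '706', '2', '2002-05-08 02:42:15+12')
May 8 02:42:15 tga1 snort-mysql: database: mysql_error: Duplicate entry '1-706' for key 1 SQL=INSERT INTO tcphdr (sid, cid, tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp) VALUES ('1','706','3487','80','2805549709','3832388044','5','0','24','17520','18079','0')
May 8 02:42:15 tga1 snort-mysql: database: mysql_error: Duplicate entry '1-706' for key 1 SQL=INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver,ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES ('1','706','3530685798','3232236026','4','5','0','120','57733','0','0','112','6','38527')
"""

# Editor's regex for the snort-mysql "Duplicate entry" line shape seen above.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) snort-mysql: "
    r"database: mysql_error: Duplicate entry '(?P<key>[^']*)' for key (?P<keyno>\d+) "
    r"SQL=INSERT INTO (?P<table>\w+) \((?P<cols>[^)]*)\) VALUES \((?P<vals>.*)\)\s*$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Return the timestamp, host, duplicated key, table and the row snort
    tried to insert (column -> value), or None for an unrelated line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    cols = [c.strip() for c in m.group("cols").split(",")]
    vals = [v.strip() for v in re.findall(r"'([^']*)'", m.group("vals"))]
    if len(cols) != len(vals):
        raise ValueError("column/value count mismatch in: " + line)
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "key": m.group("key"),
        "table": m.group("table"),
        "row": dict(zip(cols, vals)),
    }


def int_to_ip(n: int) -> str:
    """ACID stores ip_src/ip_dst as unsigned 32-bit integers; rebuild the dotted quad."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def decode_payload(hexstr: str) -> bytes:
    """data_payload is the raw packet payload as a hex string (tolerates wrap spaces)."""
    return bytes.fromhex("".join(hexstr.split()))


def summarize(log_text: str) -> "OrderedDict[str, Dict]":
    """Group the failed INSERTs by sid-cid key and pull out what a person
    would want to know about each event: which tables collided, endpoints,
    protocol, signature id and the decoded payload."""
    events: "OrderedDict[str, Dict]" = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["key"], {"tables": []})
        ev["tables"].append(rec["table"])
        row = rec["row"]
        if rec["table"] == "event":
            ev["signature"] = int(row["signature"])
            ev["timestamp"] = row["timestamp"]
        elif rec["table"] == "iphdr":
            ev["src"] = int_to_ip(int(row["ip_src"]))
            ev["dst"] = int_to_ip(int(row["ip_dst"]))
            ev["proto"] = int(row["ip_proto"])
        elif rec["table"] == "tcphdr":
            ev["sport"] = int(row["tcp_sport"])
            ev["dport"] = int(row["tcp_dport"])
        elif rec["table"] == "data":
            ev["payload"] = decode_payload(row["data_payload"]).decode("ascii", "replace")
    return events


if __name__ == "__main__":
    for key, ev in summarize(SAMPLE_LOG).items():
        print(key, ev.get("src"), "->", ev.get("dst"), "port", ev.get("dport"),
              "tables:", ",".join(ev["tables"]))
        if "payload" in ev:
            print("  payload:", repr(ev["payload"]))
```

Run against the lines from the post, both events come from the same source host to the same destination on TCP port 80, and the decoded payload of 1-705 is a plain HTTP `GET /scripts/root.exe?/c+dir` request, so the alerts themselves look like ordinary web probes; the error is in how the plugin is allocating `cid` values, not in what it is seeing. One common cause to check first: snort's database output plugin takes the next `cid` from `last_cid` in the `sensor` table for its `sid`, so if that value lags behind `SELECT MAX(cid) FROM event WHERE sid=1` (after a restore, or when two snort processes log under the same sensor id) every new event collides until the counter catches up.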