[Snort-devel] No logging to mysql in snort 2.4.x

Martin Olsson elof at ...969...
Fri Feb 3 06:08:09 EST 2006


Snort 2.4.3-build-27 stops logging to mysql after a few minutes or hours.

I have 50 sensors running 2.4.3-build-27 on FreeBSD and many of them 
randomly stop logging to the mysql-server for no apparent reason.

The sensors have all run snort 2.3.x for several months without any 
problems. The only change is the upgrade to 2.4 and a switch from common 
rules to VRT rules.

The problem:
Snort is working fine for a few minutes or hours, but then, all of a 
sudden, my syslog says:

Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away SQL=BEGIN
Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away
Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away
Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO sig_class (sig_class_name) VALUES ('protocol-command-decode')
Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away
Feb  3 14:45:55 sensor-86 snort[34380]: database: unable to write classification
Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO signature (sig_name,sig_priority,sig_rev,sig_sid) VALUES ('NETBIOS SMB C$ unicode share access',3,10,2470)
Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away
Feb  3 14:45:55 sensor-86 snort[34380]: database: Problem inserting a new signature 'NETBIOS SMB C$ unicode share access'
Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('9', '78', '0', '2006-02-03 14:45:54.754+001')
Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away SQL=ROLLBACK

The errors differ: it is references, classifications or signatures 
that can't be written to the DB.

Now the *really* interesting thing is that the sensor doesn't even try to 
use the database!

I'm sniffing on my management ethernet interface and only see arp, icmp 
echo and udp/512 (syslog) traffic. Not a single tcp/3306 (mysql) packet is 
sent!

If I restart snort it starts talking tcp/3306 as it should, but 19 
minutes later I get the syslog errors again and not a single tcp/3306 
packet is seen again.

The problem can be recreated in our test environment, but the time before 
failure is random, and which sensor(s) fail also seems random.


If I downgrade snort back to 2.3.x everything is working.



I know that the recommendation is to use unified logging and barnyard 
instead of spo_database, so I don't need answers like that. :-)

My question is why snort 2.4 doesn't work when there are no problems with 2.3.


/Martin
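The failure described in the post is invisible from the database side (no tcp/3306 traffic at all), so the only operational signal that a sensor has stopped recording events is the burst of `database:` lines in syslog. The script below is an added example, not code from the post or from Snort itself: it parses syslog lines of the shape quoted above, classifies the spo_database errors, and reports which sensor/PID pairs are failing so a monitoring job can alert on silent event loss. The sample input reuses the post's lines plus one constructed healthy line from a hypothetical `sensor-12`; the `snort[PID]:` syslog format is assumed from the quoted output.

```python
import re
from collections import defaultdict

# Constructed sample: lines of the kind quoted in the post, plus one
# healthy line from a hypothetical second sensor for contrast.
SAMPLE_SYSLOG = """\
Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away SQL=BEGIN
Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away
Feb  3 14:45:55 sensor-86 snort[34380]: database: unable to write classification
Feb  3 14:45:55 sensor-86 snort[34380]: database: Problem inserting a new signature 'NETBIOS SMB C$ unicode share access'
Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away SQL=ROLLBACK
Feb  3 14:45:57 sensor-12 snort[1101]: Snort initialization completed successfully
"""

# Classic BSD syslog prefix followed by "snort[PID]: message"
# (format assumed from the output quoted in the post).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) snort\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def parse_syslog(text):
    """Yield a dict (ts, host, pid, msg) for every line that parses as a snort syslog message."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.groupdict()


def classify_db_error(msg):
    """Return a short category for an spo_database failure message, or None if it is not one."""
    prefix = "database: "
    if not msg.startswith(prefix):
        return None
    body = msg[len(prefix):]
    if "MySQL server has gone away" in body:
        return "gone_away"        # connection-level failure, as in the post
    if body.startswith("unable to write"):
        return "write_failed"     # reference/classification could not be stored
    if body.startswith("Problem inserting"):
        return "insert_failed"    # signature row could not be inserted
    return "other"


def failed_sensors(text, threshold=1):
    """Map (host, pid) -> per-category error counts for sensors with at least `threshold` DB errors.

    A sensor that appears here is still running but no longer recording
    events, which is exactly the condition the post describes.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for rec in parse_syslog(text):
        category = classify_db_error(rec["msg"])
        if category:
            counts[(rec["host"], int(rec["pid"]))][category] += 1
    return {key: dict(per_cat) for key, per_cat in counts.items()
            if sum(per_cat.values()) >= threshold}


if __name__ == "__main__":
    for (host, pid), per_cat in failed_sensors(SAMPLE_SYSLOG).items():
        print(f"{host} (pid {pid}): spo_database errors {per_cat}")
```

Feeding a rolling window of the central syslog into `failed_sensors` and paging on any non-empty result gives an alert for the condition the post describes; the healthy `sensor-12` line is correctly ignored because it carries no `database:` prefix.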



