[Snort-devel] No logging to mysql in snort 2.4.x

Eric Lauzon eric.lauzon at ...1967...
Fri Feb 3 07:42:26 EST 2006


Once again, you should not use spo_database anymore; look for spo_unified and barnyard.

[spares its share of problems :) ]

-elz
 

> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net 
> [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of 
> Martin Olsson
> Sent: 3 February 2006 09:10
> To: bugs at ...835...
> Cc: snort-devel mailinglist
> Subject: [Snort-devel] No logging to mysql in snort 2.4.x
> 
> 
> Snort 2.4.3-build-27 stops logging to mysql after a few 
> minutes or hours.
> 
> I have 50 sensors running 2.4.3-build-27 on FreeBSD and many 
> of them randomly stop logging to the mysql-server for no 
> apparent reason.
> 
> The sensors have all run snort 2.3.x for several months 
> without any problems. The only change is the upgrade to 2.4 
> and a switch from common rules to VRT rules.
> 
> The problem:
> Snort is working fine for a few minutes or hours, but then, 
> all of a sudden, my syslog says:
> 
> Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away SQL=BEGIN
> Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away
> Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away
> Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO sig_class (sig_class_name) VALUES ('protocol-command-decode')
> Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away
> Feb  3 14:45:55 sensor-86 snort[34380]: database: unable to write classification
> Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO signature (sig_name,sig_priority,sig_rev,sig_sid) VALUES ('NETBIOS SMB C$ unicode share access',3,10,2470)
> Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away
> Feb  3 14:45:55 sensor-86 snort[34380]: database: Problem inserting a new signature 'NETBIOS SMB C$ unicode share access'
> Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('9', '78', '0', '2006-02-03 14:45:54.754+001')
> Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away SQL=ROLLBACK
> 
> The errors are different: it is references, classifications 
> or signatures that can't be written to the DB.
> 
> Now the *really* interesting thing is that the sensor doesn't 
> even try to use the database!
> 
> I'm sniffing on my management ethernet interface and only see 
> arp, icmp echo and udp/512 (syslog) traffic. Not a single 
> tcp/3306 (mysql) packet is sent!
> 
> If I restart snort, it starts talking tcp/3306 as it 
> should, but 19 minutes later I get the syslog errors again 
> and not a single tcp/3306 packet is seen again.
> 
> The problem can be recreated in our test environment, but the 
> time before failure is random, and which sensor(s) fail also 
> seems random.
> 
> 
> If I downgrade snort back to 2.3.x, everything works.
> 
> 
> 
> I know that the recommendation is to use unified logging and barnyard 
> instead of spo_database, so I don't need answers like that. :-)
> 
> My question is why snort 2.4 doesn't work when there are no 
> problems with 2.3.
> 
> 
> /Martin
> 
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
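The syslog excerpt in the quoted report is the only sign a remote sensor gives that its database output has died: each alert is written inside a transaction, and once the connection is gone the statement fails, the transaction is rolled back, and (per Martin's packet capture) no further tcp/3306 traffic follows, so every alert after that point is silently lost. The script below is an added example, not code from this thread, from Snort or from barnyard. It parses such lines centrally, groups the "MySQL server has gone away" errors (libmysqlclient error 2006, CR_SERVER_GONE_ERROR) per sensor and process, records which event rows (sid, cid) were in the rolled-back transaction, and lists the sensors whose output needs checking. The sample lines are constructed: the sensor-86 lines follow the posted excerpt, while sensor-12 and sensor-07 and their messages are invented for the example; the message layout, table and column names and the ROLLBACK marker are taken from the thread.

```python
import re

# Constructed sample input, modelled on the syslog excerpt in the thread above.
# sensor-86 lines follow the posted excerpt; sensor-12 and sensor-07 are made
# up for this example so that grouping and a non-matching error are visible.
SAMPLE_SYSLOG = """\
Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away SQL=BEGIN
Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away
Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO sig_class (sig_class_name) VALUES ('protocol-command-decode')
Feb  3 14:45:55 sensor-86 snort[34380]: database: unable to write classification
Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO signature (sig_name,sig_priority,sig_rev,sig_sid) VALUES ('NETBIOS SMB C$ unicode share access',3,10,2470)
Feb  3 14:45:55 sensor-86 snort[34380]: database: Problem inserting a new signature 'NETBIOS SMB C$ unicode share access'
Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('9', '78', '0', '2006-02-03 14:45:54.754+001')
Feb  3 14:45:55 sensor-86 snort[34380]: database: mysql_error: MySQL server has gone away SQL=ROLLBACK
Feb  3 14:46:10 sensor-12 snort[1120]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('3', '4410', '17', '2006-02-03 14:46:09.001+001')
Feb  3 14:46:10 sensor-12 snort[1120]: database: mysql_error: MySQL server has gone away SQL=ROLLBACK
Feb  3 14:46:12 sensor-07 snort[2231]: database: mysql_error: Lock wait timeout exceeded; try restarting transaction SQL=INSERT INTO sig_class (sig_class_name) VALUES ('misc-activity')
"""

# Syslog line as written by spo_database in the excerpt:
#   "<timestamp> <host> snort[<pid>]: database: <message>[ SQL=<statement>]"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"snort\[(?P<pid>\d+)\]: database: (?P<msg>.*)$"
)
GONE_AWAY = "mysql_error: MySQL server has gone away"   # libmysqlclient error 2006
# Event insert as logged in the thread; sid and cid identify the alert row that was lost.
EVENT_INSERT_RE = re.compile(
    r"^INSERT INTO event \(sid,cid,signature,timestamp\) VALUES \('(\d+)', '(\d+)'"
)


def parse_line(line):
    """Split one syslog line into its fields; return None for lines spo_database did not write."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sql"] = None
    if " SQL=" in rec["msg"]:
        rec["msg"], rec["sql"] = rec["msg"].split(" SQL=", 1)
    return rec


def analyse(syslog_text):
    """Group 'server has gone away' errors per (host, pid) and note what each one lost."""
    sensors = {}
    for line in syslog_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["msg"] != GONE_AWAY:
            continue   # other database messages (lock timeouts etc.) are a different problem
        key = (rec["host"], rec["pid"])
        st = sensors.setdefault(key, {
            "first_seen": rec["ts"], "last_seen": rec["ts"],
            "gone_away_count": 0, "lost_events": [], "rolled_back": False,
        })
        st["last_seen"] = rec["ts"]
        st["gone_away_count"] += 1
        if rec["sql"] == "ROLLBACK":
            st["rolled_back"] = True        # the alert's transaction was discarded
        elif rec["sql"]:
            em = EVENT_INSERT_RE.match(rec["sql"])
            if em:
                st["lost_events"].append((int(em.group(1)), int(em.group(2))))
    return sensors


def sensors_to_check(sensors):
    """Hosts whose connection died mid-transaction and therefore dropped at least one alert."""
    return sorted(host for (host, _pid), st in sensors.items() if st["rolled_back"])


if __name__ == "__main__":
    result = analyse(SAMPLE_SYSLOG)
    for (host, pid), st in sorted(result.items()):
        print(f"{host} pid {pid}: {st['gone_away_count']} gone-away errors, "
              f"lost event rows {st['lost_events']}, rolled back={st['rolled_back']}")
    print("sensors to check:", sensors_to_check(result))
```

The script only turns the log signature into a per-sensor list. Confirming that a flagged sensor has really stopped talking to the database remains the packet-level check Martin describes (watching the management interface for tcp/3306), and the fix the thread recommends is to move the sensors to spo_unified plus barnyard so that a lost database connection no longer costs alerts.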