[Snort-devel] Barnyard2 DB error and it will not start

elof at ...969... elof at ...969...
Fri Jul 10 08:14:40 EDT 2015


Hi Avery!

Yes, this is a confusing/misleading error message.

Since the cache sync is performed within a transaction, the duplicate 
insert will never actually happen.


So, you seem to already have metadata populated in the DB, while the sync 
tries to add more/other data to some reference.


Your problem might disappear if you run these commands, to find dupes and 
remove them:
DELETE FROM signature where sig_id NOT IN ( select min(dup.sig_id) from 
signature dup group by sig_sid,sig_gid,sig_rev);
DELETE FROM reference_system where ref_system_id NOT IN ( select 
min(dup.ref_system_id) from reference_system dup group by 
ref_system_name);
DELETE FROM sig_class where sig_class_id NOT IN ( select 
min(dup.sig_class_id) from sig_class dup group by sig_class_name);
DELETE FROM reference where ref_id NOT IN ( select min(dup.ref_id) from 
reference dup group by ref_system_id,ref_tag);


...but I think not. I guess you don't have dupes, but conflicting data in 
the DB vs what is in your new snort.conf rules.
So if the above don't work, I would reset the entire metadata system and 
let by2 re-populate it from scratch.
Note: old events will no longer show correct references.

Here's an example for Postgres:
DELETE FROM public.reference; DELETE FROM public.sig_reference; DELETE 
FROM public.signature; DELETE FROM public.sig_class; DELETE FROM 
public.reference_system;
ALTER SEQUENCE public.sig_class_sig_class_id_seq RESTART WITH 1;




See my thread "Barnyard2 fatal error duplicate references, but there are 
no duplicates" from thu, 1 Nov 2012.

/Elof


On Tue, 7 Jul 2015, Avery Rozar wrote:

> I get this error when I try to start barnyard, what is the proper solution
> for this? If I run the SQL query I only get one result so I'm not sure what
> the issue may be.
>
>
>
> ERROR database: Query [SELECT ref_id FROM reference WHERE ref_system_id =
> '10' AND ref_tag = '27676';] returned more than one result
>
> [SystemCacheSynchronize()], Call to ReferencePopulateDatabase() failed
>
> [CacheSynchronize()]:, SystemCacheSyncronize() call failed.
>
>
>
> SQL Query on the database:
>
> csdashboard=# SELECT ref_id FROM reference WHERE ref_system_id = '10' AND
> ref_tag = '27676';
>
> ref_id
>
> --------
>
>  26976
>
> (1 row)
>




More information about the Snort-devel mailing list