[Snort-devel] Barnyard2 DB error and it will not start
elof at ...969...
Fri Jul 10 08:14:40 EDT 2015
Yes, this is a confusing/misleading error message.
Since the cache sync is performed within a transaction, the duplicate
insert will never actually happen.
So, you seem to already have metadata populated in the DB, while the sync
tries to add more/other data to some reference.
Your problem might disappear if you run these commands, to find dupes and
DELETE FROM signature where sig_id NOT IN ( select min(dup.sig_id) from
signature dup group by sig_sid,sig_gid,sig_rev);
DELETE FROM reference_system where ref_system_id NOT IN ( select
min(dup.ref_system_id) from reference_system dup group by
DELETE FROM sig_class where sig_class_id NOT IN ( select
min(dup.sig_class_id) from sig_class dup group by sig_class_name);
DELETE FROM reference where ref_id NOT IN ( select min(dup.ref_id) from
reference dup group by ref_system_id,ref_tag);
...but I think not. I guess you don't have dupes, but conflicting data in
the DB vs what is in your new snort.conf rules.
So if the above don't work, I would reset the entire metadata system and
let by2 re-populate it from scratch.
Note: old events will no longer show correct references.
Here's an example for Postgres:
DELETE FROM public.reference; DELETE FROM public.sig_reference; DELETE
FROM public.signature; DELETE FROM public.sig_class; DELETE FROM
ALTER SEQUENCE public.sig_class_sig_class_id_seq RESTART WITH 1;
See my thread "Barnyard2 fatal error duplicate references, but there are
no duplicates" from Thu, 1 Nov 2012.
On Tue, 7 Jul 2015, Avery Rozar wrote:
> I get this error when I try to start barnyard, what is the proper solution
> for this? If I run the SQL query I only get one result so I'm not sure what
> the issue may be.
> ERROR database: Query [SELECT ref_id FROM reference WHERE ref_system_id =
> '10' AND ref_tag = '27676';] returned more than one result
> [SystemCacheSynchronize()], Call to ReferencePopulateDatabase() failed
> [CacheSynchronize()]:, SystemCacheSyncronize() call failed.
> SQL Query on the database:
> csdashboard=# SELECT ref_id FROM reference WHERE ref_system_id = '10' AND
> ref_tag = '27676';
> (1 row)
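
A read-only check that can be run before the DELETE statements in the reply above, added here as an example and not part of the original post. It assumes PostgreSQL and uses only table and column names that appear in the thread; the output column aliases are made up for the example.

```sql
-- Added example, not from the original post. PostgreSQL; table and column
-- names are the ones used in the thread, aliases are illustrative.
BEGIN TRANSACTION READ ONLY;   -- nothing below can modify the database

-- Key groups that occur more than once, with the id the dedupe would keep.
SELECT ref_system_id, ref_tag, count(*) AS copies, min(ref_id) AS kept_ref_id
  FROM reference
 GROUP BY ref_system_id, ref_tag
HAVING count(*) > 1;

SELECT sig_sid, sig_gid, sig_rev, count(*) AS copies, min(sig_id) AS kept_sig_id
  FROM signature
 GROUP BY sig_sid, sig_gid, sig_rev
HAVING count(*) > 1;

SELECT sig_class_name, count(*) AS copies,
       min(sig_class_id) AS kept_sig_class_id
  FROM sig_class
 GROUP BY sig_class_name
HAVING count(*) > 1;

-- How many rows each DELETE from the post would remove (0 means no dupes).
SELECT count(*) AS reference_rows_to_delete
  FROM reference
 WHERE ref_id NOT IN (SELECT min(dup.ref_id) FROM reference dup
                       GROUP BY dup.ref_system_id, dup.ref_tag);

SELECT count(*) AS signature_rows_to_delete
  FROM signature
 WHERE sig_id NOT IN (SELECT min(dup.sig_id) FROM signature dup
                       GROUP BY dup.sig_sid, dup.sig_gid, dup.sig_rev);

SELECT count(*) AS sig_class_rows_to_delete
  FROM sig_class
 WHERE sig_class_id NOT IN (SELECT min(dup.sig_class_id) FROM sig_class dup
                             GROUP BY dup.sig_class_name);

COMMIT;
```

If the three grouped queries return no rows and the three counts are 0, the tables hold no duplicates on those keys and the DELETE statements would remove nothing.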