[Snort-users] barnyard regular restart required
eslerj at ...11827...
Mon Mar 9 10:11:04 EDT 2009
Snort doesn't re-establish connections unless you restart it, i.e. if Snort
hasn't logged anything in a while, MySQL times out the connection. Barnyard
will re-establish the connection.
On Mon, Mar 9, 2009 at 9:50 AM, Paul Schmehl <pschmehl_lists at ...14358...> wrote:
> --On Monday, March 09, 2009 03:48:31 -0500 Ian Masters <ian at ...12163...>
> > Thanks again for the reply.
> >> Again I do not use Barnyard, but any chance you are using outputting
> >> Barnyard to MySQL (did not catch it the first time but you must be if
> >> are using base...)? More specifically MySQL Server 5, there is an issue
> >> where the connection to MySQL times out, and MySQL does nothing about
> > I am indeed outputting from Barnyard to MySQL and my MySQL version is
> > indeed 5 (Sorry I didn't include this information to begin with)
> >> With Snort logging straight to MySQL this manifests as Snort log
> >> like "snort: database: mysql_error: MySQL server has gone away "
> >> Not sure if Barnyard will log anything in this scenario...
> > I haven't come across anything useful like that yet.
> >> I *believe* that if you run lsof -i it will still show that snort
> >> (barnyard in your case) is still connected to MySQL (even tho the
> >> connection is dead)
> > lsof -i shows:
> > mysqld 4637 mysql 10u IPv4 8513 TCP *:mysql (LISTEN)
> > The machine is a test machine which gets very few alerts.
> > Thanks for the ideas. It's given me a bit more to think about. I'm
> > surprised that it's not happening to other users too.
> What makes you think it isn't? Some of us are watching the thread
> wondering if
> someone has an answer.
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> Check the headers before clicking on Reply.
T: 302-223-5974 (-) Gtalk: jesler at ...1935...
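
Added example, not part of the thread or of Snort/Barnyard: a small health check that combines the two signals discussed above, the `lsof -i` socket table and the "MySQL server has gone away" log line, to tell whether a sensor has lost its database link. The function names are hypothetical; the sample rows are constructed except the one mysqld row posted in the thread, and the CLOSE_WAIT case rests on standard TCP behaviour when the server closes an idle connection.

```python
GONE_AWAY = "MySQL server has gone away"  # error text quoted in the thread

def parse_lsof(text):
    """Yield (command, pid, name, state) for each TCP row of `lsof -i` output."""
    for line in text.splitlines():
        fields = line.split()
        if "TCP" not in fields:
            continue  # header, blank line, or UDP row
        i = fields.index("TCP")
        if i + 1 >= len(fields):
            continue
        state = fields[i + 2].strip("()") if i + 2 < len(fields) else ""
        yield fields[0], fields[1], fields[i + 1], state

def sensor_db_sockets(lsof_text, commands=("snort", "barnyard"), ports=("mysql", "3306")):
    """Return (command, pid, state) for sensor sockets whose remote port is MySQL."""
    socks = []
    for cmd, pid, name, state in parse_lsof(lsof_text):
        if "->" not in name or not cmd.startswith(commands):
            continue  # listening socket, or a process we do not care about
        remote_port = name.split("->", 1)[1].rsplit(":", 1)[-1]
        if remote_port in ports:
            socks.append((cmd, pid, state))
    return socks

def diagnose(lsof_text, log_text):
    """Classify the sensor-to-MySQL link from lsof output and log text."""
    socks = sensor_db_sockets(lsof_text)
    if not socks:
        return "no-connection"   # nothing will be written until a reconnect
    if any(state == "CLOSE_WAIT" for _, _, state in socks):
        return "half-closed"     # server closed its side, client has not noticed
    if GONE_AWAY in log_text:
        return "stale-suspect"   # socket looks alive, but the thread's error was logged
    return "ok"

# The one lsof row posted in the thread, then constructed rows and log line.
THREAD_LSOF = "mysqld 4637 mysql 10u IPv4 8513 TCP *:mysql (LISTEN)"
CLOSED = THREAD_LSOF + "\nbarnyard 5120 snort 4u IPv4 9120 TCP localhost:41234->localhost:mysql (CLOSE_WAIT)"
LIVE = THREAD_LSOF + "\nbarnyard 5120 snort 4u IPv4 9120 TCP 10.0.0.5:41234->10.0.0.9:3306 (ESTABLISHED)"
LOG = "snort: database: mysql_error: MySQL server has gone away"

if __name__ == "__main__":
    for label, lsof, log in [("thread", THREAD_LSOF, ""), ("closed", CLOSED, ""),
                             ("live+error", LIVE, LOG), ("live", LIVE, "")]:
        print(label, "->", diagnose(lsof, log))
```

Run from cron against live `lsof -i` output and the sensor's log, a result other than "ok" on a quiet sensor is the cue to restart or reconnect before alerts are lost.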