[Snort-users] barnyard regular restart required

Joel Esler eslerj at ...11827...
Mon Mar 9 10:11:04 EDT 2009


Snort doesn't re-establish connections unless you restart it, I.e.  if Snort
hasn't logged anything in awhile, Mysql time out the connection.  Barnyard
will reestablish the connection.
J

On Mon, Mar 9, 2009 at 9:50 AM, Paul Schmehl <pschmehl_lists at ...14358...>wrote:

> --On Monday, March 09, 2009 03:48:31 -0500 Ian Masters <ian at ...12163...>
> wrote:
>
> >
> > Thanks again for the reply.
> >
> >> Again I do not use Barnyard, but any chance you are using outputting
> from
> >> Barnyard to MySQL (did not catch it the first time but you must be if
> you
> >> are using base...)? More specifically MySQL Server 5, there is an issue
> >> where the connection to MySQL times out, and MySQL does nothing about
> it.
> >
> > I am indeed outputting from Barnyard to MySQL and my MySQL version is
> > indeed 5 (Sorry I didn't include this information to begin with)
> >
> >> With Snort logging straight to MySQL this manifests as Snort log
> messages
> >> like "snort[10778]: database: mysql_error: MySQL server has gone away "
> >>
> >> Not sure if Barnyard will log anything in this senario...
> >
> > I haven't come across anything useful like that yet.
> >
> >> I *believe* that if you run lsof -i it will still show that snort
> >> (barnyard in your case) is still connected to MySQL (even tho the
> >> connection is dead)
> >
> > lsof -i shows:
> > mysqld     4637   mysql   10u  IPv4    8513       TCP *:mysql (LISTEN)
> >
> > The machine is a test machine which gets very few alerts.
> >
> > Thanks for the ideas. It's given me a bit more to think about. I'm
> > surprised that it's not happening to other users too.
> >
>
> What makes you think it isn't?  Some of us are watching the thread
> wondering if
> someone has an answer.
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> Check the headers before clicking on Reply.
>
>
>
> ------------------------------------------------------------------------------
> Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco,
> CA
> -OSBC tackles the biggest issue in open source: Open Sourcing the
> Enterprise
> -Strategies to boost innovation and cut costs with open source
> participation
> -Receive a $600 discount off the registration fee with the source code:
> SFAD
> http://p.sf.net/sfu/XcvMzF8H
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 
Joel Esler
T: 302-223-5974 (-) Gtalk: jesler at ...1935...
[m]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20090309/8e1d644c/attachment.html>


More information about the Snort-users mailing list