[Snort-users] barnyard regular restart required

Matthew Babcock MBabcock at ...14532...
Mon Mar 9 10:20:15 EDT 2009


I am willing to bet it is. The Snort >> MySQL connection time out was a
big road block for me. It would manifest as Snort running, and not getting
events added to MySQL (and still showing via 'lsof- i' that Snort was
connected to MySQL.

There are two easy ways to prove this.

1 - Temporaly stop using Barnyard, and make Snort log to MySQL directly.
Make sure you have Snort enabled to log to MySQL (in debian the the
package name is snort-mysql, run sudo aptitude show snort, if there is an
'i' in-front of snort-mysql you already have it installed; otherwise you
can install it, use aptitude tho..) Let it run for a while and look for
those snort messages I mentioned "database has gone away" If you get them
and I suspect you will you know what the problems it.

If you compiled from source that changes things a bit.

2 - Even easier, enable the icmp-info.rules and use a system on your LAN
to continuously ping something on the internet. Make sure you get the ICMP
ECHO/PING alerts and see if it stops working again.

I made a signature that turned Nagios Traffic into an heartbeat/alert,
avoiding the problem.

for reference...
---------
sudo aptitude show snort-mysql |grep ersion && sudo aptitude show
mysql-server-5.0 |grep ersion
Version: 2.7.0-20.3
Version: 5.0.51a-24
-----------


Regards,
-- Matthew R. Babcock
CEO, Principal Consultant
A & R Technology Consulting - Providing solutions, not limitations -
MBabcock at ...14532...

> --On Monday, March 09, 2009 03:48:31 -0500 Ian Masters <ian at ...12163...>
> wrote:
>
>>
>> Thanks again for the reply.
>>
>>> Again I do not use Barnyard, but any chance you are using outputting
>>> from
>>> Barnyard to MySQL (did not catch it the first time but you must be if
>>> you
>>> are using base...)? More specifically MySQL Server 5, there is an issue
>>> where the connection to MySQL times out, and MySQL does nothing about
>>> it.
>>
>> I am indeed outputting from Barnyard to MySQL and my MySQL version is
>> indeed 5 (Sorry I didn't include this information to begin with)
>>
>>> With Snort logging straight to MySQL this manifests as Snort log
>>> messages
>>> like "snort[10778]: database: mysql_error: MySQL server has gone away "
>>>
>>> Not sure if Barnyard will log anything in this senario...
>>
>> I haven't come across anything useful like that yet.
>>
>>> I *believe* that if you run lsof -i it will still show that snort
>>> (barnyard in your case) is still connected to MySQL (even tho the
>>> connection is dead)
>>
>> lsof -i shows:
>> mysqld     4637   mysql   10u  IPv4    8513       TCP *:mysql (LISTEN)
>>
>> The machine is a test machine which gets very few alerts.
>>
>> Thanks for the ideas. It's given me a bit more to think about. I'm
>> surprised that it's not happening to other users too.
>>
>
> What makes you think it isn't?  Some of us are watching the thread
> wondering if
> someone has an answer.
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> Check the headers before clicking on Reply.
>
>
> ------------------------------------------------------------------------------
> Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco,
> CA
> -OSBC tackles the biggest issue in open source: Open Sourcing the
> Enterprise
> -Strategies to boost innovation and cut costs with open source
> participation
> -Receive a $600 discount off the registration fee with the source code:
> SFAD
> http://p.sf.net/sfu/XcvMzF8H
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>






More information about the Snort-users mailing list