[Snort-users] barnyard regular restart required

Matthew Babcock MBabcock at ...14532...
Tue Mar 10 18:16:24 EDT 2009


Looks like the MySQL connection time out to me..

Can Barnyard be run in batch mode against a .pcap? I would be willing to
bet that your problem would not manifest when run in batch mode (since it
would process the whole file at once as opposed to waiting for subsequent
packets)

Unless I am mistaken, you can prove this by starting tcpdump on whatever
interface snort listens on, and restart snort and barnyard.

When you see the problem happen again, kill snort, barnyard and tcpdump
then make barnyard process the pcap file you just made.

If the problem is not related to the MySQL connection timing out, the
problem should persist. If batch processing that pcap with barnyard works
flawlessly. Let everyone on the list know you have confirmed the problem
with the MySQL connection timing out. ;) GL.

---------
snort logging the mysql connection timed out...
: database: mysql_error: MySQL server has gone away SQL=INSERT INTO event
(sid,cid,signature,timestamp) VALUES...
------------


Regards,
-- Matthew R. Babcock
CEO, Principal Consultant
A & R Technology Consulting - Providing solutions, not limitations -
MBabcock at ...14532...

> On Mon, 2009-03-09 at 13:50 +0000, Paul Schmehl wrote:
>> --On Monday, March 09, 2009 03:48:31 -0500 Ian Masters <ian at ...12163...>
>> wrote:
>>
>> > Thanks for the ideas. It's given me a bit more to think about. I'm
>> > surprised that it's not happening to other users too.
>> >
>>
>> What makes you think it isn't?  Some of us are watching the thread
>> wondering if
>> someone has an answer.
>>
>
> Ian,
>
> Check your logs for messages like these:
>
> Mar 10 12:14:30 getafix barnyard[5010]: FATAL ERROR: Expected Confirm
> 222668 and got: Failed to insert 222668: mysqlexec: handle already
> closed (dangling pointer)
>
> This is what kills my BY all the time - just today, as you can see....
>
> I haven't been able to find an answer for it.
>
> CP
> ------------------------------------------------------------------------------
> Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
> powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
> easily build your RIAs with Flex Builder, the Eclipse(TM)based development
> software that enables intelligent coding and step-through debugging.
> Download the free 60 day trial.
> http://p.sf.net/sfu/www-adobe-com_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users






More information about the Snort-users mailing list