[Snort-users] Barnyard2 database failures

Dave Corsello snort-users at ...15598...
Sat Dec 29 20:06:01 EST 2012


Hello,

I'm running two Snort inline boxes--one on my LAN and one on my DMZ.  
I'm getting one or two sets of barnyard2 errors per day on each sensor, 
similar to the example below, since upgrading to Snort 2.9.3.1.  I'm 
running Barnyard2 ver. 2.1.11 Build 317, and the OS is Ubuntu Server 
10.04.3.  MySQL is running on a separate Ubuntu box. This same setup was 
working fine on both sensors prior to upgrading Snort. Any ideas?

Thanks,
Dave

Example:

Dec 28 17:20:23 snort1 barnyard2[5580]: [Database()]: Insertion of Query 
[INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 2123, 682, 
'2012-12-28 17:20:18');] failed
Dec 28 17:20:23 snort1 barnyard2[5580]: WARNING database: [Database()] 
Failed transaction with current query transaction #012
Dec 28 17:20:23 snort1 barnyard2[5580]: WARNING database: Failed Query 
Position [1] Failed Query Body [INSERT INTO event 
(sid,cid,signature,timestamp) VALUES (1, 2123, 682, '2012-12-28 
17:20:18');]
Dec 28 17:20:23 snort1 barnyard2[5580]: WARNING database: Failed Query 
Position [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport, 
tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, 
tcp_csum, tcp_urp) VALUES 
(1,2123,45371,80,1719521233,533625699,8,0,24,115,48796,0);]
Dec 28 17:20:23 snort1 barnyard2[5580]: WARNING database: Failed Query 
Position [3] Failed Query Body [INSERT INTO opt 
(sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES 
(1,2123,2,6,8,8,'0562CF7A899C1338');]
Dec 28 17:20:23 snort1 barnyard2[5580]: WARNING database: Failed Query 
Position [4] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, 
ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, 
ip_proto, ip_csum) VALUES 
(1,2123,1962855192,169100811,4,5,0,237,347,0,0,41,6,49018);]
Dec 28 17:20:23 snort1 barnyard2[5580]: WARNING database: Failed Query 
Position [5] Failed Query Body [INSERT INTO data (sid,cid,data_payload) 
VALUES 
(1,2123,'474554202F77303074773030742E61742E626C61636B686174732E726F6D616E69616E2E616E74692D7365633A2920485454502F312E310D0A4163636570743A202A2F2A0D0A4163636570742D4C616E67756167653A20656E2D75730D0A4163636570742D456E636F64696E673A20677A69702C206465666C6174650D0A557365722D4167656E743A205A6D45750D0A486F73743A2030302E30302E30302E30300D0A436F6E6E656374696F6E3A20436C6F73650D0A0D0A');] 

Dec 28 17:20:23 snort1 barnyard2[5580]: WARNING database [Database()]: 
End of failed transaction block

(I replaced the IP info in the data payload in the next to last warning 
with 00.00.00.00.)
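
Added example, not part of the original post and not Barnyard2 code: a small Python helper for triaging a failed transaction block like the one above. It recovers each failed INSERT from syslog text and decodes the integer IP columns, the TCP flag byte and the hex-encoded data_payload. The sample log, addresses and payload are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample shaped like the warnings above: documentation-range
# addresses, a short made-up payload, one entry wrapped as mail clients do.
SAMPLE = """\
Jan  1 00:00:01 sensor barnyard2[100]: WARNING database: Failed Query Position [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 7, 42, '2013-01-01 00:00:00');]
Jan  1 00:00:01 sensor barnyard2[100]: WARNING database: Failed Query Position [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport, tcp_dport, tcp_flags) VALUES (1,7,45371,80,24);]
Jan  1 00:00:01 sensor barnyard2[100]: WARNING database: Failed Query
Position [3] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst,
ip_proto) VALUES (1,7,3221225994,3325256711,6);]
Jan  1 00:00:01 sensor barnyard2[100]: WARNING database: Failed Query Position [4] Failed Query Body [INSERT INTO data (sid,cid,data_payload) VALUES (1,7,'474554202F20485454502F312E310D0A');]
"""

QUERY = re.compile(r"Failed Query Position \[\d+\] Failed Query Body "
                   r"\[INSERT INTO (\w+) \((.*?)\) VALUES \((.*?)\);\]")
TCP_FLAGS = [("FIN", 1), ("SYN", 2), ("RST", 4), ("PSH", 8), ("ACK", 16), ("URG", 32)]

def parse_failed_queries(text):
    """Group the failed INSERTs by (sid, cid), then by table name."""
    flat = " ".join(text.split())  # undo line wrapping from mail or paste
    events = {}
    for table, cols, vals in QUERY.findall(flat):
        names = [c.strip() for c in cols.split(",")]
        values = [v.strip().strip("'") for v in vals.split(",")]
        row = dict(zip(names, values))
        events.setdefault((row["sid"], row["cid"]), {})[table] = row
    return events

def summarize(tables):
    """Turn the schema's integer and hex columns into readable values."""
    out = {"timestamp": tables.get("event", {}).get("timestamp")}
    ip = tables.get("iphdr", {})
    for col in ("ip_src", "ip_dst"):
        if col in ip:
            out[col] = str(ipaddress.IPv4Address(int(ip[col])))
    if "tcphdr" in tables:
        bits = int(tables["tcphdr"]["tcp_flags"])
        out["tcp_flags"] = [name for name, bit in TCP_FLAGS if bits & bit]
    if "data" in tables:
        raw = bytes.fromhex(tables["data"]["data_payload"])
        out["payload"] = raw.decode("ascii", "replace")
    return out

if __name__ == "__main__":
    for key, tables in parse_failed_queries(SAMPLE).items():
        print(key, summarize(tables))
```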



