[Snort-users] Barnyard2 database failures

beenph beenph at ...11827...
Sat Dec 29 20:54:27 EST 2012


Hi Dave,

In both of your barnyard2 configurations, do you use
different information so that you have two sensors
in your sensor table?
Because if you use the same information, then it would
be seen as 1 sensor and you could hit a race condition
which could lead to this.

So I would make sure that both of your barnyard2 instances have different
information,
and also make sure that you do not have another barnyard2 process in the
background.
Maybe launched by a startup script etc.

This error would only happen if the transaction fails (duplicate key) or if
your database dies;
I suspect you have another process also inserting and this is why you're
hitting this condition.

-elz



On Sat, Dec 29, 2012 at 8:06 PM, Dave Corsello <
snort-users at ...15598...> wrote:

> Hello,
>
> I'm running two Snort inline boxes--one on my LAN and one on my DMZ.
> I'm getting one or two sets of barnyard2 errors per day on each sensor,
> similar to the example below, since upgrading to Snort 2.9.3.1.  I'm
> running Barnyard2 ver. 2.1.11 Build 317, and the OS is Ubuntu Server
> 10.04.3.  MySQL is running on a separate Ubuntu box. This same setup was
> working fine on both sensors prior to upgrading Snort. Any ideas?
>
> Thanks,
> Dave
>
> Example:
>
> Dec 28 17:20:23 snort1 barnyard2[5580]: [Database()]: Insertion of Query
> [INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 2123, 682,
> '2012-12-28 17:20:18');] failed
> Dec 28 17:20:23 snort1 barnyard2[5580]: WARNING database: [Database()]
> Failed transaction with current query transaction #012
> Dec 28 17:20:23 snort1 barnyard2[5580]: WARNING database: Failed Query
> Position [1] Failed Query Body [INSERT INTO event
> (sid,cid,signature,timestamp) VALUES (1, 2123, 682, '2012-12-28
> 17:20:18');]
> Dec 28 17:20:23 snort1 barnyard2[5580]: WARNING database: Failed Query
> Position [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport,
> tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win,
> tcp_csum, tcp_urp) VALUES
> (1,2123,45371,80,1719521233,533625699,8,0,24,115,48796,0);]
> Dec 28 17:20:23 snort1 barnyard2[5580]: WARNING database: Failed Query
> Position [3] Failed Query Body [INSERT INTO opt
> (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
> (1,2123,2,6,8,8,'0562CF7A899C1338');]
> Dec 28 17:20:23 snort1 barnyard2[5580]: WARNING database: Failed Query
> Position [4] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src,
> ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl,
> ip_proto, ip_csum) VALUES
> (1,2123,1962855192,169100811,4,5,0,237,347,0,0,41,6,49018);]
> Dec 28 17:20:23 snort1 barnyard2[5580]: WARNING database: Failed Query
> Position [5] Failed Query Body [INSERT INTO data (sid,cid,data_payload)
> VALUES
>
> (1,2123,'474554202F77303074773030742E61742E626C61636B686174732E726F6D616E69616E2E616E74692D7365633A2920485454502F312E310D0A4163636570743A202A2F2A0D0A4163636570742D4C616E67756167653A20656E2D75730D0A4163636570742D456E636F64696E673A20677A69702C206465666C6174650D0A557365722D4167656E743A205A6D45750D0A486F73743A2030302E30302E30302E30300D0A436F6E6E656374696F6E3A20436C6F73650D0A0D0A');]
>
> Dec 28 17:20:23 snort1 barnyard2[5580]: WARNING database [Database()]:
> End of failed transaction block
>
> (I replaced the IP info in the data payload in the next to last warning
> with 00.00.00.00.)
>
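The duplicate-key collision suggested in the reply above, as an added example that is not part of the original thread and is not barnyard2's code. It assumes a reduced stand-in schema in SQLite (the real setup is MySQL), a `Writer` class that models one barnyard2 process keeping its own `cid` counter, and constructed identities (`snort2`, `eth0`).

```python
import sqlite3

# Reduced stand-in for the Snort schema: only what the logged INSERT needs.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
                     last_cid INTEGER NOT NULL DEFAULT 0,
                     UNIQUE (hostname, interface));
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                     PRIMARY KEY (sid, cid));
"""

class Writer:
    """Hypothetical model of one barnyard2 process (assumption, not its real code):
    it resolves its sensor row once at startup, then counts cid locally."""

    def __init__(self, db, hostname, interface):
        self.db = db
        ident = (hostname, interface)
        with db:  # an identical identity maps onto the existing sensor row
            db.execute("INSERT OR IGNORE INTO sensor (hostname, interface) "
                       "VALUES (?, ?)", ident)
        self.sid, self.cid = db.execute(
            "SELECT sid, last_cid FROM sensor WHERE hostname = ? AND interface = ?",
            ident).fetchone()

    def log_event(self, signature, timestamp):
        """Insert one event; return False when (sid, cid) is already taken."""
        self.cid += 1
        try:
            with self.db:  # commits on success, rolls back on error
                self.db.execute("INSERT INTO event VALUES (?, ?, ?, ?)",
                                (self.sid, self.cid, signature, timestamp))
            return True
        except sqlite3.IntegrityError:  # duplicate primary key (sid, cid)
            return False

def simulate(identities):
    """Start one writer per (hostname, interface); each logs a single event.
    Returns (number of sensor rows, per-writer insert success)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    writers = [Writer(db, h, i) for h, i in identities]
    results = [w.log_event(682, "2012-12-28 17:20:18") for w in writers]
    sensors = db.execute("SELECT COUNT(*) FROM sensor").fetchone()[0]
    return sensors, results

if __name__ == "__main__":
    print(simulate([("snort1", "eth0"), ("snort1", "eth0")]))  # shared identity
    print(simulate([("snort1", "eth0"), ("snort2", "eth0")]))  # distinct identities
```

With a shared identity both writers resolve to the same `sid` and the second insert fails on the `(sid, cid)` primary key; with distinct identities each writer gets its own `sid` and both inserts succeed.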