[Snort-users] Barnyard2 reports database insert errors

Dave Corsello snort-users at ...15598...
Fri Nov 1 23:11:43 EDT 2013


Hi elz,

I wonder if this problem could be related to the fact that this is all 
happening within ESXi.  My server has plenty of processing power and memory.

I also wonder if it could be related to my version of Linux or the the 
versions of prerequisite software?  I'm running Ubuntu 10.04.3. 
Upgrading is not an option.

Here are my answers to your questions:

1.  I'm using barnyard2 ver. 2.1.13 build 327.

2.  There's only one barnyard2 process and only one snort process 
running.  The timestamp in the error message is the same as the 
timestamp of the corresponding record in the database.  To me, this 
means that either:  1) there's just one successful insert, and barnyard2 
isn't getting notified that the insert was successful; or 2) the event 
is triggering multiple times during the span of one second and the cid 
isn't incrementing.  But 3 days ago, the very same signature triggered 
three times within the span of one second, and the cid incremented to 
allow insertion of all 3 alerts.

By elimination, I think the possibilities are that either: 1) MySQL is 
intermittently not sending back a status; 2) barnyard2 is intermittently 
not processing the MySQL status that it receives; or 3) sometimes the 
status message gets lost between the MySQL box and the Snort box.  
Number 3 might be supported by the fact that the NIC on my MySQL box 
shows in the neighborhood of 500 RX-ERR packets for every 3 million 
RX-OK packets daily.  My Snort box shows consistently 0 RX-ERR and 0 
TX-ERR.  But it would seem to me that RX-ERRs on the MySQL box would 
more likely result in botched inserts, not in status messages failing to 
transmit, right?  Unless the packets that are failing are ones that 
would indicate where MySQL should send a status message...  I wonder if 
this would cause MySQL to throw errors that appear in a log...  Nope, 
the MySQL error logs are empty.  Again, the RX-ERRs could be related to 
something peculiar within the overall environment.  I'll look into that 
when I have time.

3.  Here's the result of the query that you suggested:

+-------------------+--------+
| table_name        | engine |
+-------------------+--------+
| acid_ag           | MyISAM |
| acid_ag_alert     | MyISAM |
| acid_event        | MyISAM |
| acid_ip_cache     | MyISAM |
| agent_asset_names | InnoDB |
| aggregated_events | NULL   |
| asset_names       | InnoDB |
| base_roles        | MyISAM |
| base_users        | MyISAM |
| caches            | InnoDB |
| classifications   | InnoDB |
| daily_caches      | InnoDB |
| data              | InnoDB |
| delayed_jobs      | InnoDB |
| detail            | InnoDB |
| encoding          | InnoDB |
| event             | InnoDB |
| events_with_join  | NULL   |
| favorites         | InnoDB |
| icmphdr           | InnoDB |
| iphdr             | InnoDB |
| lookups           | InnoDB |
| notes             | InnoDB |
| notifications     | InnoDB |
| opt               | InnoDB |
| reference         | InnoDB |
| reference_system  | InnoDB |
| schema            | InnoDB |
| search            | InnoDB |
| sensor            | InnoDB |
| settings          | InnoDB |
| severities        | InnoDB |
| sig_class         | InnoDB |
| sig_reference     | InnoDB |
| signature         | InnoDB |
| tcphdr            | InnoDB |
| udphdr            | InnoDB |
| users             | InnoDB |
+-------------------+--------+


On 11/1/2013 3:12 PM, beenph wrote:
> On Fri, Nov 1, 2013 at 11:58 AM, Dave Corsello
> <snort-users at ...15598...> wrote:
>> Folks,
>>
> Hi Dave,
>
>> I asked about this a long time ago, and just recently looked at the
>> problem again.  I'm not sure if it's a barnyard2 problem, a MySQL
>> problem, or a problem with some other component.
>>
>> I'm getting intermittent errors similar to the following:
>>
>> Nov 1 10:25:14 snort2 barnyard2[XXXXX]: [Database()]: Insertion of Query
>> [INSERT INTO event (sid,cid,signature,timestamp) VALUES (X, XXXXXX,
>> XXXXXX, '2013-11-01 10:25:09');] failed
>>
> 1. Which version of barnyard2 are you using?
> 2. If you say that the record is there, then its normal that you get
> this error because
>      you can't have a record with the same sid(sensor id),cid(incident
> id) inserted.
>
> Would it be possible that you might have two barnyard2 process using
> the same configuration and processing the same spool file logging to
> the same database?
> wrong startup script  for example.
>
> Which storage engine are you using with MySQL?
> Could you return the result of the following query:
>        SELECT table_name,engine FROM INFORMATION_SCHEMA.TABLES WHERE
> table_schema=DATABASE();
>
>
>
>> But when I check the database, the record is there.  So, either a status
>> message is not making it from MySQL to barnyard2, or barnyard2 is
>> dropping the ball somehow.  The database resides on another machine.
>> Traffic between the snort/barnyard2 machine and the MySQL machine is
>> open on port 3306.
>>
>> Any ideas?
>>
> -elz

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20131101/551406a2/attachment.html>


More information about the Snort-users mailing list