[Snort-users] Barnyard2 reports database insert errors

Dave Corsello snort-users at ...15598...
Tue Nov 5 10:52:05 EST 2013


interactive_timeout is not configured in my.cnf or in the startup 
script.  I can't think of anything that could be killing mysqld.  Do you 
have anything specific in mind? The primary functions of this machine 
are MySQL server, Apache (for BASE) and SSH.  I can't correlate the 
timing of the errors to any processes (like the backup) that run on a 
schedule.

I failed to mention that I'm also getting fatal errors in 
dbProcessSignatureInformation from time to time:

Nov  4 06:53:28 snort1 barnyard2[24761]: INFO [dbProcessSignatureInformation()]: [Event: 1] with [gid: 1] [sid: 13990] [rev: 16] [classification: 12] [priority: 2] Signature Message -> "[SQL union select - possible sql injection attempt - GET parameter]" was not found in barnyard2 signature cache, this could mean its is the first time the signature is processed, and will be inserted in the database with the above information, this message should only be
printed once for each signature that is not present in the database. The new inserted signature will not have its information present in the sig_reference table, it should be present on restart if the information is present in the sid-msg.map file. You can allways update the message via a SQL query if you want it to be displayed correctly by your favorite interface
Nov  4 06:53:28 snort1 barnyard2[24761]: [dbProcessSignatureInformation()]: ERROR inserting new signature
Nov  4 06:53:28 snort1 barnyard2[24761]: FATAL ERROR: [dbProcessSignatureInformation()]: Failed, stoping processing

I've seen other discussions of this error, but have not done any 
debugging.  I don't know if this fatal error is related in any way to 
the insert errors that we've been discussing, but I'm including it in 
this thread in case you might find a correlation.  I got them several 
times about a year ago, and then three times over the past couple of 
weeks, twice on one sensor and once on the other, at random times.  The 
only changes that I made recently (besides changing the NIC type from 
Flexible to E1000 on the MySQL machine) were upgrades to Snort, daq and 
pulledpork to the latest versions.  I upgraded to ver 2.1.13 of 
barnyard2 months ago.

The insert errors that we had been discussing happen almost daily, and 
there was no change in frequency after the software updates that I just 
mentioned.

On 11/4/2013 12:25 PM, beenph wrote:
> On Mon, Nov 4, 2013 at 11:15 AM, Dave Corsello
> <snort-users at ...15598...> wrote:
>> Changing the adapter type to E1000 did get rid of the RX-ERRs, but I'm
>> still getting intermittent insert errors in barnyard2.
> I guess that some of your sessions could get timed out if they're
> inactive for a while, so when by2 tries to insert
> it will fail until it reconnects, and then succeed because it has a
> valid handle/connection.
>
> http://dev.mysql.com/doc/refman/5.5/en/server-system-variables.html#sysvar_interactive_timeout
>
> Also you might have a process that is killing your mysqld for a while
> invalidating current client session which
> could also be the cause.
>
>
>> Maybe VMware is
>> reassigning memory that hasn't been used in awhile?  Will try reserving
>> memory.
>>
> Doubt that a lot.
>
> -elz
