[Snort-users] Barnyard2 reports database insert errors
snort-users at ...15598...
Tue Nov 5 10:52:05 EST 2013
|interactive_timeout |is not configured in my.cnf or in the startup
script. I can't think of anything that could be killing mysqld. Do you
have anything specific in mind? The primary functions of this machine
are MySQL server, Apache (for BASE) and SSH. I can't correlate the
timing of the errors to any processes (like the backup) that run on a
I failed to mention that I'm also getting fatal errors in
dbProcessSignatureInformation from time to time:
Nov 4 06:53:28 snort1 barnyard2: INFO [dbProcessSignatureInformation()]: [Event: 1] with [gid: 1] [sid: 13990] [rev: 16] [classification: 12] [priority: 2] Signature Message -> "[SQL union select - possible sql injection attempt - GET parameter]" was not found in barnyard2 signature cache, this could mean its is the first time the signature is processed, and will be inserted in the database with the above information, this message should only be
printed once for each signature that is not present in the database. The new inserted signature will not have its information present in the sig_reference table, it should be present on restart if the information is present in the sid-msg.map file. You can allways update the message via a SQL query if you want it to be displayed correctly by your favorite interface
Nov 4 06:53:28 snort1 barnyard2: [dbProcessSignatureInformation()]: ERROR inserting new signature
Nov 4 06:53:28 snort1 barnyard2: FATAL ERROR: [dbProcessSignatureInformation()]: Failed, stoping processing
I've seen other discussions of this error, but have not done any
debugging. I don't know if this fatal error is related in any way to
the insert errors that we've been discussing, but I'm including it in
this thread in case you might find a correlation. I got them several
times about a year ago, and then three times over the past couple of
weeks, twice on one sensor and once on the other, at random times. The
only changes that I made recently (besides changing the NIC type from
Flexible to E1000 on the MySQL machine) were upgrades to Snort, daq and
pulledpork to the latest versions. I upgraded to ver 2.1.13 of
barnyard2 months ago.
The insert errors that we had been discussing happen almost daily, and
there was no change in frequency after the software updates that I just
On 11/4/2013 12:25 PM, beenph wrote:
> On Mon, Nov 4, 2013 at 11:15 AM, Dave Corsello
> <snort-users at ...15598...> wrote:
>> Changing the adapter type to E1000 did get rid of the RX-ERRs, but I'm
>> still getting intermittent insert errors in barnyard2.
> I guess that some of your sessions could get timmed out if their
> innactive for a while so when by2 try to insert
> it will fail until it reconnect, and then succede because the it has a
> valid handle/connection.
> Also you might have a process that is killing your mysqld for a while
> invalidating current client session which
> could also be the cause.
>> Maybe VMware is
>> reassigning memory that hasn't been used in awhile? Will try reserving
> Doubt that alot.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users