[Snort-users] Barnyard2 problems with reputation preproc rules

beenph beenph at ...11827...
Mon Feb 3 11:52:17 EST 2014


On Mon, Feb 3, 2014 at 10:17 AM, Dave Corsello
<snort-users at ...15598...> wrote:
> MySQL version 5.1.49
>

I would highly suggest upgrading in the near future.


> To the best of my recollection, I never ran ALTER TABLE to change the
> storage engine.  The only changes to this database were done by the BASE
> script that adds the acid tables, which I ran a couple of years ago.

>
> Here are the results of the query:
>
> +--------+--------------+-----------------------------------+--------------+---------+---------+---------+--------------+
> | sig_id | sig_class_id | sig_name                          | sig_priority | sig_rev | sig_sid | sig_gid | events_count |
> +--------+--------------+-----------------------------------+--------------+---------+---------+---------+--------------+
> |  16501 |            4 | reputation: Packet is blacklisted |            2 |       1 |       1 |     136 |        65341 |
> |  17372 |            0 | reputation: Packet is blacklisted |            0 |       1 |       1 |     136 |            0 |
> +--------+--------------+-----------------------------------+--------------+---------+---------+---------+--------------+
>

Seems like you have some leftovers from 2-1.11 in your signature table:
signatures with a sig_class_id of 0 and/or a priority of 0. This is what
is causing the issue.


Here is how you can fix this.

Stop all barnyard2 processes.

1. Copy/paste the body below into a mysql query (in the console client),
without the <STOREDPROC MYSQL> and </STOREDPROC MYSQL> tags.

< STOREDPROC MYSQL>
-- IF EXISTS makes this block safe to paste more than once: a bare DROP
-- errors out on a fresh database where the procedure does not exist yet.
DROP PROCEDURE IF EXISTS fixsigs;
delimiter $$
CREATE PROCEDURE fixsigs(IN proc_gid INT, OUT return_val VARCHAR(50))
BEGIN
DECLARE GID_COUNT INT DEFAULT 0;
DECLARE GID_SID_MIN INT;
DECLARE GID_SID_MAX INT;
DECLARE C_SID INT;
DECLARE GOOD_SIG INT;
DECLARE cursorGIDSid CURSOR FOR SELECT MIN(sig_sid),MAX(sig_sid) FROM
signature WHERE sig_gid=proc_gid;
DECLARE cursorGIDcount CURSOR FOR SELECT COUNT(sig_sid) FROM signature
WHERE sig_gid=proc_gid GROUP BY sig_gid;
-- A gid with no rows at all makes the FETCH below return nothing; without
-- this handler the CALL aborts with "No data - zero rows fetched".
DECLARE CONTINUE HANDLER FOR NOT FOUND SET GID_COUNT = 0;
OPEN cursorGIDcount;
FETCH cursorGIDcount INTO GID_COUNT;
IF GID_COUNT > 1 THEN
SET return_val = 'OPERATED';
OPEN cursorGIDSid;
FETCH cursorGIDSid INTO GID_SID_MIN,GID_SID_MAX;
SET return_val = CONCAT(return_val,' MIN:',GID_SID_MIN,' MAX: ',GID_SID_MAX);

SET C_SID = GID_SID_MIN;
WHILE C_SID <= GID_SID_MAX DO
-- Proper row for this gid/sid (class and priority both set). MIN() keeps
-- this a single value even if several revisions exist, and is NULL when
-- there is no proper row; in that case the stale row and its events are
-- left alone rather than repointed to NULL and orphaned.
SELECT MIN(sig_id) INTO GOOD_SIG FROM signature WHERE sig_gid=proc_gid
AND sig_sid=C_SID AND sig_class_id <> 0 AND sig_priority <> 0;
IF GOOD_SIG IS NOT NULL THEN
-- Repoint events from the stale (class 0 / priority 0) row to the proper
-- one, then drop the stale row.
UPDATE event SET signature=GOOD_SIG WHERE signature IN (SELECT sig_id
FROM signature WHERE sig_gid=proc_gid AND sig_sid=C_SID AND
sig_class_id=0 AND sig_priority=0);
DELETE FROM signature WHERE sig_gid=proc_gid AND sig_sid=C_SID AND
sig_class_id=0 AND sig_priority=0;
END IF;

SET C_SID = C_SID + 1;
END WHILE;
CLOSE cursorGIDSid;

ELSE
SET return_val = 'NOTHING TO DO';
END IF;
CLOSE cursorGIDcount;
END$$
delimiter ;
</STOREDPROC MYSQL>

2. In another query, paste the following and let it execute
(without < START> and <END>).
Please include the result of the execution if you can.
Also make sure that you execute the calls below in the same session in
which you executed the SQL above, else the fixsigs procedure will not
exist and the calls below will fail.

< START>
call fixsigs(100, @a);
call fixsigs(101, @a);
call fixsigs(102, @a);
call fixsigs(103, @a);
call fixsigs(104, @a);
call fixsigs(105, @a);
call fixsigs(106, @a);
call fixsigs(110, @a);
call fixsigs(111, @a);
call fixsigs(112, @a);
call fixsigs(113, @a);
call fixsigs(114, @a);
call fixsigs(115, @a);
call fixsigs(116, @a);
call fixsigs(117, @a);
call fixsigs(118, @a);
call fixsigs(119, @a);
call fixsigs(120, @a);
call fixsigs(121, @a);
call fixsigs(122, @a);
call fixsigs(123, @a);
call fixsigs(124, @a);
call fixsigs(125, @a);
call fixsigs(126, @a);
call fixsigs(128, @a);
call fixsigs(129, @a);
call fixsigs(130, @a);
call fixsigs(131, @a);
call fixsigs(133, @a);
call fixsigs(134, @a);
call fixsigs(135, @a);
call fixsigs(136, @a);
call fixsigs(137, @a);
call fixsigs(138, @a);
call fixsigs(139, @a);
call fixsigs(140, @a);
call fixsigs(141, @a);
call fixsigs(142, @a);
call fixsigs(143, @a);
call fixsigs(144, @a);
call fixsigs(145, @a);
call fixsigs(2, @a);
call fixsigs(3, @a);
< END>

3. restart barnyard2
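The procedure above walks one gid at a time, one sid per loop iteration. The following is an added example, not part of the original post or of barnyard2, showing the same cleanup done set-based across all gids at once: a read-only dry run first, then the repoint-and-delete wrapped so it can be checked before it is committed. It assumes only the `signature` and `event` tables and columns the procedure already references; the temporary table name `sig_remap` is this example's own choice. Unlike the loop, it deliberately leaves alone any stale row that has no proper counterpart, so no event is ever left pointing at a deleted signature.

```sql
-- Added example (not from the original post). Run with barnyard2 stopped.

-- 1. Dry run: every stale row (class 0 / priority 0) that has a proper row
--    for the same gid/sid, the sig_id events should be moved to, and how
--    many events still reference the stale one. On the poster's data this
--    lists (136, 1): stale 17372, keep 16501, stale_events 0.
SELECT bad.sig_gid, bad.sig_sid,
       bad.sig_id       AS stale_sig_id,
       MIN(good.sig_id) AS keep_sig_id,
       (SELECT COUNT(*) FROM event e WHERE e.signature = bad.sig_id) AS stale_events
FROM signature bad
JOIN signature good
  ON  good.sig_gid = bad.sig_gid
  AND good.sig_sid = bad.sig_sid
  AND good.sig_id <> bad.sig_id
  AND NOT (good.sig_class_id = 0 AND good.sig_priority = 0)
WHERE bad.sig_class_id = 0 AND bad.sig_priority = 0
GROUP BY bad.sig_id;

-- 2. Materialise the mapping once (temporary table name is this example's
--    choice). MIN() keeps exactly one target per stale id, so the UPDATE
--    below is deterministic even if a gid/sid has several proper revisions.
CREATE TEMPORARY TABLE sig_remap AS
SELECT bad.sig_id AS stale_sig_id, MIN(good.sig_id) AS keep_sig_id
FROM signature bad
JOIN signature good
  ON  good.sig_gid = bad.sig_gid
  AND good.sig_sid = bad.sig_sid
  AND good.sig_id <> bad.sig_id
  AND NOT (good.sig_class_id = 0 AND good.sig_priority = 0)
WHERE bad.sig_class_id = 0 AND bad.sig_priority = 0
GROUP BY bad.sig_id;

START TRANSACTION;

-- 3. Repoint events, then drop the stale rows. Order matters: the DELETE
--    only removes ids that no event references any more.
UPDATE event e
JOIN sig_remap r ON r.stale_sig_id = e.signature
SET e.signature = r.keep_sig_id;

DELETE s FROM signature s
JOIN sig_remap r ON r.stale_sig_id = s.sig_id;

-- 4. Check before committing: must be 0. If it is not, ROLLBACK instead.
SELECT COUNT(*) AS orphaned_events
FROM event e
LEFT JOIN signature s ON s.sig_id = e.signature
WHERE s.sig_id IS NULL;

COMMIT;
DROP TEMPORARY TABLE sig_remap;
```

Two caveats. The transaction only buys a ROLLBACK if the tables are InnoDB; on the MyISAM default of MySQL 5.1 the UPDATE and DELETE are applied immediately, which is why the dry run comes first. And if the BASE script created its `acid_event` cache table on this database, that table carries its own per-event signature id and would need the same remap (verify against your schema; it is outside this example). When using the poster's procedure instead, the OUT parameter is read back with `SELECT @a;` after each `call fixsigs(...)`.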



