[Snort-users] mysql_error: Duplicate entry 1-2 for key PRIMARY table event

Jeremy Hoel jthoel at ...11827...
Wed May 14 12:50:59 EDT 2014


This is a BY2 error (as you stated) and not a Snort error; it would be best
to post it to the BY2 mailing list.

https://groups.google.com/forum/#!forum/barnyard2-users

And in reference to this problem, it's something that happens with BY2 when
two tasks update the table at basically the same time.

There are fixes involving editing the database table.

https://groups.google.com/forum/#!searchin/barnyard2-users/%22database$20mysql_error$3A$20Duplicate$20entry%22$20primary




On Wed, May 14, 2014 at 9:34 AM, c0re <nr1c0re at ...11827...> wrote:

> Hello snort users!
>
> I'm trying to set up barnyard2 and keep failing with it.
> When I start barnyard2:
>
> /usr/local/barnyard2-1.13/bin/barnyard2 -c
> /usr/local/barnyard2-1.13/etc/barnyard2.conf -d /var/log/snort -w
> /var/log/barnyard2/snort_dmz2.log.waldo -vvv -f snort_dmz2.log
>
> It starts fine. But when I start snort, barnyard2 sees new unified2 logs
> and tries to insert them into the database, and gives a Fatal error:
>
> Opened spool file '/var/log/snort/snort_dmz2.log.1399902485'
> 05/12-17:48:05.783972  [**] [124:1:1] <dmz2> smtp: Attempted command
> buffer overflow [**] [Classification: Attempted Administrator Privilege
> Gain] [Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
> 05/12-17:48:05.815952  [**] [124:1:1] <dmz2> smtp: Attempted command
> buffer overflow [**] [Classification: Attempted Administrator Privilege
> Gain] [Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
> ERROR: database mysql_error: Duplicate entry '1-2' for key 'PRIMARY'
>         SQL=[INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 2,
> 253, '2014-05-12 17:48:05');]
> Fatal Error, Quitting..
> Barnyard2 exiting
>
> I have a fresh install of snort, pulledpork and barnyard2.
>
> OS FreeBSD 8.3-RELEASE-p8
> snort-2.9.6.0_1
> pulledpork-0.7.0
> barnyard2-1.13 built with --enable-debug, latest bug-fix from git because
> I had ERROR 0x0 and 0x7 in the 1.13 version.
>
> I've got only one snort instance and a fresh database for barnyard2.
> Tables in DB are InnoDB type.
>
> barnyard2 config:
>
> cool-ids# egrep -v '^$|^#' /usr/local/barnyard2-1.13/etc/barnyard2.conf
> config reference_file:      /usr/local/etc/snort/reference.config
> config classification_file: /usr/local/etc/snort/classification.config
> config gen_file:            /usr/local/etc/snort/gen-msg.map
> config sid_file:            /usr/local/etc/snort/sid-msg.map
> config hostname:   cool-ids
> config interface:  dmz2
> config alert_with_interface_name
> config process_new_records_only
> input unified2
> output alert_fast: stdout
> output database: alert, mysql, user=snort password=mypw dbname=snort
> host=5.5.5.5
> output database: log, mysql, user=snort password=mypw dbname=snort
> host=5.5.5.5
>
> Full log of barnyard2:
>
> cool-ids# /usr/local/barnyard2-1.13/bin/barnyard2 -c
> /usr/local/barnyard2-1.13/etc/barnyard2.conf -d /var/log/snort -w
> /var/log/barnyard2/snort_dmz2.log.waldo -vvv -f snort_dmz2.log
> Running in Continuous mode
>
>         --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> DEBUG => [Alert_FWsam](AlertFWsamSetup) Output plugin is plugged in...
> Parsing config file "/usr/local/barnyard2-1.13/etc/barnyard2.conf"
>
>
> +[ Signature Suppress list ]+
> ----------------------------
> +[No entry in Signature Suppress List]+
> ----------------------------
> +[ Signature Suppress list ]+
>
> Barnyard2 spooler: Event cache size set to [2048]
> Log directory = /var/log/barnyard2
> INFO database: Defaulting Reconnect/Transaction Error limit to 10
> INFO database: Defaulting Reconnect sleep time to 5 second
> INFO database: Defaulting Reconnect/Transaction Error limit to 10
> INFO database: Defaulting Reconnect sleep time to 5 second
> Node unique name is: cool-ids:dmz2
>
> [ClassificationPullDataStore()]: No Classification found in database ...
> [SignaturePullDataStore()]: No signature found in database ...
> [SystemPullDataStore()]: No System found in database ...
> [ReferencePullDataStore()]: No Reference found in database ...
> [SignatureReferencePullDataStore()]: No Reference found in database ...
> database: compiled support for (mysql)
> database: configured to use mysql
> database: schema version = 107
> database:           host = 5.5.5.5
> database:           user = snort
> database:  database name = snort
> database:    sensor name = cool-ids:dmz2
> database:      sensor id = 1
> database:     sensor cid = 1
> database:  data encoding = hex
> database:   detail level = full
> database:     ignore_bpf = no
> database: using the "alert" facility
> Node unique name is: cool-ids:dmz2
>
> database: compiled support for (mysql)
> database: configured to use mysql
> database: schema version = 107
> database:           host = 5.5.5.5
> database:           user = snort
> database:  database name = snort
> database:    sensor name = cool-ids:dmz2
> database:      sensor id = 1
> database:     sensor cid = 2
> database:  data encoding = hex
> database:   detail level = full
> database:     ignore_bpf = no
> database: using the "log" facility
> -------------------------------------------------
>  Keyword     |          Input @
> -------------------------------------------------
> unified2     : init() = 0x445970
> unified2     :   - readRecordHeader() = 0x4459f0
> unified2     :   - readRecord()       = 0x445bd0
> -------------------------------------------------
>
> -------------------------------------------------
>  Keyword     |          Output @
> -------------------------------------------------
> alert_cef    :       0x429d90
> alert_syslog :       0x430210
> log_tcpdump  :       0x432da0
> database     :       0x439f70
> alert_fast   :       0x42bb00
> alert_full   :       0x42c720
> alert_fwsam  :       0x42cf30
> alert_unixsock:       0x431770
> alert_csv    :       0x42a7e0
> log_null     :       0x432ca0
> log_ascii    :       0x432030
> alert_test   :       0x430fd0
> sguil        :       0x433b30
> alert_syslog_full:       0x434d60
> log_syslog_full:       0x434d40
> -------------------------------------------------
>
>
>         --== Initialization Complete ==--
>
>   ______   -*> Barnyard2 <*-
>  / ,,_  \  Version 2.1.13 (Build 333) DEBUG
>  |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
>  + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy at ...14568...>
>
> WARNING: Ignoring corrupt/truncated waldofile
> '/var/log/barnyard2/snort_dmz2.log.waldo'
> Waiting for new spool file
> Opened spool file '/var/log/snort/snort_dmz2.log.1399902485'
> 05/12-17:48:05.783972  [**] [124:1:1] <dmz2> smtp: Attempted command
> buffer overflow [**] [Classification: Attempted Administrator Privilege
> Gain] [Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
> 05/12-17:48:05.815952  [**] [124:1:1] <dmz2> smtp: Attempted command
> buffer overflow [**] [Classification: Attempted Administrator Privilege
> Gain] [Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
> ERROR: database mysql_error: Duplicate entry '1-2' for key 'PRIMARY'
>         SQL=[INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 2,
> 253, '2014-05-12 17:48:05');]
> Fatal Error, Quitting..
> Barnyard2 exiting
> database: Closing connection to database "snort"
> database: Closing connection to database "snort"
>
> ===============================================================================
> Record Totals:
>    Records:           3
>    Events:           1 (33.333%)
>    Packets:           2 (66.667%)
>    Unknown:           0 (0.000%)
>    Suppressed:           0 (0.000%)
>
> ===============================================================================
> Packet breakdown by protocol (includes rebuilt packets):
>       ETH: 2          (100.000%)
>   ETHdisc: 0          (0.000%)
>      VLAN: 0          (0.000%)
>      IPV6: 0          (0.000%)
>   IP6 EXT: 0          (0.000%)
>   IP6opts: 0          (0.000%)
>   IP6disc: 0          (0.000%)
>       IP4: 2          (100.000%)
>   IP4disc: 0          (0.000%)
>     TCP 6: 0          (0.000%)
>     UDP 6: 0          (0.000%)
>     ICMP6: 0          (0.000%)
>   ICMP-IP: 0          (0.000%)
>       TCP: 2          (100.000%)
>       UDP: 0          (0.000%)
>      ICMP: 0          (0.000%)
>   TCPdisc: 0          (0.000%)
>   UDPdisc: 0          (0.000%)
>   ICMPdis: 0          (0.000%)
>      FRAG: 0          (0.000%)
>    FRAG 6: 0          (0.000%)
>       ARP: 0          (0.000%)
>     EAPOL: 0          (0.000%)
>   ETHLOOP: 0          (0.000%)
>       IPX: 0          (0.000%)
> IPv4/IPv4: 0          (0.000%)
> IPv4/IPv6: 0          (0.000%)
> IPv6/IPv4: 0          (0.000%)
> IPv6/IPv6: 0          (0.000%)
>       GRE: 0          (0.000%)
>   GRE ETH: 0          (0.000%)
>  GRE VLAN: 0          (0.000%)
>  GRE IPv4: 0          (0.000%)
>  GRE IPv6: 0          (0.000%)
> GRE IP6 E: 0          (0.000%)
>  GRE PPTP: 0          (0.000%)
>   GRE ARP: 0          (0.000%)
>   GRE IPX: 0          (0.000%)
>  GRE LOOP: 0          (0.000%)
>      MPLS: 0          (0.000%)
>     OTHER: 0          (0.000%)
>   DISCARD: 0          (0.000%)
> InvChkSum: 0          (0.000%)
>    S5 G 1: 0          (0.000%)
>    S5 G 2: 0          (0.000%)
>     Total: 2
>
> ===============================================================================
> Closing spool file '/var/log/snort/snort_dmz2.log.1399902485'. Read 3
> records
> cool-ids#
>
> What is happening? What can I do with it?
>
> It's a fresh and empty DB that gets populated when barnyard2 starts, but it fails
> within no more than 5 records with the Duplicate entry error.
>
>
>
>
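The duplicate-key error above is a textbook lost-update race: two writers share one sensor id (sid), each hands out the next cid from a counter it read at start-up, and the second one to reach the same (sid, cid) pair trips the primary key on `event`. The following is an added example (not barnyard2's own code, and not the fix from the BY2 list linked above) that reproduces the mechanism on a constructed, cut-down copy of the `sensor` and `event` tables in SQLite, and contrasts it with allocating the cid inside the same write transaction as the insert, so that the database serializes the two writers. Table columns, the writer classes and the `last_cid` counter are assumptions of the model, not the real BY2 schema.

```python
import sqlite3

# Constructed schema: a cut-down model of the two tables involved in the error.
# sensor keeps the last cid handed out; event is keyed on (sid, cid).
SCHEMA = """
CREATE TABLE sensor (
    sid      INTEGER PRIMARY KEY,
    hostname TEXT NOT NULL,
    last_cid INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL,
    timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

INSERT_EVENT = "INSERT INTO event (sid, cid, signature, timestamp) VALUES (?, ?, ?, ?)"


def fresh_db():
    """In-memory database with one registered sensor (sid 1), like a fresh install."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit; BEGIN is explicit
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor (sid, hostname, last_cid) VALUES (1, 'cool-ids:dmz2', 0)")
    return conn


class CachedCidWriter:
    """Writer that reads the sensor's last cid once at start-up and then counts locally.
    Two such writers on the same sid never learn about each other's inserts."""

    def __init__(self, conn, sid):
        self.conn, self.sid = conn, sid
        row = conn.execute("SELECT last_cid FROM sensor WHERE sid = ?", (sid,)).fetchone()
        self.next_cid = row[0] + 1

    def insert(self, signature, ts):
        cid = self.next_cid
        self.conn.execute(INSERT_EVENT, (self.sid, cid, signature, ts))
        self.conn.execute("UPDATE sensor SET last_cid = ? WHERE sid = ?", (cid, self.sid))
        self.next_cid += 1
        return cid


class AtomicCidWriter:
    """Writer that bumps the counter and inserts the event in one write transaction,
    so concurrent writers on the same sid are serialized by the database lock."""

    def __init__(self, conn, sid):
        self.conn, self.sid = conn, sid

    def insert(self, signature, ts):
        cur = self.conn.cursor()
        cur.execute("BEGIN IMMEDIATE")  # take the write lock before touching the counter
        try:
            cur.execute("UPDATE sensor SET last_cid = last_cid + 1 WHERE sid = ?", (self.sid,))
            cid = cur.execute("SELECT last_cid FROM sensor WHERE sid = ?", (self.sid,)).fetchone()[0]
            cur.execute(INSERT_EVENT, (self.sid, cid, signature, ts))
            cur.execute("COMMIT")
        except Exception:
            cur.execute("ROLLBACK")
            raise
        return cid


def reproduce_collision():
    """Two cached writers (think: the 'alert' and 'log' facilities) on sid 1.
    Returns the database error text, or None if no collision occurred."""
    conn = fresh_db()
    alert = CachedCidWriter(conn, 1)  # both start believing the next cid is 1
    log = CachedCidWriter(conn, 1)
    alert.insert(253, "2014-05-12 17:48:05")
    try:
        log.insert(253, "2014-05-12 17:48:05")  # same (sid, cid) -> primary key violation
    except sqlite3.IntegrityError as exc:
        return str(exc)
    return None


def interleaved_atomic():
    """The same interleaving with atomic allocation; returns the cids handed out."""
    conn = fresh_db()
    alert, log = AtomicCidWriter(conn, 1), AtomicCidWriter(conn, 1)
    ts = "2014-05-12 17:48:05"
    return [alert.insert(253, ts), log.insert(253, ts), alert.insert(253, ts), log.insert(253, ts)]


if __name__ == "__main__":
    print("cached counters:", reproduce_collision())
    print("atomic allocation:", interleaved_atomic())
```

The cached variant fails on the second insert with a UNIQUE-constraint error on (sid, cid), which is the SQLite spelling of the MySQL "Duplicate entry '1-2' for key 'PRIMARY'" in the log above; the atomic variant hands out 1, 2, 3, 4 in order because each writer reads the counter only while holding the write lock. MySQL with InnoDB gives the same guarantee if the counter read and the insert share one transaction (`SELECT ... FOR UPDATE` or an `UPDATE` of the counter first), which is the property any fix to the table layout has to preserve.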