[Snort-users] mysql_error: Duplicate entry 1-2 for key PRIMARY table event

beenph beenph at ...11827...
Sat May 24 13:32:32 EDT 2014


It can also happen when people have upgraded from <2-1.13 and have not
read the release notes that ask to delete the sig_reference table
before upgrading.

https://groups.google.com/forum/#!topic/barnyard2-users/IIoyClc7XTc
<SNIP>
UPGRADE REQUIREMENTS

If you are upgrading to barnyard2 2-1.13 (build 327) or above from a
previous version and using output database.

You will need to delete every row in your sig_reference table. (DELETE
FROM sig_reference;)

The table will be re-populated at startup, and has no impact on historical data.
</SNIP>

On Wed, May 14, 2014 at 12:50 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
> This is a BY2 error (as you stated) and not a snort error; it would be best
> to post it to the BY2 mailing list.
>
> https://groups.google.com/forum/#!forum/barnyard2-users
>
> And in reference to this problem, it's something that happens with BY2 when
> two tasks update the table at basically the same time.
>
> There are fixes involving editing the database table.
>
> https://groups.google.com/forum/#!searchin/barnyard2-users/%22database$20mysql_error$3A$20Duplicate$20entry%22$20primary
>
>
>
>
> On Wed, May 14, 2014 at 9:34 AM, c0re <nr1c0re at ...11827...> wrote:
>>
>> Hello snort users!
>>
>> I'm trying to set up barnyard2 and keep failing with it.
>> When I start barnyard2:
>>
>> /usr/local/barnyard2-1.13/bin/barnyard2 -c
>> /usr/local/barnyard2-1.13/etc/barnyard2.conf -d /var/log/snort -w
>> /var/log/barnyard2/snort_dmz2.log.waldo -vvv -f snort_dmz2.log
>>
>> It starts fine. But when I start snort, barnyard2 sees new unified2 logs
>> and tries to insert them into the database, and gives a fatal error:
>>
>> Opened spool file '/var/log/snort/snort_dmz2.log.1399902485'
>> 05/12-17:48:05.783972  [**] [124:1:1] <dmz2> smtp: Attempted command
>> buffer overflow [**] [Classification: Attempted Administrator Privilege
>> Gain] [Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
>> 05/12-17:48:05.815952  [**] [124:1:1] <dmz2> smtp: Attempted command
>> buffer overflow [**] [Classification: Attempted Administrator Privilege
>> Gain] [Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
>> ERROR: database mysql_error: Duplicate entry '1-2' for key 'PRIMARY'
>>         SQL=[INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 2,
>> 253, '2014-05-12 17:48:05');]
>> Fatal Error, Quitting..
>> Barnyard2 exiting
>>
>> I have fresh install of snort, pulledpork and barnyard2.
>>
>> OS FreeBSD 8.3-RELEASE-p8
>> snort-2.9.6.0_1
>> pulledpork-0.7.0
>> barnyard2-1.13 built with --enable-debug, latest bug-fix from git because
>> I had ERROR 0x0 and 0x7 in 1.13 version.
>>
>> I've got only one snort instance and fresh database for barnyard2.
>> Tables in DB are InnoDB type.
>>
>> barnyard2 config:
>>
>> cool-ids# egrep -v '^$|^#' /usr/local/barnyard2-1.13/etc/barnyard2.conf
>> config reference_file:      /usr/local/etc/snort/reference.config
>> config classification_file: /usr/local/etc/snort/classification.config
>> config gen_file:            /usr/local/etc/snort/gen-msg.map
>> config sid_file:            /usr/local/etc/snort/sid-msg.map
>> config hostname:   cool-ids
>> config interface:  dmz2
>> config alert_with_interface_name
>> config process_new_records_only
>> input unified2
>> output alert_fast: stdout
>> output database: alert, mysql, user=snort password=mypw dbname=snort
>> host=5.5.5.5
>> output database: log, mysql, user=snort password=mypw dbname=snort
>> host=5.5.5.5
>>
>> Full log of barnyard2:
>>
>> cool-ids# /usr/local/barnyard2-1.13/bin/barnyard2 -c
>> /usr/local/barnyard2-1.13/etc/barnyard2.conf -d /var/log/snort -w
>> /var/log/barnyard2/snort_dmz2.log.waldo -vvv -f snort_dmz2.log
>> Running in Continuous mode
>>
>>         --== Initializing Barnyard2 ==--
>> Initializing Input Plugins!
>> Initializing Output Plugins!
>> DEBUG => [Alert_FWsam](AlertFWsamSetup) Output plugin is plugged in...
>> Parsing config file "/usr/local/barnyard2-1.13/etc/barnyard2.conf"
>>
>>
>> +[ Signature Suppress list ]+
>> ----------------------------
>> +[No entry in Signature Suppress List]+
>> ----------------------------
>> +[ Signature Suppress list ]+
>>
>> Barnyard2 spooler: Event cache size set to [2048]
>> Log directory = /var/log/barnyard2
>> INFO database: Defaulting Reconnect/Transaction Error limit to 10
>> INFO database: Defaulting Reconnect sleep time to 5 second
>> INFO database: Defaulting Reconnect/Transaction Error limit to 10
>> INFO database: Defaulting Reconnect sleep time to 5 second
>> Node unique name is: cool-ids:dmz2
>>
>> [ClassificationPullDataStore()]: No Classification found in database ...
>> [SignaturePullDataStore()]: No signature found in database ...
>> [SystemPullDataStore()]: No System found in database ...
>> [ReferencePullDataStore()]: No Reference found in database ...
>> [SignatureReferencePullDataStore()]: No Reference found in database ...
>> database: compiled support for (mysql)
>> database: configured to use mysql
>> database: schema version = 107
>> database:           host = 5.5.5.5
>> database:           user = snort
>> database:  database name = snort
>> database:    sensor name = cool-ids:dmz2
>> database:      sensor id = 1
>> database:     sensor cid = 1
>> database:  data encoding = hex
>> database:   detail level = full
>> database:     ignore_bpf = no
>> database: using the "alert" facility
>> Node unique name is: cool-ids:dmz2
>>
>> database: compiled support for (mysql)
>> database: configured to use mysql
>> database: schema version = 107
>> database:           host = 5.5.5.5
>> database:           user = snort
>> database:  database name = snort
>> database:    sensor name = cool-ids:dmz2
>> database:      sensor id = 1
>> database:     sensor cid = 2
>> database:  data encoding = hex
>> database:   detail level = full
>> database:     ignore_bpf = no
>> database: using the "log" facility
>> -------------------------------------------------
>>  Keyword     |          Input @
>> -------------------------------------------------
>> unified2     : init() = 0x445970
>> unified2     :   - readRecordHeader() = 0x4459f0
>> unified2     :   - readRecord()       = 0x445bd0
>> -------------------------------------------------
>>
>> -------------------------------------------------
>>  Keyword     |          Output @
>> -------------------------------------------------
>> alert_cef    :       0x429d90
>> alert_syslog :       0x430210
>> log_tcpdump  :       0x432da0
>> database     :       0x439f70
>> alert_fast   :       0x42bb00
>> alert_full   :       0x42c720
>> alert_fwsam  :       0x42cf30
>> alert_unixsock:       0x431770
>> alert_csv    :       0x42a7e0
>> log_null     :       0x432ca0
>> log_ascii    :       0x432030
>> alert_test   :       0x430fd0
>> sguil        :       0x433b30
>> alert_syslog_full:       0x434d60
>> log_syslog_full:       0x434d40
>> -------------------------------------------------
>>
>>
>>         --== Initialization Complete ==--
>>
>>   ______   -*> Barnyard2 <*-
>>  / ,,_  \  Version 2.1.13 (Build 333) DEBUG
>>  |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
>>  + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy at ...14568...>
>>
>> WARNING: Ignoring corrupt/truncated waldofile
>> '/var/log/barnyard2/snort_dmz2.log.waldo'
>> Waiting for new spool file
>> Opened spool file '/var/log/snort/snort_dmz2.log.1399902485'
>> 05/12-17:48:05.783972  [**] [124:1:1] <dmz2> smtp: Attempted command
>> buffer overflow [**] [Classification: Attempted Administrator Privilege
>> Gain] [Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
>> 05/12-17:48:05.815952  [**] [124:1:1] <dmz2> smtp: Attempted command
>> buffer overflow [**] [Classification: Attempted Administrator Privilege
>> Gain] [Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
>> ERROR: database mysql_error: Duplicate entry '1-2' for key 'PRIMARY'
>>         SQL=[INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 2,
>> 253, '2014-05-12 17:48:05');]
>> Fatal Error, Quitting..
>> Barnyard2 exiting
>> database: Closing connection to database "snort"
>> database: Closing connection to database "snort"
>>
>> ===============================================================================
>> Record Totals:
>>    Records:           3
>>    Events:           1 (33.333%)
>>    Packets:           2 (66.667%)
>>    Unknown:           0 (0.000%)
>>    Suppressed:           0 (0.000%)
>>
>> ===============================================================================
>> Packet breakdown by protocol (includes rebuilt packets):
>>       ETH: 2          (100.000%)
>>   ETHdisc: 0          (0.000%)
>>      VLAN: 0          (0.000%)
>>      IPV6: 0          (0.000%)
>>   IP6 EXT: 0          (0.000%)
>>   IP6opts: 0          (0.000%)
>>   IP6disc: 0          (0.000%)
>>       IP4: 2          (100.000%)
>>   IP4disc: 0          (0.000%)
>>     TCP 6: 0          (0.000%)
>>     UDP 6: 0          (0.000%)
>>     ICMP6: 0          (0.000%)
>>   ICMP-IP: 0          (0.000%)
>>       TCP: 2          (100.000%)
>>       UDP: 0          (0.000%)
>>      ICMP: 0          (0.000%)
>>   TCPdisc: 0          (0.000%)
>>   UDPdisc: 0          (0.000%)
>>   ICMPdis: 0          (0.000%)
>>      FRAG: 0          (0.000%)
>>    FRAG 6: 0          (0.000%)
>>       ARP: 0          (0.000%)
>>     EAPOL: 0          (0.000%)
>>   ETHLOOP: 0          (0.000%)
>>       IPX: 0          (0.000%)
>> IPv4/IPv4: 0          (0.000%)
>> IPv4/IPv6: 0          (0.000%)
>> IPv6/IPv4: 0          (0.000%)
>> IPv6/IPv6: 0          (0.000%)
>>       GRE: 0          (0.000%)
>>   GRE ETH: 0          (0.000%)
>>  GRE VLAN: 0          (0.000%)
>>  GRE IPv4: 0          (0.000%)
>>  GRE IPv6: 0          (0.000%)
>> GRE IP6 E: 0          (0.000%)
>>  GRE PPTP: 0          (0.000%)
>>   GRE ARP: 0          (0.000%)
>>   GRE IPX: 0          (0.000%)
>>  GRE LOOP: 0          (0.000%)
>>      MPLS: 0          (0.000%)
>>     OTHER: 0          (0.000%)
>>   DISCARD: 0          (0.000%)
>> InvChkSum: 0          (0.000%)
>>    S5 G 1: 0          (0.000%)
>>    S5 G 2: 0          (0.000%)
>>     Total: 2
>>
>> ===============================================================================
>> Closing spool file '/var/log/snort/snort_dmz2.log.1399902485'. Read 3
>> records
>> cool-ids#
>>
>> What is happening? What can I do with it?
>>
>> It's a fresh and empty DB that is populated when barnyard2 starts, but it fails
>> in no more than 5 records with a Duplicate entry error.
>>
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort
>> news!
>
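As an added example, not part of the thread and not barnyard2's own code: a small Python/sqlite3 model of the two snort-schema tables involved in the error above, `sensor` (with its per-sensor `last_cid` counter) and `event` (primary key on `sid, cid`). It shows how two writers that share one sensor id and each cache the counter collide on the primary key, the situation Jeremy describes as two tasks updating the table at the same time, and it gives a consistency check a defender can run against the real database before restarting barnyard2: if `sensor.last_cid` is below the highest `cid` already stored in `event`, the next insert will reuse a taken key. The sqlite3 schema, the `Writer` class, the `realign_counters` helper and the sample rows are constructed for illustration; the real tables carry more columns, and MySQL reports the collision as the `Duplicate entry` error quoted in the thread rather than sqlite's `UNIQUE constraint failed`.

```python
import sqlite3

# Constructed, minimal model of the snort schema's sensor and event tables.
# Column names match what barnyard2 writes to; the rest is assumed.
SCHEMA = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY,
    hostname  TEXT,
    interface TEXT,
    last_cid  INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL,
    timestamp TEXT    NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""


def new_db():
    """In-memory database with one sensor row (values taken from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor VALUES (1, 'cool-ids', 'dmz2', 0)")
    conn.commit()
    return conn


class Writer:
    """Hypothetical model of one output-plugin instance: it reads the sensor's
    counter once at start-up and then increments its own in-memory copy."""

    def __init__(self, conn, sid):
        self.conn, self.sid = conn, sid
        self.cid = conn.execute(
            "SELECT last_cid FROM sensor WHERE sid = ?", (sid,)).fetchone()[0]

    def insert_event(self, signature, ts):
        self.cid += 1
        self.conn.execute(
            "INSERT INTO event (sid, cid, signature, timestamp) VALUES (?, ?, ?, ?)",
            (self.sid, self.cid, signature, ts))
        self.conn.execute(
            "UPDATE sensor SET last_cid = ? WHERE sid = ?", (self.cid, self.sid))
        self.conn.commit()
        return self.cid


def simulate_two_writers_one_sensor():
    """Two writers bound to the same sid each cache last_cid = 0, so both try
    to insert (sid=1, cid=1). Returns the database error text, or None."""
    conn = new_db()
    alert_writer = Writer(conn, 1)   # e.g. the 'alert' output database instance
    log_writer = Writer(conn, 1)     # e.g. the 'log' instance on the same sensor
    alert_writer.insert_event(253, "2014-05-12 17:48:05")
    try:
        log_writer.insert_event(253, "2014-05-12 17:48:05")
    except sqlite3.IntegrityError as exc:
        return str(exc)
    return None


def cid_counter_lag(conn):
    """Consistency check: per sensor, how far the stored counter lags behind
    the highest cid already present in event. Empty dict means consistent."""
    rows = conn.execute("""
        SELECT s.sid, s.last_cid, COALESCE(MAX(e.cid), 0)
        FROM sensor s LEFT JOIN event e ON e.sid = s.sid
        GROUP BY s.sid, s.last_cid""").fetchall()
    return {sid: max_cid - last_cid
            for sid, last_cid, max_cid in rows if max_cid > last_cid}


def realign_counters(conn):
    """Assumed repair: move each lagging sensor.last_cid up to MAX(event.cid).
    Returns the number of sensor rows changed."""
    cur = conn.execute("""
        UPDATE sensor SET last_cid =
            (SELECT MAX(cid) FROM event WHERE event.sid = sensor.sid)
        WHERE last_cid <
            (SELECT COALESCE(MAX(cid), 0) FROM event WHERE event.sid = sensor.sid)""")
    conn.commit()
    return cur.rowcount


def build_lagging_db():
    """Constructed sample: five events stored, but the counter was reset to 2."""
    conn = new_db()
    w = Writer(conn, 1)
    for _ in range(5):
        w.insert_event(253, "2014-05-12 17:48:05")
    conn.execute("UPDATE sensor SET last_cid = 2 WHERE sid = 1")
    conn.commit()
    return conn


if __name__ == "__main__":
    print("collision:", simulate_two_writers_one_sensor())
    db = build_lagging_db()
    print("lag before:", cid_counter_lag(db))
    print("rows realigned:", realign_counters(db))
    print("lag after:", cid_counter_lag(db))
```

Against a real snort database the equivalent of `cid_counter_lag` is a single `SELECT` joining `sensor` and `event`; run it with barnyard2 stopped, since a running writer will keep moving `last_cid` underneath the query.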

