[Snort-users] Snort, barnyard2, snorby issue

Florian Knorn florian at ...17112...
Fri Mar 6 04:51:27 EST 2015


Hi,

I believe there was a post about this same issue before
(http://seclists.org/snort/2014/q4/40).

Sporadically, barnyard2 crashes after some failed DB transaction. Most
of the time it works fine, sometimes some transactions fail (but don’t
crash barnyard), but sometimes they do.

Snort/barnyard2 are running from the latest pfSense package. I’ve
installed snorby following the relevant parts from this guide:
http://virtuallyhyper.com/2014/04/snort-debian/. So barnyard is
writing to the database as prepared / created by snorby.

Thanks for any pointers!

Here’s an example of one that didn’t crash barnyard:

Mar 6 02:54:50barnyard2[153]: WARNING database [Database()]: End of
failed transaction block
Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
[3] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst,
ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl,
ip_proto, ip_csum) VALUES
(5,253,<not-telling><not-telling>,4,5,0,40,42410,0,0,127,6,57460);]
Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
[2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport,
tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win,
tcp_csum, tcp_urp) VALUES
(5,253,4904,80,2911421922,1430277470,5,0,16,65417,4376,0);]
Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
[1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp)
VALUES (5, 253, 58713, '2015-03-06 02:54:44');]
Mar 6 02:54:50barnyard2[153]: WARNING database: [Database()] Failed
transaction with current query transaction
Mar 6 02:54:50barnyard2[153]: [Database()]: Insertion of Query [INSERT
INTO event (sid,cid,signature,timestamp) VALUES (5, 253, 58713,
'2015-03-06 02:54:44');] failed

Here’s an example of one that CRASHES barnyard:

Mar 6 03:50:54barnyard2[153]: Barnyard2 exiting
Mar 6 03:50:54barnyard2[153]: FATAL ERROR: database Unable to rollback
transaction in [Database()]
Mar 6 03:50:54barnyard2[153]: [RollbackTransaction(): Call failed, we
reached the maximum number of transaction error [10]
Mar 6 03:50:54barnyard2[153]: WARNING database [Database()]: End of
failed transaction block
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
[6] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst,
ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl,
ip_proto, ip_csum) VALUES
(5,259,<not-telling>,<not-telling>,4,5,0,60,49293,0,0,63,6,32628);]
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
[5] Failed Query Body [INSERT INTO opt
(sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
(5,259,4,6,3,1,'07');]
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
[4] Failed Query Body [INSERT INTO opt
(sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
(5,259,2,6,8,8,'5C7D05F600000000');]
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
[3] Failed Query Body [INSERT INTO opt
(sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
(5,259,0,6,2,2,'05B4');]
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
[2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport,
tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win,
tcp_csum, tcp_urp) VALUES
(5,259,59772,22,1147913595,0,10,0,2,5840,57224,0);]
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
[1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp)
VALUES (5, 259, 74262, '2015-03-06 03:50:49');]
Mar 6 03:50:54barnyard2[153]: WARNING database: [Database()] Failed
transaction with current query transaction
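As an added example that is not part of the original post or of barnyard2: a small Python parser that runs over constructed log lines modelled on the output quoted above, groups the failed INSERTs by (sid, cid), counts failed transaction blocks and flags the fatal rollback, so an operator watching the syslog can alert on failed blocks before barnyard2 hits its error ceiling and exits. The log sample, the regexes and the summary keys are all assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample, modelled on the barnyard2 syslog lines quoted in the post
# (the time and process fields are run together exactly as they appear there).
SAMPLE_LOG = """\
Mar 6 02:54:50barnyard2[153]: WARNING database [Database()]: End of failed transaction block
Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position [3] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst) VALUES (5,253,<not-telling>,<not-telling>);]
Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport, tcp_dport) VALUES (5,253,4904,80);]
Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp) VALUES (5, 253, 58713, '2015-03-06 02:54:44');]
Mar 6 02:54:50barnyard2[153]: WARNING database: [Database()] Failed transaction with current query transaction
Mar 6 03:50:54barnyard2[153]: Barnyard2 exiting
Mar 6 03:50:54barnyard2[153]: FATAL ERROR: database Unable to rollback transaction in [Database()]
Mar 6 03:50:54barnyard2[153]: [RollbackTransaction(): Call failed, we reached the maximum number of transaction error [10]
Mar 6 03:50:54barnyard2[153]: WARNING database [Database()]: End of failed transaction block
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position [3] Failed Query Body [INSERT INTO opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES (5,259,0,6,2,2,'05B4');]
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp) VALUES (5, 259, 74262, '2015-03-06 03:50:49');]
"""

# One INSERT from a failed transaction block: position, target table, sid, cid.
FAILED_QUERY = re.compile(
    r"Failed Query Position \[(\d+)\] Failed Query Body \[INSERT INTO (\w+) "
    r"\([^)]*\) VALUES \((\d+),\s*(\d+)")
BLOCK_END = re.compile(r"End of failed transaction block")
FATAL = re.compile(r"FATAL ERROR: database Unable to rollback transaction")
MAX_ERRORS = re.compile(r"maximum number of transaction error \[(\d+)\]")

def analyse(log_text):
    """Summarise barnyard2 database failures found in log_text."""
    failed = {}         # (sid, cid) -> set of tables whose INSERT failed
    tables = Counter()  # failed INSERTs per table across all blocks
    blocks = 0          # number of failed transaction blocks seen
    fatal = False       # barnyard2 gave up on rollback and exited
    max_errors = None   # barnyard2's transaction-error ceiling, if logged
    for line in log_text.splitlines():
        m = FAILED_QUERY.search(line)
        if m:
            _pos, table, sid, cid = m.groups()
            failed.setdefault((int(sid), int(cid)), set()).add(table)
            tables[table] += 1
        elif BLOCK_END.search(line):
            blocks += 1
        elif FATAL.search(line):
            fatal = True
        else:
            m = MAX_ERRORS.search(line)
            if m:
                max_errors = int(m.group(1))
    return {"failed_events": failed, "failed_tables": tables,
            "failed_blocks": blocks, "fatal": fatal, "max_errors": max_errors}
```

Feeding the live syslog through `analyse()` on a schedule and alerting when `failed_blocks` climbs towards `max_errors` gives warning of the crash the post describes; the (sid, cid) grouping also shows which event rows keep failing, which is the first thing to compare against the snorby database.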
