[Snort-users] Snort, barnyard2, snorby issue

Ward Sladek wsladekjr at ...125...
Fri Mar 6 09:32:14 EST 2015


I've run into crash issues w/ later builds of barnyard2 and always reverted back to version 2.1.9 (Build 263) (never once had this build crash on me)...  You could try this older version if nothing else.

> From: florian at ...17112...
> Date: Fri, 6 Mar 2015 10:51:27 +0100
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort, barnyard2, snorby issue
> 
> Hi,
> 
> I believe there was a post about this same issue before
> (http://seclists.org/snort/2014/q4/40).
> 
> Sporadically, barnyard2 crashes after some failed DB transaction. Most
> of the time it works fine, sometimes some transactions fail (but don’t
> crash barnyard), but sometimes they do.
> 
> Snort/barnyard2 are running from the latest pfSense package. I’ve
> installed snorby following the relevant parts from this guide:
> http://virtuallyhyper.com/2014/04/snort-debian/. So barnyard is
> writing to the database as prepared / created by snorby.
> 
> Thanks for any pointers!
> 
> Here’s an example of one that didn’t crash barnyard:
> 
> Mar 6 02:54:50barnyard2[153]: WARNING database [Database()]: End of
> failed transaction block
> Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
> [3] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst,
> ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl,
> ip_proto, ip_csum) VALUES
> (5,253,<not-telling><not-telling>,4,5,0,40,42410,0,0,127,6,57460);]
> Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
> [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport,
> tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win,
> tcp_csum, tcp_urp) VALUES
> (5,253,4904,80,2911421922,1430277470,5,0,16,65417,4376,0);]
> Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
> [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp)
> VALUES (5, 253, 58713, '2015-03-06 02:54:44');]
> Mar 6 02:54:50barnyard2[153]: WARNING database: [Database()] Failed
> transaction with current query transaction
> Mar 6 02:54:50barnyard2[153]: [Database()]: Insertion of Query [INSERT
> INTO event (sid,cid,signature,timestamp) VALUES (5, 253, 58713,
> '2015-03-06 02:54:44');] failed
> 
> Here’s an example of one that CRASHES barnyard:
> 
> Mar 6 03:50:54barnyard2[153]: Barnyard2 exiting
> Mar 6 03:50:54barnyard2[153]: FATAL ERROR: database Unable to rollback
> transaction in [Database()]
> Mar 6 03:50:54barnyard2[153]: [RollbackTransaction(): Call failed, we
> reached the maximum number of transaction error [10]
> Mar 6 03:50:54barnyard2[153]: WARNING database [Database()]: End of
> failed transaction block
> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> [6] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst,
> ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl,
> ip_proto, ip_csum) VALUES
> (5,259,<not-telling>,<not-telling>,4,5,0,60,49293,0,0,63,6,32628);]
> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> [5] Failed Query Body [INSERT INTO opt
> (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
> (5,259,4,6,3,1,'07');]
> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> [4] Failed Query Body [INSERT INTO opt
> (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
> (5,259,2,6,8,8,'5C7D05F600000000');]
> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> [3] Failed Query Body [INSERT INTO opt
> (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
> (5,259,0,6,2,2,'05B4');]
> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport,
> tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win,
> tcp_csum, tcp_urp) VALUES
> (5,259,59772,22,1147913595,0,10,0,2,5840,57224,0);]
> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp)
> VALUES (5, 259, 74262, '2015-03-06 03:50:49');]
> Mar 6 03:50:54barnyard2[153]: WARNING database: [Database()] Failed
> transaction with current query transaction
> 

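An added example, not part of either post: a small triage script for barnyard2 database messages in the format quoted above, separating failed transactions that barnyard2 survived from the fatal rollback after which it exits and stops writing events to the database. The sample lines are constructed from the quoted logs (wrapped lines joined, column lists shortened), and the dictionary keys are this example's own naming.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log lines quoted in the post.
SAMPLE = """\
Mar 6 02:54:50barnyard2[153]: WARNING database [Database()]: End of failed transaction block
Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport) VALUES (5,253,4904);]
Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp) VALUES (5, 253, 58713, '2015-03-06 02:54:44');]
Mar 6 03:50:54barnyard2[153]: Barnyard2 exiting
Mar 6 03:50:54barnyard2[153]: FATAL ERROR: database Unable to rollback transaction in [Database()]
Mar 6 03:50:54barnyard2[153]: [RollbackTransaction(): Call failed, we reached the maximum number of transaction error [10]
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp) VALUES (5, 259, 74262, '2015-03-06 03:50:49');]
"""

# The quoted logs have no space between the time and the program name, so \s* allows both forms.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\s*barnyard2\[(\d+)\]: (.*)$")
FAILED = re.compile(r"Failed Query Position \[(\d+)\] Failed Query Body \[INSERT INTO (\w+)")
EVENT = re.compile(r"INSERT INTO event .*VALUES \((\d+), *(\d+),")
LIMIT = re.compile(r"maximum number of transaction error \[(\d+)\]")

def triage(text):
    """Group barnyard2 database messages by syslog timestamp and flag fatal exits."""
    groups = defaultdict(lambda: {"tables": [], "event": None, "fatal": False, "limit": None})
    for raw in text.splitlines():
        m = LINE.match(raw.lstrip(", "))  # tolerate a stray leading comma from copy/paste
        if not m:
            continue
        stamp, _pid, msg = m.groups()
        g = groups[stamp]
        if (f := FAILED.search(msg)):
            g["tables"].append((int(f.group(1)), f.group(2)))  # (position, table)
        if (e := EVENT.search(msg)):
            g["event"] = (int(e.group(1)), int(e.group(2)))    # (sid, cid)
        if "FATAL ERROR" in msg or "Barnyard2 exiting" in msg:
            g["fatal"] = True
        if (lim := LIMIT.search(msg)):
            g["limit"] = int(lim.group(1))
    return dict(groups)

if __name__ == "__main__":
    for stamp, g in triage(SAMPLE).items():
        state = "FATAL, barnyard2 exited" if g["fatal"] else "recovered"
        print(stamp, state, "event(sid,cid)=", g["event"], "failed:", sorted(g["tables"]))
```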
