[Snort-users] Snort, barnyard2, snorby issue

Juan Jesus Prieto jjprieto at ...16842...
Fri Mar 6 11:39:44 EST 2015


Hi Florian,

   This is a common issue with barnyard2. Sometimes it fails on a 
database transaction and, when you reach the maximum number of failures, 
the barnyard2 process exits. You will need to debug the database side in 
order to determine which transaction is failing and why.

   The problem with the barnyard2 database output plugin is that it is very 
weak (latencies, a busy database server, etc. may be part of the problem). 
We have solved it by creating a new output plugin that uses Apache Kafka, 
capable of sending thousands of alerts per second. You can download the 
project from the clone at github:

https://github.com/redBorder/barnyard2

   Regards.
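
Juan's advice is to find which statement of the failed block is failing and why, and the barnyard2 warning lines Florian pasted carry enough structure to do the first part mechanically. The script below is an added example, not code from this thread, from barnyard2 or from the redBorder fork: it parses warning lines of the form shown in the excerpt, groups each failed block by the (sid, cid) pair in its VALUES, sorts the block into execution order (barnyard2 logs it from the highest position down to [1]), picks out the statement named in the "Insertion of Query [...] failed" line when one is present, and reports the transaction-error limit after which the process exits. The sample log is constructed from the excerpt, with made-up integers where the post redacted the addresses. The check_statements helper only generates the first SELECTs one would run by hand against the Snorby database (do rows for that sid/cid already exist?); that is an assumption about where to start looking, not a diagnosis the thread gives.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the barnyard2 syslog excerpt in the thread
# (not the original log).  The post redacted ip_src/ip_dst as <not-telling>;
# the two integers used here in their place are made up.
SAMPLE_LOG = """\
Mar 6 02:54:50 barnyard2[153]: WARNING database [Database()]: End of failed transaction block
Mar 6 02:54:50 barnyard2[153]: WARNING database: Failed Query Position [3] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES (5,253,167837954,3232235777,4,5,0,40,42410,0,0,127,6,57460);]
Mar 6 02:54:50 barnyard2[153]: WARNING database: Failed Query Position [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp) VALUES (5,253,4904,80,2911421922,1430277470,5,0,16,65417,4376,0);]
Mar 6 02:54:50 barnyard2[153]: WARNING database: Failed Query Position [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp) VALUES (5, 253, 58713, '2015-03-06 02:54:44');]
Mar 6 02:54:50 barnyard2[153]: WARNING database: [Database()] Failed transaction with current query transaction
Mar 6 02:54:50 barnyard2[153]: [Database()]: Insertion of Query [INSERT INTO event (sid,cid,signature,timestamp) VALUES (5, 253, 58713, '2015-03-06 02:54:44');] failed
Mar 6 03:50:54 barnyard2[153]: Barnyard2 exiting
Mar 6 03:50:54 barnyard2[153]: FATAL ERROR: database Unable to rollback transaction in [Database()]
Mar 6 03:50:54 barnyard2[153]: [RollbackTransaction(): Call failed, we reached the maximum number of transaction error [10]
Mar 6 03:50:54 barnyard2[153]: WARNING database [Database()]: End of failed transaction block
Mar 6 03:50:54 barnyard2[153]: WARNING database: Failed Query Position [3] Failed Query Body [INSERT INTO opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES (5,259,0,6,2,2,'05B4');]
Mar 6 03:50:54 barnyard2[153]: WARNING database: Failed Query Position [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp) VALUES (5,259,59772,22,1147913595,0,10,0,2,5840,57224,0);]
Mar 6 03:50:54 barnyard2[153]: WARNING database: Failed Query Position [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp) VALUES (5, 259, 74262, '2015-03-06 03:50:49');]
"""

# One line per statement of the rolled-back block, highest position first.
QUERY_RE = re.compile(r"Failed Query Position \[(?P<pos>\d+)\] Failed Query Body \[(?P<sql>INSERT INTO .*)\]\s*$")
# barnyard2 names the statement that actually failed on a separate line.
FAILED_RE = re.compile(r"Insertion of Query \[(?P<sql>INSERT INTO .*)\] failed\s*$")
# Every INSERT in the block starts its VALUES with sid, cid.
INSERT_RE = re.compile(r"INSERT INTO (?P<table>\w+)\s*\(.*?\)\s*VALUES\s*\((?P<vals>.*)\)\s*;?\s*$", re.S)
MAX_ERR_RE = re.compile(r"reached the maximum number of transaction error \[(?P<n>\d+)\]")


def _table_and_key(sql):
    """Return (table, (sid, cid)) for one INSERT body, or None if unparseable."""
    m = INSERT_RE.match(sql)
    if not m:
        return None
    vals = [v.strip() for v in m.group("vals").split(",")]
    return m.group("table"), (int(vals[0]), int(vals[1]))


def parse_failed_queries(log_text):
    """Group the logged block by (sid, cid) and sort it into execution order."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        parsed = _table_and_key(m.group("sql"))
        if parsed:
            table, key = parsed
            groups[key].append((int(m.group("pos")), table, m.group("sql")))
    return {key: sorted(block) for key, block in groups.items()}


def failing_inserts(log_text):
    """(sid, cid) and table of each statement barnyard2 reports as failed."""
    found = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            parsed = _table_and_key(m.group("sql"))
            if parsed:
                found.append((parsed[1], parsed[0]))
    return found


def detect_exit(log_text):
    """(error limit barnyard2 reports when it gives up, whether it exited)."""
    limit, exited = None, False
    for line in log_text.splitlines():
        m = MAX_ERR_RE.search(line)
        if m:
            limit = int(m.group("n"))
        if "Barnyard2 exiting" in line:
            exited = True
    return limit, exited


def check_statements(key, block):
    """First SELECTs to run by hand against the Snorby schema: do rows for this
    sid/cid already exist?  An assumed starting point, not a diagnosis."""
    sid, cid = key
    return [f"SELECT COUNT(*) FROM {table} WHERE sid={sid} AND cid={cid};" for _pos, table, _sql in block]


def summarize(log_text):
    blocks = parse_failed_queries(log_text)
    limit, exited = detect_exit(log_text)
    return {"blocks": {k: [t for _p, t, _s in b] for k, b in blocks.items()},
            "failed": failing_inserts(log_text), "error_limit": limit, "exited": exited}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key, tables in report["blocks"].items():
        print(key, "->", tables)
        print("   ", check_statements(key, parse_failed_queries(SAMPLE_LOG)[key]))
    print("named failing statement(s):", report["failed"])
    print("error limit:", report["error_limit"], "| exited:", report["exited"])
```

Run it against the real syslog (with the timestamp/process-name spacing intact) rather than the pasted excerpt; if the same (sid, cid) shows up in more than one failed block, or the COUNT(*) for `event` is already 1 when barnyard2 tries to insert it, that is the place to look on the database side.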


On 06/03/15 at 10:51, Florian Knorn wrote:
> Hi,
>
> I believe there was a post about this same issue before
> (http://seclists.org/snort/2014/q4/40).
>
> Sporadically, barnyard2 crashes after some failed DB transaction. Most
> of the time it works fine, sometimes some transactions fail (but don’t
> crash barnyard), but sometimes they do.
>
> Snort/barnyard2 are running from the latest pfSense package. I’ve
> installed snorby following the relevant parts from this guide:
> http://virtuallyhyper.com/2014/04/snort-debian/. So barnyard is
> writing to the database as prepared / created by snorby.
>
> Thanks for any pointers!
>
> Here’s an example of one that didn’t crash barnyard:
>
> Mar 6 02:54:50 barnyard2[153]: WARNING database [Database()]: End of
> failed transaction block
> Mar 6 02:54:50 barnyard2[153]: WARNING database: Failed Query Position
> [3] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst,
> ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl,
> ip_proto, ip_csum) VALUES
> (5,253,<not-telling>,<not-telling>,4,5,0,40,42410,0,0,127,6,57460);]
> Mar 6 02:54:50 barnyard2[153]: WARNING database: Failed Query Position
> [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport,
> tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win,
> tcp_csum, tcp_urp) VALUES
> (5,253,4904,80,2911421922,1430277470,5,0,16,65417,4376,0);]
> Mar 6 02:54:50 barnyard2[153]: WARNING database: Failed Query Position
> [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp)
> VALUES (5, 253, 58713, '2015-03-06 02:54:44');]
> Mar 6 02:54:50 barnyard2[153]: WARNING database: [Database()] Failed
> transaction with current query transaction
> Mar 6 02:54:50 barnyard2[153]: [Database()]: Insertion of Query [INSERT
> INTO event (sid,cid,signature,timestamp) VALUES (5, 253, 58713,
> '2015-03-06 02:54:44');] failed
>
> Here’s an example of one that CRASHES barnyard:
>
> Mar 6 03:50:54 barnyard2[153]: Barnyard2 exiting
> Mar 6 03:50:54 barnyard2[153]: FATAL ERROR: database Unable to rollback
> transaction in [Database()]
> Mar 6 03:50:54 barnyard2[153]: [RollbackTransaction(): Call failed, we
> reached the maximum number of transaction error [10]
> Mar 6 03:50:54 barnyard2[153]: WARNING database [Database()]: End of
> failed transaction block
> Mar 6 03:50:54 barnyard2[153]: WARNING database: Failed Query Position
> [6] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst,
> ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl,
> ip_proto, ip_csum) VALUES
> (5,259,<not-telling>,<not-telling>,4,5,0,60,49293,0,0,63,6,32628);]
> Mar 6 03:50:54 barnyard2[153]: WARNING database: Failed Query Position
> [5] Failed Query Body [INSERT INTO opt
> (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
> (5,259,4,6,3,1,'07');]
> Mar 6 03:50:54 barnyard2[153]: WARNING database: Failed Query Position
> [4] Failed Query Body [INSERT INTO opt
> (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
> (5,259,2,6,8,8,'5C7D05F600000000');]
> Mar 6 03:50:54 barnyard2[153]: WARNING database: Failed Query Position
> [3] Failed Query Body [INSERT INTO opt
> (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
> (5,259,0,6,2,2,'05B4');]
> Mar 6 03:50:54 barnyard2[153]: WARNING database: Failed Query Position
> [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport,
> tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win,
> tcp_csum, tcp_urp) VALUES
> (5,259,59772,22,1147913595,0,10,0,2,5840,57224,0);]
> Mar 6 03:50:54 barnyard2[153]: WARNING database: Failed Query Position
> [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp)
> VALUES (5, 259, 74262, '2015-03-06 03:50:49');]
> Mar 6 03:50:54 barnyard2[153]: WARNING database: [Database()] Failed
> transaction with current query transaction
>