[Snort-users] Snort, barnyard2, snorby issue

Joel Esler (jesler) jesler at ...589...
Fri Mar 6 16:23:35 EST 2015


Have you guys submitted these changes upstream to barnyard2?


> On Mar 6, 2015, at 11:39 AM, Juan Jesus Prieto <jjprieto at ...16842...> wrote:
> 
> Hi Florian,
> 
>   This is a common issue with barnyard2. Sometimes, it fails with a 
> database transaction and, when you reach the maximum number of fails, 
> the barnyard2 process exits. You will need to debug the database side in 
> order to determine which transaction is failing and why.
> 
>   The problem with the barnyard2 database output plugin is that it is very 
> weak (latencies, a busy database server, etc., may be part of the problem). 
> We have solved it by creating a new output plugin that uses Apache Kafka, 
> capable of sending thousands of alerts per second. You can download the 
> project from the clone at github:
> 
> https://github.com/redBorder/barnyard2
> 
>   Regards.
> 
> 
> On 06/03/15 at 10:51, Florian Knorn wrote:
>> Hi,
>> 
>> I believe there was a post about this same issue before
>> (http://seclists.org/snort/2014/q4/40).
>> 
>> Sporadically, barnyard2 crashes after some failed DB transaction. Most
>> of the time it works fine, sometimes some transactions fail (but don’t
>> crash barnyard), but sometimes they do.
>> 
>> Snort/barnyard2 are running from the latest pfSense package. I’ve
>> installed snorby following the relevant parts from this guide:
>> http://virtuallyhyper.com/2014/04/snort-debian/. So barnyard is
>> writing to the database as prepared / created by snorby.
>> 
>> Thanks for any pointers!
>> 
>> Here’s an example of one that didn’t crash barnyard:
>> 
>> Mar 6 02:54:50barnyard2[153]: WARNING database [Database()]: End of
>> failed transaction block
>> ,Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
>> [3] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst,
>> ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl,
>> ip_proto, ip_csum) VALUES
>> (5,253,<not-telling><not-telling>,4,5,0,40,42410,0,0,127,6,57460);]
>> Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
>> [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport,
>> tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win,
>> tcp_csum, tcp_urp) VALUES
>> (5,253,4904,80,2911421922,1430277470,5,0,16,65417,4376,0);]
>> Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
>> [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp)
>> VALUES (5, 253, 58713, '2015-03-06 02:54:44');]
>> Mar 6 02:54:50barnyard2[153]: WARNING database: [Database()] Failed
>> transaction with current query transaction
>> Mar 6 02:54:50barnyard2[153]: [Database()]: Insertion of Query [INSERT
>> INTO event (sid,cid,signature,timestamp) VALUES (5, 253, 58713,
>> '2015-03-06 02:54:44');] failed
>> 
>> Here’s an example of one that CRASHES barnyard:
>> 
>> Mar 6 03:50:54barnyard2[153]: Barnyard2 exiting
>> Mar 6 03:50:54barnyard2[153]: FATAL ERROR: database Unable to rollback
>> transaction in [Database()]
>> Mar 6 03:50:54barnyard2[153]: [RollbackTransaction(): Call failed, we
>> reached the maximum number of transaction error [10]
>> Mar 6 03:50:54barnyard2[153]: WARNING database [Database()]: End of
>> failed transaction block
>> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
>> [6] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst,
>> ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl,
>> ip_proto, ip_csum) VALUES
>> (5,259,<not-telling>,<not-telling>,4,5,0,60,49293,0,0,63,6,32628);]
>> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
>> [5] Failed Query Body [INSERT INTO opt
>> (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
>> (5,259,4,6,3,1,'07');]
>> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
>> [4] Failed Query Body [INSERT INTO opt
>> (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
>> (5,259,2,6,8,8,'5C7D05F600000000');]
>> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
>> [3] Failed Query Body [INSERT INTO opt
>> (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
>> (5,259,0,6,2,2,'05B4');]
>> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
>> [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport,
>> tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win,
>> tcp_csum, tcp_urp) VALUES
>> (5,259,59772,22,1147913595,0,10,0,2,5840,57224,0);]
>> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
>> [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp)
>> VALUES (5, 259, 74262, '2015-03-06 03:50:49');]
>> Mar 6 03:50:54barnyard2[153]: WARNING database: [Database()] Failed
>> transaction with current query transaction
>> 
>> ------------------------------------------------------------------------------
>> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
>> by Intel and developed in partnership with Slashdot Media, is your hub for all
>> things parallel software development, from weekly thought leadership blogs to
>> news, videos, case studies, tutorials and more. Take a look and join the
>> conversation now. http://goparallel.sourceforge.net/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 

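Juan's advice is to work out, from the database side, which transaction is failing and why. A first step a practitioner can take before touching the database is to parse the barnyard2 warnings that Florian posted: each failed block is bracketed by "End of failed transaction block" and "Failed transaction with current query transaction" (the lines are logged newest-first), the numbered "Failed Query Position" lines carry the SQL that was rolled back, and the "maximum number of transaction error [10]" line marks the point at which the process gives up. The parser below is an added example written for this thread, not code from barnyard2, redBorder, or either poster. The sample log is constructed from the lines quoted above (re-joined onto single lines, with the posted "<not-telling>" placeholders and the missing space before "barnyard2" kept as they appear); the threshold value 10 is taken from the posted FATAL line and is not a claim about how barnyard2 counts errors in general.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the barnyard2 syslog output quoted in the thread.
# The first block is the non-fatal failure; the second is the one that ended with
# "Barnyard2 exiting" after the rollback counter reached its limit.
SAMPLE_LOG = """\
Mar 6 02:54:50barnyard2[153]: WARNING database [Database()]: End of failed transaction block
Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position [3] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES (5,253,<not-telling><not-telling>,4,5,0,40,42410,0,0,127,6,57460);]
Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp) VALUES (5,253,4904,80,2911421922,1430277470,5,0,16,65417,4376,0);]
Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp) VALUES (5, 253, 58713, '2015-03-06 02:54:44');]
Mar 6 02:54:50barnyard2[153]: WARNING database: [Database()] Failed transaction with current query transaction
Mar 6 02:54:50barnyard2[153]: [Database()]: Insertion of Query [INSERT INTO event (sid,cid,signature,timestamp) VALUES (5, 253, 58713, '2015-03-06 02:54:44');] failed
Mar 6 03:50:54barnyard2[153]: Barnyard2 exiting
Mar 6 03:50:54barnyard2[153]: FATAL ERROR: database Unable to rollback transaction in [Database()]
Mar 6 03:50:54barnyard2[153]: [RollbackTransaction(): Call failed, we reached the maximum number of transaction error [10]
Mar 6 03:50:54barnyard2[153]: WARNING database [Database()]: End of failed transaction block
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position [3] Failed Query Body [INSERT INTO opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES (5,259,0,6,2,2,'05B4');]
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp) VALUES (5,259,59772,22,1147913595,0,10,0,2,5840,57224,0);]
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp) VALUES (5, 259, 74262, '2015-03-06 03:50:49');]
Mar 6 03:50:54barnyard2[153]: WARNING database: [Database()] Failed transaction with current query transaction
"""

# Syslog prefix; "\s*" before barnyard2 accepts both "02:54:50barnyard2" (as posted) and a normal space.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s*barnyard2\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$")
QUERY_RE = re.compile(r"Failed Query Position \[(?P<pos>\d+)\] Failed Query Body \[(?P<body>.*)\]$")
TABLE_RE = re.compile(r"INSERT INTO (?P<table>\w+)")
EVENT_RE = re.compile(
    r"INSERT INTO event \(sid,cid,signature,timestamp\) VALUES "
    r"\((?P<sid>\d+),\s*(?P<cid>\d+),\s*(?P<sig>\d+),\s*'(?P<ts>[^']*)'\)"
)
THRESHOLD_RE = re.compile(r"maximum number of transaction error \[(?P<n>\d+)\]")


@dataclass
class FailedTransaction:
    logged_at: str
    sid: Optional[int] = None
    cid: Optional[int] = None
    signature: Optional[int] = None
    event_time: Optional[str] = None
    queries: Dict[int, str] = field(default_factory=dict)  # query position -> SQL body

    def tables(self) -> List[str]:
        """Target tables in execution order (position 1 first); tells you which INSERT failed first."""
        return [TABLE_RE.search(self.queries[p]).group("table") for p in sorted(self.queries)]


@dataclass
class Report:
    transactions: List[FailedTransaction] = field(default_factory=list)
    fatal_threshold: Optional[int] = None  # value barnyard2 logged when it gave up, if it did
    exited: bool = False


def parse_barnyard2_log(text: str) -> Report:
    """Group barnyard2 database warnings into failed-transaction blocks and spot the fatal exit."""
    report = Report()
    current: Optional[FailedTransaction] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if "End of failed transaction block" in msg:
            # Newest-first logging: this marker is the first line of a block in the file.
            current = FailedTransaction(logged_at=m.group("ts"))
            continue
        if current is not None:
            q = QUERY_RE.search(msg)
            if q:
                body = q.group("body")
                current.queries[int(q.group("pos"))] = body
                e = EVENT_RE.search(body)
                if e:  # the event row carries the (sid, cid) pair Snorby uses to join the other tables
                    current.sid, current.cid = int(e.group("sid")), int(e.group("cid"))
                    current.signature, current.event_time = int(e.group("sig")), e.group("ts")
                continue
            if "Failed transaction with current query transaction" in msg:
                report.transactions.append(current)
                current = None
                continue
        t = THRESHOLD_RE.search(msg)
        if t:
            report.fatal_threshold = int(t.group("n"))
        if "Barnyard2 exiting" in msg:
            report.exited = True
    return report


def summarize(report: Report) -> dict:
    """Compact view for a ticket or dashboard: how many blocks failed, which cids, and whether it died."""
    return {
        "failed_transactions": len(report.transactions),
        "cids": [t.cid for t in report.transactions],
        "tables_per_block": [t.tables() for t in report.transactions],
        "fatal_threshold": report.fatal_threshold,
        "exited": report.exited,
    }


if __name__ == "__main__":
    print(summarize(parse_barnyard2_log(SAMPLE_LOG)))
```

Run it against your own syslog extract (the whole file, not just the lines you think matter) and the (sid, cid) pairs it prints are what to look for in the database: a cid that already exists in `event` for that sensor points at a sequence or waldo-file problem, while blocks with no row at all point at the transient DB-side errors (latency, a busy server) that Juan describes.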