[Snort-users] Snort, barnyard2, snorby issue

Eugenio Perez eugenio at ...16842...
Fri Mar 6 16:53:59 EST 2015


Hi Joel

Yes we tried, we did a pull request almost two years ago:

https://github.com/firnsy/barnyard2/pull/88
On 06/03/2015 22:30, "Joel Esler (jesler)" <jesler at ...589...> wrote:

> have you guys submitted these changes upstream to barnyard2?
>
>
> > On Mar 6, 2015, at 11:39 AM, Juan Jesus Prieto <jjprieto at ...16842...>
> wrote:
> >
> > Hi Florian,
> >
> >   This is a common issue with barnyard2. Sometimes, it fails with a
> > database transaction and, when you reach the maximum number of fails,
> > the barnyard2 process exits. You will need to debug the database side in
> > order to determine which transaction is failing and why.
> >
> >   The problem with the barnyard2 database output plugin is that it is very
> > weak (latencies, busy database server, etc., may be part of the problem).
> > We have solved it by creating a new output plugin that uses Apache Kafka,
> > capable of sending thousands of alerts per second. You can download the
> > project from the clone at GitHub:
> >
> > https://github.com/redBorder/barnyard2
> >
> >   Regards.
> >
> >
> > On 06/03/15 at 10:51, Florian Knorn wrote:
> >> Hi,
> >>
> >> I believe there was a post about this same issue before
> >> (http://seclists.org/snort/2014/q4/40).
> >>
> >> Sporadically, barnyard2 crashes after some failed DB transaction. Most
> >> of the time it works fine, sometimes some transactions fail (but don’t
> >> crash barnyard), but sometimes they do.
> >>
> >> Snort/barnyard2 are running from the latest pfSense package. I’ve
> >> installed snorby following the relevant parts from this guide:
> >> http://virtuallyhyper.com/2014/04/snort-debian/. So barnyard is
> >> writing to the database as prepared / created by snorby.
> >>
> >> Thanks for any pointers!
> >>
> >> Here’s an example of one that didn’t crash barnyard:
> >>
> >> Mar 6 02:54:50barnyard2[153]: WARNING database [Database()]: End of
> >> failed transaction block
> >> ,Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
> >> [3] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst,
> >> ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl,
> >> ip_proto, ip_csum) VALUES
> >> (5,253,<not-telling><not-telling>,4,5,0,40,42410,0,0,127,6,57460);]
> >> Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
> >> [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport,
> >> tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win,
> >> tcp_csum, tcp_urp) VALUES
> >> (5,253,4904,80,2911421922,1430277470,5,0,16,65417,4376,0);]
> >> Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
> >> [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp)
> >> VALUES (5, 253, 58713, '2015-03-06 02:54:44');]
> >> Mar 6 02:54:50barnyard2[153]: WARNING database: [Database()] Failed
> >> transaction with current query transaction
> >> Mar 6 02:54:50barnyard2[153]: [Database()]: Insertion of Query [INSERT
> >> INTO event (sid,cid,signature,timestamp) VALUES (5, 253, 58713,
> >> '2015-03-06 02:54:44');] failed
> >>
> >> Here’s an example of one that CRASHES barnyard:
> >>
> >> Mar 6 03:50:54barnyard2[153]: Barnyard2 exiting
> >> Mar 6 03:50:54barnyard2[153]: FATAL ERROR: database Unable to rollback
> >> transaction in [Database()]
> >> Mar 6 03:50:54barnyard2[153]: [RollbackTransaction(): Call failed, we
> >> reached the maximum number of transaction error [10]
> >> Mar 6 03:50:54barnyard2[153]: WARNING database [Database()]: End of
> >> failed transaction block
> >> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> >> [6] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst,
> >> ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl,
> >> ip_proto, ip_csum) VALUES
> >> (5,259,<not-telling>,<not-telling>,4,5,0,60,49293,0,0,63,6,32628);]
> >> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> >> [5] Failed Query Body [INSERT INTO opt
> >> (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
> >> (5,259,4,6,3,1,'07');]
> >> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> >> [4] Failed Query Body [INSERT INTO opt
> >> (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
> >> (5,259,2,6,8,8,'5C7D05F600000000');]
> >> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> >> [3] Failed Query Body [INSERT INTO opt
> >> (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
> >> (5,259,0,6,2,2,'05B4');]
> >> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> >> [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport,
> >> tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win,
> >> tcp_csum, tcp_urp) VALUES
> >> (5,259,59772,22,1147913595,0,10,0,2,5840,57224,0);]
> >> Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> >> [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp)
> >> VALUES (5, 259, 74262, '2015-03-06 03:50:49');]
> >> Mar 6 03:50:54barnyard2[153]: WARNING database: [Database()] Failed
> >> transaction with current query transaction
> >>
> >>
> ------------------------------------------------------------------------------
> >> Dive into the World of Parallel Programming The Go Parallel Website,
> sponsored
> >> by Intel and developed in partnership with Slashdot Media, is your hub
> for all
> >> things parallel software development, from weekly thought leadership
> blogs to
> >> news, videos, case studies, tutorials and more. Take a look and join the
> >> conversation now. http://goparallel.sourceforge.net/
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >>
> >> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
> >
> >
> >
>
>
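To follow the debugging advice in the thread (find which transaction fails, and notice when barnyard2 hits its rollback limit and exits), here is an added Python parser over log lines constructed in the shape of the warnings quoted above. It is not code from the thread or from barnyard2; the sample lines, function names and the grouping by (sid, cid) are assumptions made for this example.

```python
import re

# Constructed sample lines modelled on the barnyard2 warnings quoted in the thread.
SAMPLE_LOG = """\
Mar 6 02:54:50 barnyard2[153]: WARNING database [Database()]: End of failed transaction block
Mar 6 02:54:50 barnyard2[153]: WARNING database: Failed Query Position [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport) VALUES (5,253,4904);]
Mar 6 02:54:50 barnyard2[153]: WARNING database: Failed Query Position [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp) VALUES (5, 253, 58713, '2015-03-06 02:54:44');]
Mar 6 03:50:54 barnyard2[153]: FATAL ERROR: database Unable to rollback transaction in [Database()]
Mar 6 03:50:54 barnyard2[153]: [RollbackTransaction(): Call failed, we reached the maximum number of transaction error [10]
Mar 6 03:50:54 barnyard2[153]: WARNING database: Failed Query Position [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp) VALUES (5, 259, 74262, '2015-03-06 03:50:49');]
"""

# Patterns for the database-output warnings shown in the thread.
QUERY_RE = re.compile(r"Failed Query Position \[(?P<pos>\d+)\] Failed Query Body \[(?P<body>.*)\]\s*$")
TABLE_RE = re.compile(r"INSERT INTO (?P<table>\w+)", re.IGNORECASE)
SIDCID_RE = re.compile(r"VALUES\s*\(\s*(?P<sid>\d+)\s*,\s*(?P<cid>\d+)")
FATAL_RE = re.compile(r"maximum number of transaction error \[(?P<limit>\d+)\]")


def parse_failed_transactions(log_text):
    """Group barnyard2 'Failed Query' warnings by the (sid, cid) event they belong to.

    Returns {"events": {(sid, cid): [table, ...]}, "fatal_limit": int or None}.
    fatal_limit is set when the log records barnyard2 giving up after the
    maximum number of transaction errors (the crash path from the thread).
    """
    events = {}
    fatal_limit = None
    for line in log_text.splitlines():
        fatal = FATAL_RE.search(line)
        if fatal:
            fatal_limit = int(fatal.group("limit"))
            continue
        query = QUERY_RE.search(line)
        if not query:
            continue
        body = query.group("body")
        table = TABLE_RE.search(body)
        ids = SIDCID_RE.search(body)
        if not table or not ids:
            continue  # body we cannot attribute to an event; skip rather than guess
        key = (int(ids.group("sid")), int(ids.group("cid")))
        events.setdefault(key, []).append(table.group("table"))
    return {"events": events, "fatal_limit": fatal_limit}
```

Each (sid, cid) key maps to the tables whose INSERTs were rolled back, which tells you which event rows to look up on the database side (permissions, constraints, slow queries) before the error count reaches the limit.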