Snort mailing list archives
Re: barnyard regular restart required
From: "Matthew Babcock" <MBabcock () AandRTech com>
Date: Mon, 9 Mar 2009 10:20:15 -0400 (EDT)
I am willing to bet it is. The Snort >> MySQL connection time out was a big road block for me. It would manifest as Snort running, and not getting events added to MySQL (and still showing via 'lsof -i' that Snort was connected to MySQL). There are two easy ways to prove this.

1 - Temporarily stop using Barnyard, and make Snort log to MySQL directly. Make sure you have Snort enabled to log to MySQL (in Debian the package name is snort-mysql; run sudo aptitude show snort, and if there is an 'i' in front of snort-mysql you already have it installed; otherwise you can install it, use aptitude though..). Let it run for a while and look for those snort messages I mentioned, "database has gone away". If you get them, and I suspect you will, you know what the problem is. If you compiled from source that changes things a bit.

2 - Even easier, enable the icmp-info.rules and use a system on your LAN to continuously ping something on the internet. Make sure you get the ICMP ECHO/PING alerts and see if it stops working again.

I made a signature that turned Nagios traffic into a heartbeat/alert, avoiding the problem.

For reference...
---------
sudo aptitude show snort-mysql |grep ersion && sudo aptitude show mysql-server-5.0 |grep ersion
Version: 2.7.0-20.3
Version: 5.0.51a-24
-----------

Regards,
--
Matthew R. Babcock
CEO, Principal Consultant
A & R Technology Consulting
- Providing solutions, not limitations -
MBabcock () AandRTech com
--On Monday, March 09, 2009 03:48:31 -0500 Ian Masters <ian () acces co jp> wrote:

Thanks again for the reply.

Again I do not use Barnyard, but any chance you are outputting from Barnyard to MySQL (did not catch it the first time but you must be if you are using BASE...)? More specifically MySQL Server 5, there is an issue where the connection to MySQL times out, and MySQL does nothing about it.

I am indeed outputting from Barnyard to MySQL and my MySQL version is indeed 5 (Sorry I didn't include this information to begin with).

With Snort logging straight to MySQL this manifests as Snort log messages like "snort[10778]: database: mysql_error: MySQL server has gone away". Not sure if Barnyard will log anything in this scenario...

I haven't come across anything useful like that yet.

I *believe* that if you run lsof -i it will still show that snort (barnyard in your case) is still connected to MySQL (even though the connection is dead).

lsof -i shows:
mysqld 4637 mysql 10u IPv4 8513 TCP *:mysql (LISTEN)

The machine is a test machine which gets very few alerts. Thanks for the ideas. It's given me a bit more to think about. I'm surprised that it's not happening to other users too.

What makes you think it isn't? Some of us are watching the thread wondering if someone has an answer.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
Check the headers before clicking on Reply.
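As an added example (not code from anyone in this thread), a health check that combines the two signals discussed above: Matthew's idea of a continuously pinging host as a heartbeat, and the "MySQL server has gone away" syslog message. The (timestamp, signature) rows, the Snort database schema they would be read from, and all sample data are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Syslog text the thread quotes when Snort's MySQL connection has silently died.
GONE_AWAY = re.compile(r"database: mysql_error: MySQL server has gone away")

def gone_away_lines(syslog_lines):
    """Syslog lines that report a dead MySQL connection."""
    return [ln for ln in syslog_lines if GONE_AWAY.search(ln)]

def heartbeat_gap(alerts, heartbeat_sig, now):
    """Seconds since the newest stored alert carrying the heartbeat signature.

    alerts: (timestamp, signature_name) pairs, e.g. rows joined from the Snort
    DB's event and signature tables (an assumption about the schema). Returns
    None if no heartbeat alert has ever been stored.
    """
    stamps = [ts for ts, sig in alerts if sig == heartbeat_sig]
    return (now - max(stamps)).total_seconds() if stamps else None

def pipeline_healthy(syslog_lines, alerts, heartbeat_sig, now, max_gap):
    """True only if no 'gone away' error was logged and the heartbeat is fresh.

    A LAN host pinging continuously (icmp-info.rules enabled) should keep
    producing ICMP alerts; if the newest stored one is older than max_gap, the
    sensor -> database path is dead even though lsof -i still shows the TCP
    connection as open.
    """
    if gone_away_lines(syslog_lines):
        return False
    gap = heartbeat_gap(alerts, heartbeat_sig, now)
    return gap is not None and gap <= max_gap.total_seconds()

# Constructed sample data, not taken from the original thread.
SAMPLE_SYSLOG = [
    "Mar  9 09:58:01 sensor snort[10778]: Initializing daemon mode",
    "Mar  9 10:12:44 sensor snort[10778]: database: mysql_error: MySQL server has gone away",
]
SAMPLE_ALERTS = [
    (datetime(2009, 3, 9, 10, 10), "ICMP PING"),
    (datetime(2009, 3, 9, 10, 11), "ICMP PING"),
    (datetime(2009, 3, 9, 10, 12), "ICMP PING"),             # last heartbeat before the link died
    (datetime(2009, 3, 9, 10, 12, 30), "SNMP request udp"),  # unrelated alert, ignored
]
NOW = datetime(2009, 3, 9, 10, 20, 15)
MAX_GAP = timedelta(minutes=3)

if __name__ == "__main__":
    print(len(gone_away_lines(SAMPLE_SYSLOG)), heartbeat_gap(SAMPLE_ALERTS, "ICMP PING", NOW))
    print(pipeline_healthy(SAMPLE_SYSLOG[:1], SAMPLE_ALERTS, "ICMP PING", NOW, MAX_GAP))
```

In production the alert rows would come from a periodic query against the database and the syslog lines from the sensor's log, with the result fed to whatever monitor (Nagios in Matthew's case) restarts Barnyard or pages someone.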
------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- barnyard regular restart required Ian Masters (Mar 08)
- Message not available
- Re: barnyard regular restart required Ian Masters (Mar 08)
- Message not available
- Re: barnyard regular restart required Ian Masters (Mar 09)
- Re: barnyard regular restart required Joel Esler (Mar 09)
- Re: barnyard regular restart required Paul Schmehl (Mar 09)
- Re: barnyard regular restart required Joel Esler (Mar 09)
- Re: barnyard regular restart required Ian Masters (Mar 08)
- Re: barnyard regular restart required Paul Schmehl (Mar 09)
- Re: barnyard regular restart required Joel Esler (Mar 09)
- Re: barnyard regular restart required Matthew Babcock (Mar 09)
- Re: barnyard regular restart required CunningPike (Mar 10)
- Re: barnyard regular restart required Matthew Babcock (Mar 10)
- Re: barnyard regular restart required Ian Masters (Mar 11)
- Message not available
- Re: barnyard regular restart required Ian Masters (Mar 11)
- Re: barnyard regular restart required Paul Schmehl (Mar 11)
- Re: barnyard regular restart required Ian Masters (Mar 11)
- Re: barnyard regular restart required Paul Schmehl (Mar 11)
- Re: barnyard regular restart required Joel Esler (Mar 12)