Snort mailing list archives
Re: Snort and Barnyard - why do our logs stop
From: "Champ Clark III [Softwink]" <champ () softwink com>
Date: Mon, 24 Jan 2011 13:32:57 -0500
On Mon, Jan 24, 2011 at 11:54:56AM -0600, Atkins, Dwane P wrote:
> 01/24-11:57:37.207454 [**] [1:1394:12] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable Code was Detected] [Priority: 1] {UDP} 129.111.107.10:5247 -> 129.111.94.116:12929
>
> database: mysql_error: Duplicate entry '1-15358037' for key 'PRIMARY'
> SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 15358037, 4, '2011-01-24 11:57:37')
>
> What does this mean? Why am I getting duplicate entries and how do I discover where the mysql error is?
It means that Snort (or Barnyard?) is trying to "insert" an event for an ID (cid) that's already taken. This ID is unique to each event. It's trying to INSERT into the database with an ID that's already used.

When Snort or Barnyard "start up", they read the last cid used from the 'sensor' database (last_cid). This lets Snort/Barnyard "know" where to start with a unique ID. When Barnyard/Snort exit 'cleanly' (ie - not a crash), they update the value in the 'sensor' table 'last_cid'.

However, if Snort/Barnyard crash, it doesn't have a chance to update this, and the old/stale value is left in the 'last_cid'. Then next time Snort/Barnyard 'starts up', it reads this stale value and attempts to add records with a duplicate ID.

The fix? Increment the last_cid to the next _unused_ value. If you use BASE, I believe in the 'maintenance' section, you can 'rebuild' the tables and it'll take care of this for you. Otherwise, do it manually.

Oh, and figure out why Snort/Barnyard crashed in the first place.

-- 
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com
GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F

If it wasn't for C, we'd be using BASI, PASAL and OBOL.
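The failure mode Champ describes (stale `last_cid` after a crash, then a duplicate-key error on the first INSERT after restart) and the manual repair he recommends, modelled in a small runnable script. This is an added example, not code from the thread, from Snort or from Barnyard: it uses an in-memory SQLite database with the `sensor`/`event` column names mentioned in the thread (the real schema is MySQL), and the start-up/clean-exit logic in `OutputPlugin` is an assumption about the database output plugin's behaviour taken from the reply, not its actual implementation. `stale_sensors()` is the check to run first; `repair_last_cid()` is the "set last_cid to the highest cid actually present" fix, which is the same UPDATE you would run against MySQL with the sensor stopped.

```python
import sqlite3


def new_db():
    """Constructed sample schema: one sensor, no events yet. Column names
    follow the thread; everything else is a simplification of the Snort DB."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sensor (
            sid INTEGER PRIMARY KEY, hostname TEXT, last_cid INTEGER NOT NULL);
        CREATE TABLE event (
            sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
            PRIMARY KEY (sid, cid));      -- the 'PRIMARY' key in the error
        INSERT INTO sensor VALUES (1, 'sensor-a', 0);
    """)
    return db


class OutputPlugin:
    """Assumed behaviour of the DB output plugin, per the reply: read
    last_cid at start-up, count upward, write it back only on a clean exit."""

    def __init__(self, db, sid):
        self.db, self.sid = db, sid
        (self.cid,) = db.execute(
            "SELECT last_cid FROM sensor WHERE sid = ?", (sid,)).fetchone()

    def log_event(self, signature, timestamp):
        self.cid += 1
        self.db.execute(
            "INSERT INTO event (sid, cid, signature, timestamp) VALUES (?, ?, ?, ?)",
            (self.sid, self.cid, signature, timestamp))
        self.db.commit()
        return self.cid

    def clean_exit(self):
        self.db.execute("UPDATE sensor SET last_cid = ? WHERE sid = ?",
                        (self.cid, self.sid))
        self.db.commit()


def stale_sensors(db):
    """Diagnostic: sensors whose stored last_cid is behind the highest cid
    actually present in event. Returns [(sid, last_cid, max_cid), ...]."""
    return db.execute("""
        SELECT s.sid, s.last_cid, MAX(e.cid)
        FROM sensor s JOIN event e ON e.sid = s.sid
        GROUP BY s.sid
        HAVING s.last_cid < MAX(e.cid)
    """).fetchall()


def repair_last_cid(db):
    """The manual fix from the reply: move last_cid up to the highest cid in
    use, so the next start-up begins at an unused value. Same statement
    works on MySQL; run it with Snort/Barnyard stopped."""
    db.execute("""
        UPDATE sensor SET last_cid = COALESCE(
            (SELECT MAX(cid) FROM event WHERE event.sid = sensor.sid), last_cid)
    """)
    db.commit()
    return db.execute("SELECT sid, last_cid FROM sensor ORDER BY sid").fetchall()


def run_scenario():
    """Log two events, 'crash' without clean_exit, restart, hit the duplicate
    key, repair, restart again and confirm logging resumes."""
    db = new_db()
    first = OutputPlugin(db, 1)
    first.log_event(4, "2011-01-24 11:57:37")   # cid 1
    first.log_event(4, "2011-01-24 11:57:38")   # cid 2
    # No first.clean_exit(): sensor.last_cid stays at the stale value 0.

    restarted = OutputPlugin(db, 1)              # reads last_cid = 0
    duplicate, error = False, ""
    try:
        restarted.log_event(4, "2011-01-24 11:58:00")   # tries cid 1 again
    except sqlite3.IntegrityError as exc:        # MySQL: "Duplicate entry"
        duplicate, error = True, str(exc)
        db.rollback()

    stale = stale_sensors(db)                    # [(1, 0, 2)]
    repaired = repair_last_cid(db)               # [(1, 2)]
    recovered = OutputPlugin(db, 1)              # now reads last_cid = 2
    next_cid = recovered.log_event(4, "2011-01-24 11:58:01")   # cid 3
    recovered.clean_exit()
    return {"duplicate_on_restart": duplicate, "error": error, "stale": stale,
            "last_cid_after_repair": repaired[0][1], "cid_after_repair": next_cid}


if __name__ == "__main__":
    print(run_scenario())
```

The diagnostic query is the useful part for the original question ("how do I discover where the mysql error is"): a sensor row whose `last_cid` is lower than `MAX(cid)` in `event` for that `sid` is exactly the condition that produces the duplicate-entry error on the next start.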