Snort mailing list archives
Re: Barnyard2 issue w/unified2 ?
From: Jeff Kell <jeff-kell () utc edu>
Date: Thu, 15 Aug 2013 13:00:16 -0400
On 8/15/2013 11:52 AM, John Ives wrote:
Jeff,

My understanding from my own research is that for each instance of snort on a system there needs to be an instance of barnyard2, each with its own configuration file. Supposedly, that is all that is needed. However, I have not been able to make it work as all but one of the barnyards will eventually crash. Unfortunately, I have not had enough time to look for a fix, since moving to fewer systems running pf_ring instead of a cluster of systems is a roadmap project. I will, however, be watching this thread with interest.
We run two sensors, each with 4 instances of snort and 4 instances of barnyard2, with unique configurations for each. Each sensor has its own ID:

< Sensor > < Name >
23 snort-campus-1:p1p1:p1p1
24 snort-campus-3:p1p1:p1p1
25 snort-campus-2:p1p1:p1p1
26 snort-campus-4:p1p1:p1p1
27 snort-dorms-1:p1p1:p1p1
28 snort-dorms-2:p1p1:p1p1
29 snort-dorms-3:p1p1:p1p1
30 snort-dorms-4:p1p1:p1p1

The "issue" generally appears at startup (and beenph indicated sig_reference is populated at startup), with a duplicate row in sig_reference. All instances crash with the same error. For example:
[jeff@snort-campus ~]$ sudo grep barn /var/log/messages|grep Duplicate
Aug 13 09:59:08 snort-campus barnyard2[29867]: FATAL ERROR: database mysql_error: Duplicate entry '167807-1' for key 'PRIMARY'#012#011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('154939','167807','1');]
Aug 13 09:59:36 snort-campus barnyard2[29874]: FATAL ERROR: database mysql_error: Duplicate entry '167807-1' for key 'PRIMARY'#012#011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('154939','167807','1');]
Aug 13 09:59:42 snort-campus barnyard2[29878]: FATAL ERROR: database mysql_error: Duplicate entry '167807-1' for key 'PRIMARY'#012#011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('154939','167807','1');]
Aug 13 09:59:43 snort-campus barnyard2[29882]: FATAL ERROR: database mysql_error: Duplicate entry '167807-1' for key 'PRIMARY'#012#011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('154939','167807','1');]

[jeff@snort-dorms ~]$ sudo grep barn /var/log/messages|grep Duplicate
Aug 14 18:41:34 snort-dorms barnyard2[31989]: FATAL ERROR: database mysql_error: Duplicate entry '167807-1' for key 'PRIMARY'#012#011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('132475','167807','1');]
Aug 14 18:41:49 snort-dorms barnyard2[31993]: FATAL ERROR: database mysql_error: Duplicate entry '167807-1' for key 'PRIMARY'#012#011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('132475','167807','1');]
Aug 14 18:42:26 snort-dorms barnyard2[31998]: FATAL ERROR: database mysql_error: Duplicate entry '167807-1' for key 'PRIMARY'#012#011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('132475','167807','1');]
Aug 14 18:42:40 snort-dorms barnyard2[32002]: FATAL ERROR: database mysql_error: Duplicate entry '167807-1' for key 'PRIMARY'#012#011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('132475','167807','1');]
These errors have persisted even after a "delete from sig_reference;" on the database, both before and after the InnoDB conversion. I'm a bit loath to recreate the database (loss of current events) but if beenph insists that's the only sure fix, I may have to bite the bullet.

Jeff
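
A triage sketch for the syslog lines quoted in the message above, added here as an example (not part of the original post and not barnyard2 code): it undoes syslog's #012/#011 control-character escaping, extracts the rejected INSERT, and groups the crashes by host and duplicate key. The function names are hypothetical, and the last sample line is constructed.

```python
import re
from collections import defaultdict

# First two log lines per sensor, copied from the message above, plus one
# constructed unrelated line to show that other barnyard2 output is skipped.
SAMPLE_LOG = """\
Aug 13 09:59:08 snort-campus barnyard2[29867]: FATAL ERROR: database mysql_error: Duplicate entry '167807-1' for key 'PRIMARY'#012#011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('154939','167807','1');]
Aug 13 09:59:36 snort-campus barnyard2[29874]: FATAL ERROR: database mysql_error: Duplicate entry '167807-1' for key 'PRIMARY'#012#011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('154939','167807','1');]
Aug 14 18:41:34 snort-dorms barnyard2[31989]: FATAL ERROR: database mysql_error: Duplicate entry '167807-1' for key 'PRIMARY'#012#011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('132475','167807','1');]
Aug 14 18:41:49 snort-dorms barnyard2[31993]: FATAL ERROR: database mysql_error: Duplicate entry '167807-1' for key 'PRIMARY'#012#011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('132475','167807','1');]
Aug 14 18:42:00 snort-dorms barnyard2[31993]: unrelated message (constructed)
"""

DUP_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\sbarnyard2\[(?P<pid>\d+)\]:\s"
    r"FATAL ERROR: database mysql_error: Duplicate entry '(?P<key>[^']*)' "
    r"for key '(?P<index>[^']*)'(?P<rest>.*)$")
INSERT_RE = re.compile(r"INSERT INTO (\w+) \(([^)]*)\) VALUES \(([^)]*)\)")

def unescape_syslog(text):
    """Undo syslog's #ooo octal escaping of control characters (#012 = LF, #011 = TAB)."""
    return re.sub(r"#([0-3][0-7]{2})", lambda m: chr(int(m.group(1), 8)), text)

def parse_duplicates(log_text):
    """Return one record per barnyard2 'Duplicate entry' crash line."""
    records = []
    for line in log_text.splitlines():
        m = DUP_RE.match(line)
        if not m:
            continue
        rec = {"host": m["host"], "pid": int(m["pid"]), "key": m["key"], "table": None, "row": {}}
        ins = INSERT_RE.search(unescape_syslog(m["rest"]))
        if ins:  # plain comma split is enough for the numeric values logged here
            cols = [c.strip() for c in ins.group(2).split(",")]
            vals = [v.strip().strip("'") for v in ins.group(3).split(",")]
            rec["table"], rec["row"] = ins.group(1), dict(zip(cols, vals))
        records.append(rec)
    return records

def summarize(records):
    """Group crashes by (host, table, duplicate key): distinct PIDs and rejected rows."""
    out = defaultdict(lambda: {"pids": set(), "rows": set()})
    for r in records:
        entry = out[(r["host"], r["table"], r["key"])]
        entry["pids"].add(r["pid"])
        entry["rows"].add(tuple(sorted(r["row"].items())))
    return dict(out)
```

Several distinct PIDs under one (host, table, key) group with a single rejected row means every instance on that sensor is failing on the same insert, which matches the "all instances crash with the same error" observation.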