Re: Barnyard2 reports database insert errors

[Dave Corsello <snort-users () wintertreemedia com>]

On 11/2/2013 1:16 PM, beenph wrote:
> Timestamp is not necessarly important (while yes it can allow you to 
> correlate) You can have more than on event with the same timestamp, 
> thus its not a definitive identifiant, especialy at the schema level. 
> And cid is incremented everytime an event is logged.
> > By elimination, I think the possibilities are that either: 1) MySQL is
> > intermittently not sending back a status; 2) barnyard2 is intermittently not
> > processing the MySQL status that it receives; or 3) sometimes the status
> > message gets lost between the MySQL box and the Snort box.  Number 3 might
> > be supported by the fact that the NIC on my MySQL box shows in the
> > neighborhood of 500 RX-ERR packets for every 3 million RX-OK packets daily.
> > My Snort box shows consistently 0 RX-ERR and 0 TX-ERR.  But it would seem to
> > me that RX-ERRs on the MySQL box would more likely result in botched
> > inserts, not in status messages failing to transmit, right?  Unless the
> > packets that are failing are ones that would indicate where MySQL should
> > send a status message...  I wonder if this would cause MySQL to throw errors
> > that appear in a log...  Nope, the MySQL error logs are empty.  Again, the
> > RX-ERRs could be related to something peculiar within the overall
> > environment.  I'll look into that when I have time.
> I do not even understand that you mean by "status" at the mysql level.

MySQL returns info on the success or failure of a query, right? That's 
what I mean by "status".

> What i think is that you could have had a network outtage link betwen
> the by2 vm and the mysql vm
> and that as soon as the connection was brought back up, operation
> resumed to normal but you got
> the error message logged.

I see, so you think the inserts initially fail, but barnyard2 tries 
again, and then they succeed.

> Anyhow if i look at the original err message you posted there was
> probably more data thant just this
> <SNIP>
> Nov 1 10:25:14 snort2 barnyard2[XXXXX]: [Database()]: Insertion of Query
> [INSERT INTO event (sid,cid,signature,timestamp) VALUES (X, XXXXXX,
> XXXXXX, '2013-11-01 10:25:09');] failed
> </SNIP>
>
> You probably got the full stack of the event logged to syslog like it
> should be outputting.

Yes, I posted only the first query failure.


------------------------------------------------------------------------------
Android is increasing in popularity, but the open development platform that
developers love is also attractive to malware creators. Download this white
paper to learn more about secure code signing practices that can help keep
Android apps secure.
http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!