Re: Barnyard2 problems with reputation preproc rules

[Dave Corsello <snort-users () wintertreemedia com>]

No, sorry, I forgot to include version info.  I've been on by2 version
2.1.13 build 327 and snort 2.9.5.5 for months.  All snort tables are
InnoDB; all acid tables are MyISAM.  None of this has changed.  The only
thing that's changed that I can see is the number of blacklist IP's, but
that changes almost daily.  i suppose I could try deleting signature
16501, but it's linked to thousands of events.

On 2/1/2014 11:31 PM, beenph wrote:
> On Sat, Feb 1, 2014 at 8:21 PM, Dave Corsello
> <snort-users () wintertreemedia com> wrote:
> > I've been getting barnyard2 errors today.  The first set of errors that
> > I see are:
> Wild guess, you rescently updated to 2-1.13 and your using mysql with
> MyIASM storage?
> -elz
>
> > Feb  1 09:37:46 snort1 barnyard2[23251]: ERROR database: calling Insert() in [dbSignatureInformationUpdate()]
> >
> > Feb  1 09:37:46 snort1 barnyard2[23251]: [dbProcessSignatureInformation()] Line[1556], call to 
> > dbSignatureInformationUpdate failed for : #012[gid :136] [sid: 1] [upd_rev: 1] [upd class: 4] [upd pri 2]
> >
> > Feb  1 09:37:46 snort1 barnyard2[23251]: FATAL ERROR: [dbProcessSignatureInformation()]: Failed, stoping processing
> >
> >
> > Thereafter, I see the following every few minutes:
> >
> > Feb  1 09:43:43 snort1 barnyard2[24461]: ERROR database: Returned signature_id [16501] is not equal to updated 
> > signature_id [16936] in [dbSignatureInformationUpdate()]
> >
> > Feb  1 09:43:43 snort1 barnyard2[24461]: [dbProcessSignatureInformation()] Line[1556], call to 
> > dbSignatureInformationUpdate failed for : #012[gid :136] [sid: 1] [upd_rev: 1] [upd class: 4] [upd pri 2]
> >
> > Feb  1 09:43:43 snort1 barnyard2[24461]: FATAL ERROR: [dbProcessSignatureInformation()]: Failed, stoping processing
> >
> >
> > I tried deleting sig_id 16936 from the signature table, but then I just
> > get an error with a new signature id:
> >
> > Feb  1 20:17:52 snort1 barnyard2[25132]: ERROR database: Returned signature_id [16501] is not equal to updated 
> > signature_id [17372] in [dbSignatureInformationUpdate()]
> >
> >
> > Any ideas how to correct or work around this?
> >
> > Thanks,
> > Dave
> >
> >
> > ------------------------------------------------------------------------------
> > WatchGuard Dimension instantly turns raw network data into actionable
> > security intelligence. It gives you real-time visual feedback on key
> > security issues and trends.  Skip the complicated setup - simply import
> > a virtual appliance and go from zero to informed in seconds.
> > http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
WatchGuard Dimension instantly turns raw network data into actionable 
security intelligence. It gives you real-time visual feedback on key
security issues and trends.  Skip the complicated setup - simply import
a virtual appliance and go from zero to informed in seconds.
http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!