Snort mailing list archives
Re: Barnyard2 process stops when [gid :124] [sid: 1] [upd_rev: 1] fires
From: beenph <beenph () gmail com>
Date: Thu, 31 Jul 2014 20:41:33 -0400
What's the result of the commands I provided?

Also, as long as you insert with a different sensor name / interface combination, there is no issue having multiple by2 processes inserting in the same database.

On Thu, Jul 31, 2014 at 7:47 AM, Avery Rozar <Avery.Rozar () i-techsupport com> wrote:
> I did upgrade from 2.1.9, but at that time it was not writing to a db, it was writing to a file and shipping the alerts to an indexer instead. The db stuff is new.
>
> I do have 4 instances of snort/barnyard combo on this box writing to the same db, could this be an issue? The reason for this is to provide 4 "zones" for the IPS. I'm referring to a "zone" as an inline interface pair (dna0:dna1, dna2:dna3 and so on). If this is not the ideal way to accomplish this, what would be the best way?
>
> Thanks for your help!
>
> On 7/30/14, 7:32 PM, "beenph" <beenph () gmail com> wrote:
> > Did you upgrade from 2-1.9 or 2-1.10-12 ?
> >
> > If so you might want to delete all preprocessor in the signature table where sig_class is 0 OR sig_priority is 0;
> >
> > 1.
> >   DELETE FROM signature WHERE sig_gid > 1 AND (sig_class_id = 0 OR sig_priority = 0);
> >
> > Or run the update manually
> >
> > 2.
> >   UPDATE signature SET sig_class_id = 12, sig_priority = 1 WHERE sig_id = 166;
> >
> > Before choosing any option do this (to see the state of the table);
> >
> >   SELECT sig_gid, sig_sid, sig_name FROM signature
> >   WHERE (sig_class_id = 0 OR sig_priority = 0) AND sig_gid > 1;
> >
> > And then you could run this to see how many events would be affected by the delete.
> >
> >   SELECT a.sid, a.cid, COUNT(*)
> >   FROM event AS a,
> >        (SELECT sig_id, sig_gid, sig_sid FROM signature
> >         WHERE (sig_class_id = 0 OR sig_priority = 0) AND sig_gid > 1) AS b
> >   WHERE a.signature = b.sig_id
> >   GROUP BY a.sid, a.cid;
> >
> > On Wed, Jul 30, 2014 at 7:54 AM, Avery Rozar <Avery.Rozar () i-techsupport com> wrote:
> > > SELECT * FROM signature WHERE sig_gid = 124 and sig_sid=1;
> > >
> > >  sig_id |                sig_name                 | sig_class_id | sig_priority | sig_rev | sig_sid | sig_gid
> > >     166 | smtp: Attempted command buffer overflow |            0 |            0 |       1 |       1 |     124
> > > (1 row)
> > >
> > > On 7/29/14, 7:13 PM, "beenph" <beenph () gmail com> wrote:
> > > > SELECT * FROM signature WHERE sig_gid = 124 and sig_sid=1;
> > > >
> > > > On Tue, Jul 29, 2014 at 7:41 AM, Avery Rozar <Avery.Rozar () i-techsupport com> wrote:
> > > > > VERSION INFO
> > > > > CentOS 6.5
> > > > > PostgreSQL 8.4.20
> > > > > Barnyard2 2.1.13 (Build 327)
> > > > > Snort 2.9.5.6 GRE (Build 208)
> > > > >
> > > > > ERROR MESSAGE
> > > > > ERROR database: database: postgresql_error: ERROR: permission denied for relation signature#012
> > > > > ERROR database: calling Insert() in [dbSignatureInformationUpdate()]
> > > > > [dbProcessSignatureInformation()] Line[1556], call to dbSignatureInformationUpdate failed for : #012[gid :124] [sid: 1] [upd_rev: 1] [upd class: 12] [upd pri 1]
> > > > > FATAL ERROR: [dbProcessSignatureInformation()]: Failed, stoping processing
> > > > >
> > > > > During the middle of operation, if the smtp pre-processor fires, Barnyard2 dies with this error. And if I restart the process it gives the same error and stops. If I restart snort, remove the waldo file and then start Barnyard2, it works fine until this pre-processor fires again.
> > > > >
> > > > > Has anyone seen this before?
> > > > >
> > > > > Thanks,
> > > > > Avery
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
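Added example, not part of the thread: the log line quoted above shows PostgreSQL answering "permission denied for relation signature" while Barnyard2 is inside dbSignatureInformationUpdate(), so one check a reader can run is what the Barnyard2 database role is actually allowed to do on each table. The role name `snort` and the schema `public` are assumptions; substitute the user from the `output database` line in barnyard2.conf.

```sql
-- Added example, not from the thread. 'snort' is a placeholder role name and
-- 'public' an assumed schema; run as a superuser or as the database owner.

-- 1. Privilege matrix for that role on every table in the schema.
SELECT c.relname AS table_name,
       has_table_privilege('snort', c.oid, 'SELECT') AS can_select,
       has_table_privilege('snort', c.oid, 'INSERT') AS can_insert,
       has_table_privilege('snort', c.oid, 'UPDATE') AS can_update,
       has_table_privilege('snort', c.oid, 'DELETE') AS can_delete
FROM pg_class AS c
JOIN pg_namespace AS n ON n.oid = c.relnamespace
WHERE c.relkind = 'r'          -- ordinary tables only
  AND n.nspname = 'public'
ORDER BY c.relname;

-- 2. Replay the kind of statement that failed, as that role, without
--    changing any data: the UPDATE rewrites the column with its own value
--    and the transaction is rolled back either way.
BEGIN;
SET LOCAL ROLE snort;
UPDATE signature
   SET sig_class_id = sig_class_id
 WHERE sig_gid = 124 AND sig_sid = 1;
ROLLBACK;

-- 3. Run only if step 1 shows can_update = false for signature:
--    grant the single missing privilege rather than ALL.
GRANT UPDATE ON signature TO snort;
```

If step 2 reproduces the "permission denied" error, the failure is a grant problem on the role and is independent of which signature row triggered the update.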
Current thread:
- Barnyard2 process stops when [gid :124] [sid: 1] [upd_rev: 1] fires Avery Rozar (Jul 29)
- Re: Barnyard2 process stops when [gid :124] [sid: 1] [upd_rev: 1] fires beenph (Jul 29)
- Re: Barnyard2 process stops when [gid :124] [sid: 1] [upd_rev: 1] fires Avery Rozar (Jul 30)
- Re: Barnyard2 process stops when [gid :124] [sid: 1] [upd_rev: 1] fires beenph (Jul 30)
- Re: Barnyard2 process stops when [gid :124] [sid: 1] [upd_rev: 1] fires Avery Rozar (Jul 31)
- Re: Barnyard2 process stops when [gid :124] [sid: 1] [upd_rev: 1] fires beenph (Jul 31)
- Re: Barnyard2 process stops when [gid :124] [sid: 1] [upd_rev: 1] fires Avery Rozar (Jul 30)
- Re: Barnyard2 process stops when [gid :124] [sid: 1] [upd_rev: 1] fires beenph (Jul 29)