Re: Snort, barnyard2, snorby issue

["Joel Esler (jesler)" <jesler () cisco com>]

have you guys submitted these changes upstream to barnyard2?


> On Mar 6, 2015, at 11:39 AM, Juan Jesus Prieto <jjprieto () redborder org> wrote:
>
> Hi Florian,
>
>   This is an common issue with barnyard2. Sometimes, it fails with 
> database transaction and, when you reach tha maximun number of fails, 
> the barnyard2 process exit. You will need to debug the database side in 
> order to determine wich transaction is failling and why.
>
>   The problem with barnyard2 database output pluging is that it is very 
> weak (latencies, busy database server, etc, may be part of the problem). 
> We have solved it creating a new output plugin that use apache kafka, 
> capable of sending thousands of alerts per second. You can download the 
> project from the clon at github:
>
> https://github.com/redBorder/barnyard2
>
>   Regards.
>
>
> El 06/03/15 a las 10:51, Florian Knorn escribió:
> > Hi,
> >
> > I believe there was a post about this same issue before
> > (http://seclists.org/snort/2014/q4/40).
> >
> > Sporadically, barnyard2 crashes after some failed DB transaction. Most
> > of the time it works fine, sometimes some transactions fail (but don’t
> > crash barnyard), but sometimes they do.
> >
> > Snort/barnyard2 are running from the latest pfSense package. I’ve
> > installed snorby following the relevant parts from this guide:
> > http://virtuallyhyper.com/2014/04/snort-debian/. So barnyard is
> > writing to the database as prepared / created by snorby.
> >
> > Thanks for any pointers!
> >
> > Here’s an example of one that didn’t crash barnyard:
> >
> > Mar 6 02:54:50barnyard2[153]: WARNING database [Database()]: End of
> > failed transaction block
> > ,Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
> > [3] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst,
> > ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl,
> > ip_proto, ip_csum) VALUES
> > (5,253,<not-telling><not-telling>,4,5,0,40,42410,0,0,127,6,57460);]
> > Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
> > [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport,
> > tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win,
> > tcp_csum, tcp_urp) VALUES
> > (5,253,4904,80,2911421922,1430277470,5,0,16,65417,4376,0);]
> > Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
> > [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp)
> > VALUES (5, 253, 58713, '2015-03-06 02:54:44');]
> > Mar 6 02:54:50barnyard2[153]: WARNING database: [Database()] Failed
> > transaction with current query transaction
> > Mar 6 02:54:50barnyard2[153]: [Database()]: Insertion of Query [INSERT
> > INTO event (sid,cid,signature,timestamp) VALUES (5, 253, 58713,
> > '2015-03-06 02:54:44');] failed
> >
> > Here’s an example of one that CRASHES barnyard:
> >
> > Mar 6 03:50:54barnyard2[153]: Barnyard2 exiting
> > Mar 6 03:50:54barnyard2[153]: FATAL ERROR: database Unable to rollback
> > transaction in [Database()]
> > Mar 6 03:50:54barnyard2[153]: [RollbackTransaction(): Call failed, we
> > reached the maximum number of transaction error [10]
> > Mar 6 03:50:54barnyard2[153]: WARNING database [Database()]: End of
> > failed transaction block
> > Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> > [6] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst,
> > ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl,
> > ip_proto, ip_csum) VALUES
> > (5,259,<not-telling>,<not-telling>,4,5,0,60,49293,0,0,63,6,32628);]
> > Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> > [5] Failed Query Body [INSERT INTO opt
> > (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
> > (5,259,4,6,3,1,'07');]
> > Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> > [4] Failed Query Body [INSERT INTO opt
> > (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
> > (5,259,2,6,8,8,'5C7D05F600000000');]
> > Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> > [3] Failed Query Body [INSERT INTO opt
> > (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
> > (5,259,0,6,2,2,'05B4');]
> > Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> > [2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport,
> > tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win,
> > tcp_csum, tcp_urp) VALUES
> > (5,259,59772,22,1147913595,0,10,0,2,5840,57224,0);]
> > Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
> > [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp)
> > VALUES (5, 259, 74262, '2015-03-06 03:50:49');]
> > Mar 6 03:50:54barnyard2[153]: WARNING database: [Database()] Failed
> > transaction with current query transaction
> >
> > ------------------------------------------------------------------------------
> > Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> > by Intel and developed in partnership with Slashdot Media, is your hub for all
> > things parallel software development, from weekly thought leadership blogs to
> > news, videos, case studies, tutorials and more. Take a look and join the
> > conversation now. http://goparallel.sourceforge.net/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for all
> things parallel software development, from weekly thought leadership blogs to
> news, videos, case studies, tutorials and more. Take a look and join the 
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!