Snort mailing list archives

Re: barnyard regular restart required


From: "Matthew Babcock" <MBabcock () AandRTech com>
Date: Mon, 9 Mar 2009 10:20:15 -0400 (EDT)


I am willing to bet it is. The Snort >> MySQL connection timeout was a
big roadblock for me. It would manifest as Snort running, and not getting
events added to MySQL (and still showing via 'lsof -i' that Snort was
connected to MySQL).

There are two easy ways to prove this.

1 - Temporarily stop using Barnyard, and make Snort log to MySQL directly.
Make sure you have Snort enabled to log to MySQL (in Debian the
package name is snort-mysql; run sudo aptitude show snort, and if there is an
'i' in front of snort-mysql you already have it installed; otherwise you
can install it, use aptitude though...). Let it run for a while and look for
those snort messages I mentioned ("database has gone away"). If you get them
(and I suspect you will) you know what the problem is.

If you compiled from source that changes things a bit.

2 - Even easier, enable the icmp-info.rules and use a system on your LAN
to continuously ping something on the internet. Make sure you get the ICMP
ECHO/PING alerts and see if it stops working again.

I made a signature that turned Nagios traffic into a heartbeat/alert,
avoiding the problem.

for reference...
---------
sudo aptitude show snort-mysql |grep ersion && sudo aptitude show
mysql-server-5.0 |grep ersion
Version: 2.7.0-20.3
Version: 5.0.51a-24
-----------


Regards,
-- Matthew R. Babcock
CEO, Principal Consultant
A & R Technology Consulting - Providing solutions, not limitations -
MBabcock () AandRTech com
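The heartbeat approach described above, as an added monitoring example that is not part of the original post: it scans constructed Snort syslog lines, counts the "MySQL server has gone away" errors the thread quotes, and measures how long it has been since the last ICMP echo alert (the alert text, sid and the 300-second threshold are assumptions, not values from the thread).

```python
"""Heartbeat check for a Snort/Barnyard -> MySQL pipeline.

Assumes Snort also writes its alerts to syslog (alert_syslog) so that
the heartbeat alerts and the database error messages land in one log.
"""
import re
from datetime import datetime

# Error text as quoted in the thread for Snort logging straight to MySQL.
GONE_AWAY = re.compile(r"database: mysql_error: MySQL server has gone away")
# Assumed heartbeat alert: an ICMP echo alert from icmp-info.rules
# (the sid/msg in the sample lines are illustrative, not from the thread).
HEARTBEAT = re.compile(r"snort\[\d+\]: \[\d+:\d+:\d+\] ICMP (Echo|PING)")
STAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")

# Constructed sample syslog lines, not taken from the original thread.
SAMPLE_SYSLOG = [
    "Mar  9 09:00:01 sensor snort[10778]: [1:408:5] ICMP Echo Reply "
    "[Classification: Misc activity] [Priority: 3]: {ICMP} 10.0.0.5 -> 10.0.0.9",
    "Mar  9 09:00:31 sensor snort[10778]: [1:408:5] ICMP Echo Reply "
    "[Classification: Misc activity] [Priority: 3]: {ICMP} 10.0.0.5 -> 10.0.0.9",
    "Mar  9 09:15:12 sensor snort[10778]: database: mysql_error: "
    "MySQL server has gone away",
]


def parse_stamp(line, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    m = STAMP.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def check_pipeline(lines, now, max_gap_s=300, year=2009):
    """Return (status, gone_away_count, seconds_since_last_heartbeat).

    STALE means the database link died or the heartbeat alerts stopped;
    that is the moment a Barnyard/Snort restart (or a page) is warranted.
    """
    gone_away = 0
    last_beat = None
    for line in lines:
        if GONE_AWAY.search(line):
            gone_away += 1
        elif HEARTBEAT.search(line):
            ts = parse_stamp(line, year)
            if ts and (last_beat is None or ts > last_beat):
                last_beat = ts
    gap = None if last_beat is None else (now - last_beat).total_seconds()
    if gone_away or gap is None or gap > max_gap_s:
        return ("STALE", gone_away, gap)
    return ("OK", gone_away, gap)
```

With the sample lines and a check time of 09:20:00 the result is STALE: one gone-away error and 1169 seconds since the last heartbeat alert.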

--On Monday, March 09, 2009 03:48:31 -0500 Ian Masters <ian () acces co jp> wrote:


Thanks again for the reply.

Again I do not use Barnyard, but any chance you are using outputting from
Barnyard to MySQL (did not catch it the first time but you must be if you
are using base...)? More specifically MySQL Server 5, there is an issue
where the connection to MySQL times out, and MySQL does nothing about it.

I am indeed outputting from Barnyard to MySQL and my MySQL version is
indeed 5 (Sorry I didn't include this information to begin with)

With Snort logging straight to MySQL this manifests as Snort log messages
like "snort[10778]: database: mysql_error: MySQL server has gone away "

Not sure if Barnyard will log anything in this scenario...

I haven't come across anything useful like that yet.

I *believe* that if you run lsof -i it will still show that snort
(barnyard in your case) is still connected to MySQL (even though the
connection is dead)

lsof -i shows:
mysqld     4637   mysql   10u  IPv4    8513       TCP *:mysql (LISTEN)

The machine is a test machine which gets very few alerts.

Thanks for the ideas. It's given me a bit more to think about. I'm
surprised that it's not happening to other users too.


What makes you think it isn't?  Some of us are watching the thread
wondering if someone has an answer.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
Check the headers before clicking on Reply.


------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
