Re: barnyard regular restart required

["Matthew Babcock" <MBabcock () AandRTech com>]

Looks like the MySQL connection time out to me..

Can Barnyard be run in batch mode against a .pcap? I would be willing to
bet that your problem would not manifest when run in batch mode (since it
would process the whole file at once as opposed to waiting for subsequent
packets)

Unless I am mistaken, you can prove this by starting tcpdump on whatever
interface snort listens on, and restart snort and barnyard.

When you see the problem happen again, kill snort, barnyard and tcpdump
then make barnyard process the pcap file you just made.

If the problem is not related to the MySQL connection timing out, the
problem should persist. If batch processing that pcap with barnyard works
flawlessly. Let everyone on the list know you have confirmed the problem
with the MySQL connection timing out. ;) GL.

---------
snort logging the mysql connection timed out...
: database: mysql_error: MySQL server has gone away SQL=INSERT INTO event
(sid,cid,signature,timestamp) VALUES...
------------


Regards,
-- Matthew R. Babcock
CEO, Principal Consultant
A & R Technology Consulting - Providing solutions, not limitations -
MBabcock () AandRTech com

> On Mon, 2009-03-09 at 13:50 +0000, Paul Schmehl wrote:
> > --On Monday, March 09, 2009 03:48:31 -0500 Ian Masters <ian () acces co jp>
> > wrote:
> >
> > > Thanks for the ideas. It's given me a bit more to think about. I'm
> > > surprised that it's not happening to other users too.
> >
> > What makes you think it isn't?  Some of us are watching the thread
> > wondering if
> > someone has an answer.
>
> Ian,
>
> Check your logs for messages like these:
>
> Mar 10 12:14:30 getafix barnyard[5010]: FATAL ERROR: Expected Confirm
> 222668 and got: Failed to insert 222668: mysqlexec: handle already
> closed (dangling pointer)
>
> This is what kills my BY all the time - just today, as you can see....
>
> I haven't been able to find an answer for it.
>
> CP
> ------------------------------------------------------------------------------
> Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
> powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
> easily build your RIAs with Flex Builder, the Eclipse(TM)based development
> software that enables intelligent coding and step-through debugging.
> Download the free 60 day trial.
> http://p.sf.net/sfu/www-adobe-com_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
easily build your RIAs with Flex Builder, the Eclipse(TM)based development
software that enables intelligent coding and step-through debugging.
Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users