Re: Snort and Barnyard - why do our logs stop

[beenph <beenph () gmail com>]

Legacy symptoms related to schema, soon enough they should change......

Leaning toward using DBMS wrapper function to handle that.
In the best of worlds, barnyard shouldn't be aware of internal
database requirement, it should log and it should work.

I am sure you are not the first one to have run into those issues Dwane.
And especially when your new to those things and trying to figure out
some inner mechanics.

But some insight provided by the previous poster about the last_cid in
the sensor table not being right could be
one of the problems.

to find out whats your current max cid do a SELECT MAX(cid) FROM EVENT
WHERE num_child= (id of your sensor_id).

Then you should update the value so its greater than the query
returned value and you should be fine as of the insertion problems.

You could also change your num_child.

Hopefully this will help you Dwane.


On Tue, Jan 25, 2011 at 9:21 AM, Champ Clark III [Softwink]
<champ () softwink com> wrote:
> On Tue, Jan 25, 2011 at 08:08:23AM -0600, Atkins, Dwane P wrote:
> > So delete the .waldo and then just do a touch and recreate it?
>
>        Barnyard2 waldo files are different than the older Barnyard
> file.  So the previous poster is right,  don't try to edit it.
>
>        You can give this a try,  but you're likely going to get the
> same error IMHO.  I could be wrong.  Barnyard2 will read in the
> last_cid,   which is invalid,  and produce the same error.   Until
> the sensor tables 'last_cid' is set correctly,  you're going to get
> duplicate INSERT errors.   At least I'm pretty sure,  YMMV.
> > -----Original Message-----
> > From: beenph [mailto:beenph () gmail com]
> > Sent: Tuesday, January 25, 2011 7:58 AM
> > To: Gibson, Nathan J. (HSC)
> > Cc: Atkins, Dwane P; snort-users () lists sourceforge net"
> > Subject: Re: [Snort-users] Snort and Barnyard - why do our logs stop
> >
> > You should never manually edit the waldo file for any reason.
> > The best way to handle a waldo file is to delete it and create it empty (by2).
> >
> >
> >
> > On Mon, Jan 24, 2011 at 4:44 PM, Gibson, Nathan J. (HSC)
> > <Nathan-Gibson () ouhsc edu> wrote:
> > > Delete your current snort.log files. Restart snort only for about 5 minutes.
> > >
> > >
> > >
> > > Edit your waldo file and put the name for the new snort.log in there
> > > starting at row 1 and then restart barnyard.
> > >
> > >
> > >
> > > Looks like it trying to process and snort.log it has already processed.
> > > Basically trying to stick the same event back into the database it already
> > > stuck in there.
> > >
> > >
> > >
> > > If that doesn't work, I usually just backup and purge my database and it
> > > starts up just fine.
> > >
> > >
> > >
> > > From: Atkins, Dwane P [mailto:ATKINSD () uthscsa edu]
> > > Sent: Monday, January 24, 2011 11:55 AM
> > > To: Atkins, Dwane P; 'snort-users () lists sourceforge net"'
> > > Subject: Re: [Snort-users] Snort and Barnyard - why do our logs stop
> > >
> > >
> > >
> > > 01/24-11:57:37.207454? [**] [1:1394:12] SHELLCODE x86 inc ecx NOOP [**]
> > > [Classification: Executable Code was Detected] [Priority: 1] {UDP}
> > > 129.111.107.10:5247 -> 129.111.94.116:12929
> > >
> > > database: mysql_error: Duplicate entry '1-15358037' for key 'PRIMARY'
> > >
> > > SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 15358037, 4,
> > > '2011-01-24 11:57:37')
> > >
> > >
> > >
> > > What does this mean?? Why am I getting duplicate entries and how do I
> > > discover where the mysql error is?
> > >
> > >
> > >
> > > Dwane
> > >
> > >
> > >
> > > From: Atkins, Dwane P [mailto:ATKINSD () uthscsa edu]
> > > Sent: Monday, January 24, 2011 11:40 AM
> > > To: 'snort-users () lists sourceforge net"'
> > > Subject: [Snort-users] Snort and Barnyard - why do our logs stop
> > >
> > >
> > >
> > > In a normal week, we get maybe two weeks of logs prior to the logging
> > > stops.? And when I do a ps -ef | grep snort, snort has stopped. Barnyard2 is
> > > still is the processes but snort has stopped.
> > >
> > >
> > >
> > > Where can I go to investigate this?? Is there a log file somewhere that will
> > > report why the process has stopped? I am stumped.? Why does something work
> > > good for two days and then stop? Is it? a resource issue?? If I need to
> > > extend it, I can, but what do I extend to the LVM group?
> > >
> > > Thank you all for your help.? This is starting to get rather frustrating.
> > >
> > >
> > >
> > > Dwane
> > >
> > > ------------------------------------------------------------------------------
> > > Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> > > Finally, a world-class log management solution at an even better price-free!
> > > Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> > > February 28th, so secure your free ArcSight Logger TODAY!
> > > http://p.sf.net/sfu/arcsight-sfd2d
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > ------------------------------------------------------------------------------
> > Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> > Finally, a world-class log management solution at an even better price-free!
> > Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> > February 28th, so secure your free ArcSight Logger TODAY!
> > http://p.sf.net/sfu/arcsight-sfd2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
>        Champ Clark III | Softwink, Inc | 800-538-9357 x 101
>                     http://www.softwink.com
>
> GPG Key ID: 58A2A58F
> Key fingerprint = 7734 2A1C 007D 581E BDF7  6AD5 0F1F 655F 58A2 A58F
> If it wasn't for C, we'd be using BASI, PASAL and OBOL.
>
> ------------------------------------------------------------------------------
> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> Finally, a world-class log management solution at an even better price-free!
> Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> February 28th, so secure your free ArcSight Logger TODAY!
> http://p.sf.net/sfu/arcsight-sfd2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users