Re: Barnyard2 issue w/unified2 ?

[Jen Andre <jandre () gmail com>]

This is clearly a concurrency issue. You have multiple snort sensors
distributed across boxes, each with their own barnyard processes --
encountering the same signature and inserting into sig_reference with the
same ref_seq/sig_id combo.   It will not be fixed with a different database
engine.

The barnyard code would need to be altered such that

a) ignore on duplicate errors (not portable, see a mysql example here:
https://github.com/threatstack/pigsty-mysql/blob/master/lib/pigsty-mysql/signatures.js#L170-L171
)

or

b) retry on duplicate errors for certain tables and not crash - basically,
on failure, check the db to see if a valid value exists (because another
process somewhere has inserted it) and continue




On Tue, Aug 13, 2013 at 2:32 PM, Jeff Kell <jeff-kell () utc edu> wrote:

> On 8/9/2013 10:53 PM, beenph wrote:
> > I would highly suggest you that you
> > re-create a new DB with InnoDB and restart your barnyard2 sensor.
>
> Worked until today...
>
> > Aug 13 09:59:42 snort-campus barnyard2[29878]:
> ===============================================================================
> > Aug 13 09:59:43 snort-campus barnyard2[29882]: FATAL ERROR: database
> > mysql_error: Duplicate entry '167807-1' for key
> > 'PRIMARY'#012#011SQL=[INSERT INTO sig_reference
> > (ref_id,sig_id,ref_seq) VALUES ('154939','167807','1');]
> > Aug 13 09:59:43 snort-campus barnyard2[29882]: Barnyard2 exiting
> > Aug 13 09:59:43 snort-campus barnyard2[29882]: database: Closing
> > connection to database "snort"
>
> +------------------+--------+
> | table_name       | engine |
> +------------------+--------+
>       ...
> | event            | InnoDB |
> | icmphdr          | InnoDB |
> | iphdr            | InnoDB |
> | opt              | InnoDB |
> | reference        | InnoDB |
> | reference_system | InnoDB |
>
> Jeff
>
>
>
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite!
> It's a free troubleshooting tool designed for production.
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead. 
Download for free and get started troubleshooting in minutes. 
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!