Re: Barnyard2 issue w/unified2 ?

["Weir, Jason" <jason.weir () nhrs org>]

I've experienced this issue when I mistakenly start a second barnyard process without killing the original first.

Make sure you only have 1 barnyard process running on each box

Jason

________________________________
From: Jen Andre <jandre () gmail com>
To: Jeff Kell <jeff-kell () utc edu>
Cc: barnyard2-users () googlegroups com <barnyard2-users () googlegroups com>; snort-users () lists sourceforge net 
Users <snort-users () lists sourceforge net>
Sent: Tue Aug 13 18:26:59 2013
Subject: Re: [Snort-users] Barnyard2 issue w/unified2 ?

This is clearly a concurrency issue. You have multiple snort sensors distributed across boxes, each with their own 
barnyard processes -- encountering the same signature and inserting into sig_reference with the same ref_seq/sig_id 
combo.   It will not be fixed with a different database engine.

The barnyard code would need to be altered such that

a) ignore on duplicate errors (not portable, see a mysql example here:  
https://github.com/threatstack/pigsty-mysql/blob/master/lib/pigsty-mysql/signatures.js#L170-L171)

or

b) retry on duplicate errors for certain tables and not crash - basically, on failure, check the db to see if a valid 
value exists (because another process somewhere has inserted it) and continue




On Tue, Aug 13, 2013 at 2:32 PM, Jeff Kell <jeff-kell () utc edu<mailto:jeff-kell () utc edu>> wrote:
On 8/9/2013 10:53 PM, beenph wrote:
> I would highly suggest you that you
> re-create a new DB with InnoDB and restart your barnyard2 sensor.

Worked until today...

> Aug 13 09:59:42 snort-campus barnyard2[29878]:
> ===============================================================================
> Aug 13 09:59:43 snort-campus barnyard2[29882]: FATAL ERROR: database
> mysql_error: Duplicate entry '167807-1' for key
> 'PRIMARY'#012#011SQL=[INSERT INTO sig_reference
> (ref_id,sig_id,ref_seq) VALUES ('154939','167807','1');]
> Aug 13 09:59:43 snort-campus barnyard2[29882]: Barnyard2 exiting
> Aug 13 09:59:43 snort-campus barnyard2[29882]: database: Closing
> connection to database "snort"

+------------------+--------+
| table_name       | engine |
+------------------+--------+
      ...
| event            | InnoDB |
| icmphdr          | InnoDB |
| iphdr            | InnoDB |
| opt              | InnoDB |
| reference        | InnoDB |
| reference_system | InnoDB |

Jeff


------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead. 
Download for free and get started troubleshooting in minutes. 
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!