Snort mailing list archives

Re: Help w/ barnyard2 issues


From: John Ives <jives () security berkeley edu>
Date: Tue, 20 May 2014 11:53:24 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 5/20/14, 11:41 AM, Moore, Jim wrote:
> I have 2 issues w/ barnyard2 2.1.13 running on a Fedora 19 box.
> The box has 3 sensor interfaces w/ 3 snort instances and 3
> barnyard2 instances. Each of the barnyard2 instances is writing
> output to a fast alert file and a remote Postgresql database.  The
> first problem occurs during barnyard2 startup.  When the instance
> initializes the database connection it encounters a fatal error
> like so:
>
> ERROR database: Query [SELECT sig_id FROM signature WHERE (sig_sid
> = '17688') AND (sig_gid  = '1') AND (sig_rev  = '9') AND
> (sig_class_id = '9') AND (sig_priority = '1') AND (sig_name =
> 'BROWSER-IE Microsoft Internet Explorer userdata behavior memory
> corruption attempt'); ] returned more than one result
>
> So far, the only fix I have been able to come up w/ is to
> hand-remove the existing row from the signature table and restart 1
> barnyard2 instance.  The 2nd instance encounters the same error, so
> I repeat the process for all 3 instances.

I have encountered this same issue though not necessarily with this
same rule. Of course the reason that I have to restart the instance of
barnyard in the first place is that it crashed, probably as a result
of this sort of error.

For commonalities I am also logging to postgresql however I am doing
it from a FreeBSD box.

John

- -- 
- -------------------------------------------------------------------------
John Ives
Information Security & Policy                       Phone (510) 229-8676
University of California, Berkeley
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCgAGBQJTe6SkAAoJEJkidK6qbywsJOIH/2zb871CJvto2Olc31hSCsNS
80aLKIdzOLNKBPPSLpaD3GAwmKthKzEX6vvap0alM9422/XH/8gXXCGBscM0BB8B
PJBpuZG0uYRiau1hTs7VaUzmae7UkAgknhTwWA1e/nZ5UhDb8PlJ2SHqvObpDmMK
XCCXV6R99dh1DnYeI1y2Y5IMddTGR5GYaVV1yLmahI97igSU8EfUG+UvU9y/jutx
M6n/8G46rLn1/3/Vakjf2RhhI/5qa1MAhE9O9Mp+zxrgMwJ6tVZbXqrsEHqQpXXH
mWkPVKrE2OyTvDP/kEw+8rsO9PTMo0+URjF+0f8iObV0czIsMBR3BDKnXbvc+gU=
=xMLz
-----END PGP SIGNATURE-----
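The error quoted in the thread comes from barnyard2 selecting a signature by the six columns shown and getting two rows back. The script below is an added example, not code from the thread or from the barnyard2 project: it rebuilds the bad state in a throwaway database, shows the same lookup returning two rows, merges the duplicates without orphaning any event, and adds a unique index so the same key cannot be inserted twice. Assumptions, labelled in the code: the table and column names follow the barnyard2/Snort DB schema (`signature` keyed by `sig_id`, `event.signature` referencing it), column types are simplified, the database is an in-memory sqlite3 stand-in for the PostgreSQL server in the thread (the SQL used is standard and runs unchanged on PostgreSQL), the index name is this example's own, and the second signature row is a constructed sample. The thread only shows the symptom; that the duplicates come from several instances starting at once is an inference this example makes, not something the thread states.

```python
import sqlite3

# Constructed stand-in for the barnyard2 'signature' and 'event' tables.
# The thread's database is PostgreSQL; sqlite3 is used so this runs offline.
# Column names follow the barnyard2/Snort DB schema; types are simplified (assumption).
SCHEMA = """
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name     TEXT    NOT NULL,
    sig_class_id INTEGER,
    sig_priority INTEGER,
    sig_rev      INTEGER,
    sig_sid      INTEGER,
    sig_gid      INTEGER
);
CREATE TABLE event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL REFERENCES signature(sig_id),
    timestamp TEXT    NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

# The columns barnyard2's startup lookup (quoted in the thread) matches on.
KEY_COLS = ("sig_sid", "sig_gid", "sig_rev", "sig_class_id", "sig_priority", "sig_name")
KEY_LIST = ", ".join(KEY_COLS)
KEY_WHERE = " AND ".join(f"{c} = ?" for c in KEY_COLS)

# The signature from the thread's error message, plus one unrelated one (constructed).
IE_SIG = (17688, 1, 9, 9, 1,
          "BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt")
OTHER_SIG = (2100498, 1, 7, 20, 1, "GPL ATTACK_RESPONSE id check returned root")


def build_sample_db() -> sqlite3.Connection:
    """Reproduce the bad state: the IE signature inserted twice (as two barnyard2
    instances racing at startup would do) with events referencing both copies."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # make deleting a referenced row fail, as PostgreSQL would
    conn.executescript(SCHEMA)
    ins = f"INSERT INTO signature ({KEY_LIST}) VALUES (?, ?, ?, ?, ?, ?)"
    conn.execute(ins, IE_SIG)     # sig_id 1
    conn.execute(ins, OTHER_SIG)  # sig_id 2
    conn.execute(ins, IE_SIG)     # sig_id 3: the duplicate
    conn.executemany(
        "INSERT INTO event (sid, cid, signature, timestamp) VALUES (?, ?, ?, ?)",
        [(1, 1, 1, "2014-05-20 11:30:00"),
         (2, 1, 3, "2014-05-20 11:30:05"),  # written by the instance that created row 3
         (3, 1, 2, "2014-05-20 11:31:00")])
    conn.commit()
    return conn


def matching_rows(conn, key) -> int:
    """Run the same lookup barnyard2 runs at startup; >1 is the failure in the thread."""
    return len(conn.execute(f"SELECT sig_id FROM signature WHERE {KEY_WHERE}", key).fetchall())


def find_duplicate_signatures(conn) -> list:
    """Every key present more than once: (key columns..., lowest sig_id, row count)."""
    return conn.execute(
        f"SELECT {KEY_LIST}, MIN(sig_id), COUNT(*) FROM signature "
        f"GROUP BY {KEY_LIST} HAVING COUNT(*) > 1 ORDER BY MIN(sig_id)").fetchall()


def merge_duplicate_signatures(conn) -> int:
    """Collapse each duplicate group onto its lowest sig_id: repoint events first so
    none loses its signature, then delete the extra rows. Returns rows removed."""
    removed = 0
    with conn:  # single transaction, rolled back on any error
        for row in find_duplicate_signatures(conn):
            key, keep = row[:len(KEY_COLS)], row[len(KEY_COLS)]
            conn.execute(
                f"UPDATE event SET signature = ? WHERE signature IN "
                f"(SELECT sig_id FROM signature WHERE {KEY_WHERE} AND sig_id <> ?)",
                (keep, *key, keep))
            removed += conn.execute(
                f"DELETE FROM signature WHERE {KEY_WHERE} AND sig_id <> ?", (*key, keep)).rowcount
    return removed


def add_unique_signature_index(conn) -> None:
    """Index name is this example's own (not part of the barnyard2 schema). With it in
    place a second insert of the same key is rejected instead of creating a duplicate."""
    conn.execute(f"CREATE UNIQUE INDEX IF NOT EXISTS signature_key_uniq ON signature ({KEY_LIST})")
    conn.commit()


def orphaned_events(conn) -> int:
    """Events whose signature row no longer exists; must be 0 after a merge."""
    return conn.execute(
        "SELECT COUNT(*) FROM event WHERE signature NOT IN (SELECT sig_id FROM signature)").fetchone()[0]


def run_cleanup(conn) -> dict:
    """Detect, merge, protect; returns the counts a practitioner would check."""
    before = matching_rows(conn, IE_SIG)
    removed = merge_duplicate_signatures(conn)
    add_unique_signature_index(conn)
    try:
        conn.execute(f"INSERT INTO signature ({KEY_LIST}) VALUES (?, ?, ?, ?, ?, ?)", IE_SIG)
        rejected = False
    except sqlite3.IntegrityError:
        rejected = True
    return {"matches_before": before, "removed": removed, "matches_after": matching_rows(conn, IE_SIG),
            "orphans": orphaned_events(conn), "reinsert_rejected": int(rejected)}


if __name__ == "__main__":
    print(run_cleanup(build_sample_db()))
```

Against the real PostgreSQL database, run the duplicate query first and the merge inside a transaction with the barnyard2 instances stopped; check `orphaned_events` before committing. The unique index turns a silent duplicate into a visible insert error in the barnyard2 log; how barnyard2 itself behaves when that insert is rejected is not something the thread establishes, so try it on one instance before relying on it.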

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users