Snort mailing list archives
Re: mysql_error: Duplicate entry 1-2 for key PRIMARY table event
From: beenph <beenph () gmail com>
Date: Sat, 24 May 2014 13:32:32 -0400
It can also happen when people have upgraded from <2-1.13 and have not read the release notes that ask to delete the sig_reference table before upgrading.

https://groups.google.com/forum/#!topic/barnyard2-users/IIoyClc7XTc

<SNIP>
UPGRADE REQUIREMENTS

If you are upgrading to barnyard2 2-1.13 (build 327) or above from a previous version and using output database. You will need to delete every row in your sig_reference table. (DELETE FROM sig_reference;)

The table will be re-populated at startup, and has no impact on historical data.
</SNIP>

On Wed, May 14, 2014 at 12:50 PM, Jeremy Hoel <jthoel () gmail com> wrote:
This is a BY2 error (as you stated) and not a snort error, it would be best to post it to the BY2 mailing list.

https://groups.google.com/forum/#!forum/barnyard2-users

And in reference to this problem, it's something that happens with BY2 when two tasks update the table at basically the same time. There are fixes involving editing the database table.

https://groups.google.com/forum/#!searchin/barnyard2-users/%22database$20mysql_error$3A$20Duplicate$20entry%22$20primary

On Wed, May 14, 2014 at 9:34 AM, c0re <nr1c0re () gmail com> wrote:

Hello snort users!

I'm trying to set up barnyard2 and keep failing with it.

When I start barnyard2:

/usr/local/barnyard2-1.13/bin/barnyard2 -c /usr/local/barnyard2-1.13/etc/barnyard2.conf -d /var/log/snort -w /var/log/barnyard2/snort_dmz2.log.waldo -vvv -f snort_dmz2.log

It starts good. But when I start snort, barnyard2 sees new unified2 logs and tries to insert into the database and gives a Fatal error:

Opened spool file '/var/log/snort/snort_dmz2.log.1399902485'
05/12-17:48:05.783972 [**] [124:1:1] <dmz2> smtp: Attempted command buffer overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
05/12-17:48:05.815952 [**] [124:1:1] <dmz2> smtp: Attempted command buffer overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
ERROR: database mysql_error: Duplicate entry '1-2' for key 'PRIMARY'
SQL=[INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 2, 253, '2014-05-12 17:48:05');]
Fatal Error, Quitting..
Barnyard2 exiting

I have a fresh install of snort, pulledpork and barnyard2.

OS FreeBSD 8.3-RELEASE-p8
snort-2.9.6.0_1
pulledpork-0.7.0
barnyard2-1.13 built with --enable-debug, latest bug-fix from git because I had ERROR 0x0 and 0x7 in 1.13 version.

I've got only one snort instance and a fresh database for barnyard2. Tables in DB are InnoDB type.
barnyard2 config:

cool-ids# egrep -v '^$|^#' /usr/local/barnyard2-1.13/etc/barnyard2.conf
config reference_file: /usr/local/etc/snort/reference.config
config classification_file: /usr/local/etc/snort/classification.config
config gen_file: /usr/local/etc/snort/gen-msg.map
config sid_file: /usr/local/etc/snort/sid-msg.map
config hostname: cool-ids
config interface: dmz2
config alert_with_interface_name
config process_new_records_only
input unified2
output alert_fast: stdout
output database: alert, mysql, user=snort password=mypw dbname=snort host=5.5.5.5
output database: log, mysql, user=snort password=mypw dbname=snort host=5.5.5.5

Full log of barnyard2:

cool-ids# /usr/local/barnyard2-1.13/bin/barnyard2 -c /usr/local/barnyard2-1.13/etc/barnyard2.conf -d /var/log/snort -w /var/log/barnyard2/snort_dmz2.log.waldo -vvv -f snort_dmz2.log
Running in Continuous mode

--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
DEBUG => [Alert_FWsam](AlertFWsamSetup) Output plugin is plugged in...
Parsing config file "/usr/local/barnyard2-1.13/etc/barnyard2.conf"

+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
Node unique name is: cool-ids:dmz2
[ClassificationPullDataStore()]: No Classification found in database ...
[SignaturePullDataStore()]: No signature found in database ...
[SystemPullDataStore()]: No System found in database ...
[ReferencePullDataStore()]: No Reference found in database ...
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = 5.5.5.5
database: user = snort
database: database name = snort
database: sensor name = cool-ids:dmz2
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "alert" facility
Node unique name is: cool-ids:dmz2
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = 5.5.5.5
database: user = snort
database: database name = snort
database: sensor name = cool-ids:dmz2
database: sensor id = 1
database: sensor cid = 2
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

-------------------------------------------------
Keyword | Input @
-------------------------------------------------
unified2 : init() = 0x445970
unified2 : - readRecordHeader() = 0x4459f0
unified2 : - readRecord() = 0x445bd0
-------------------------------------------------

-------------------------------------------------
Keyword | Output @
-------------------------------------------------
alert_cef : 0x429d90
alert_syslog : 0x430210
log_tcpdump : 0x432da0
database : 0x439f70
alert_fast : 0x42bb00
alert_full : 0x42c720
alert_fwsam : 0x42cf30
alert_unixsock: 0x431770
alert_csv : 0x42a7e0
log_null : 0x432ca0
log_ascii : 0x432030
alert_test : 0x430fd0
sguil : 0x433b30
alert_syslog_full: 0x434d60
log_syslog_full: 0x434d40
-------------------------------------------------

--== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.13 (Build 333) DEBUG
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>

WARNING: Ignoring corrupt/truncated waldofile '/var/log/barnyard2/snort_dmz2.log.waldo'
Waiting for new spool file
Opened spool file '/var/log/snort/snort_dmz2.log.1399902485'
05/12-17:48:05.783972 [**] [124:1:1] <dmz2> smtp: Attempted command buffer overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
05/12-17:48:05.815952 [**] [124:1:1] <dmz2> smtp: Attempted command buffer overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
ERROR: database mysql_error: Duplicate entry '1-2' for key 'PRIMARY'
SQL=[INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 2, 253, '2014-05-12 17:48:05');]
Fatal Error, Quitting..
Barnyard2 exiting
database: Closing connection to database "snort"
database: Closing connection to database "snort"
===============================================================================
Record Totals:
Records: 3
Events: 1 (33.333%)
Packets: 2 (66.667%)
Unknown: 0 (0.000%)
Suppressed: 0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
ETH: 2 (100.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 2 (100.000%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 2 (100.000%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
IPv4/IPv4: 0 (0.000%)
IPv4/IPv6: 0 (0.000%)
IPv6/IPv4: 0 (0.000%)
IPv6/IPv6: 0 (0.000%)
GRE: 0 (0.000%)
GRE ETH: 0 (0.000%)
GRE VLAN: 0 (0.000%)
GRE IPv4: 0 (0.000%)
GRE IPv6: 0 (0.000%)
GRE IP6 E: 0 (0.000%)
GRE PPTP: 0 (0.000%)
GRE ARP: 0 (0.000%)
GRE IPX: 0 (0.000%)
GRE LOOP: 0 (0.000%)
MPLS: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)
Total: 2
===============================================================================
Closing spool file '/var/log/snort/snort_dmz2.log.1399902485'. Read 3 records
cool-ids#

What is happening? What can I do with it? It's a fresh and empty DB that is populated when barnyard2 starts, but it fails in no more than 5 records with a Duplicate entry error.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
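Jeremy Hoel's reply describes two tasks updating the table at nearly the same time; as an added example (not from the thread and not barnyard2 code), this Python sketch flags a barnyard2.conf in which more than one `output database` line targets the same database, and models two writers that share a sensor id colliding on the (sid, cid) primary key of `event`. Assumptions: the function names, the `Writer` model with per-writer cid counters, and reading the two `sensor cid` values in the posted startup log as each writer's next cid; the sample config is constructed from the one posted.

```python
import re
import sqlite3

# Constructed sample, trimmed from the barnyard2.conf posted in the thread.
SAMPLE_CONF = """\
input unified2
output alert_fast: stdout
output database: alert, mysql, user=snort password=mypw dbname=snort host=5.5.5.5
output database: log, mysql, user=snort password=mypw dbname=snort host=5.5.5.5
"""

def shared_db_outputs(conf_text):
    """Map (host, dbname) -> facilities, for databases written by more than one output."""
    targets = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*output\s+database:\s*(\w+)\s*,\s*\w+\s*,\s*(.*)", line)
        if m:
            opts = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
            targets.setdefault((opts.get("host"), opts.get("dbname")), []).append(m.group(1))
    return {k: v for k, v in targets.items() if len(v) > 1}

class Writer:
    """Assumed model (not barnyard2 code): each writer keeps its own cid counter."""
    def __init__(self, db, sid, next_cid):
        self.db, self.sid, self.next_cid = db, sid, next_cid

    def insert(self, signature):
        key = (self.sid, self.next_cid)
        self.db.execute("INSERT INTO event (sid, cid, signature) VALUES (?, ?, ?)",
                        key + (signature,))
        self.next_cid += 1
        return key

def first_collision(events=2):
    """Feed each event to both writers; return the (sid, cid) the table rejects."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE event (sid INT, cid INT, signature INT, "
               "PRIMARY KEY (sid, cid))")
    # Start values 1 and 2 mirror the two 'sensor cid' lines in the posted log;
    # treating them as each writer's next cid is an assumption.
    writers = [Writer(db, 1, 1), Writer(db, 1, 2)]
    for _ in range(events):
        for w in writers:
            try:
                w.insert(253)
            except sqlite3.IntegrityError:
                return (w.sid, w.next_cid)
    return None

if __name__ == "__main__":
    print(shared_db_outputs(SAMPLE_CONF))  # database targeted by both facilities
    print(first_collision())               # key rejected by the PRIMARY KEY
```
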
Current thread:
- mysql_error: Duplicate entry 1-2 for key PRIMARY table event c0re (May 14)
- Re: mysql_error: Duplicate entry 1-2 for key PRIMARY table event Jeremy Hoel (May 14)
- Re: mysql_error: Duplicate entry 1-2 for key PRIMARY table event beenph (May 24)