Re: Barnyard2 process stops when [gid :124] [sid: 1] [upd_rev: 1] fires

[Avery Rozar <Avery.Rozar () i-techsupport com>]

I did upgrade from 2.1.9, but at that time it was not writing to a db, it
was writing to a file and shipping the alerts to an indexer instead. The
db stuff is new. I do have 4 instances of snort/barnyard combo on this box
writing to the same db, could this be an issue? The reason for this is
provide 4 ³zones² for the IPS. I¹m referring to a  ³zone² as an inline
interface pair(dna0:dna1,dna2:dna3 and so on). If this is not the ideal
way to accomplish this, what would be the best way?

Thanks for your help!

On 7/30/14, 7:32 PM, "beenph" <beenph () gmail com> wrote:

> Did you upgrade from 2-1.9 or 2-1.10-12 ?
>
> If so you might want to delete all preprocessor in the signature table
> where sig_class is 0 OR sig_priority is 0;
>
> 1. DELETE FROM signature sig_gid > 1 AND (sig_class_id = 0 or
> sig_priority = 0)
>
> Or
>
> run the update manually
> 2. UPDATE signature WHERE sig_id=166 SET sig_class_id=12,sig_priority=1;
>
>
> Before choosing any option do this (to see the state of the table);
>
> SELECT sig_gid,sig_sid,sig_name FROM signature WHERE sig_class = 0 OR
> sig_priority = 0 AND sig_gid > 1
>
>
> And then you could run this to see how many event would be affected by
> the delete.
>
> SELECT a.sid,a.cid,a.count(*) FROM event AS a,(SELECT
> sig_id,sig_gid,sig_sid FROM signature WHERE sig_class = 0 OR
> sig_priority = 0 AND sig_gid > 1) AS b
> WHERE a.sid = b.sid GROUP by a.sid,a.cid;
>
>
>
>
> On Wed, Jul 30, 2014 at 7:54 AM, Avery Rozar
> <Avery.Rozar () i-techsupport com> wrote:
> > SELECT * FROM signature WHERE sig_gid = 124 and sig_sid=1;
> >
> >  sig_id |                sig_name                 | sig_class_id |
> > sig_priority | sig_rev | sig_sid | sig_gid
> >
> > 166 | smtp: Attempted command buffer overflow |            0 |
> > 0 |       1 |       1 |     124
> > (1 row)
> >
> >
> >
> >
> >
> > On 7/29/14, 7:13 PM, "beenph" <beenph () gmail com> wrote:
> >
> > > SELECT * FROM signature WHERE sig_gid = 124 and sig_sid=1;
> > >
> > >
> > >
> > > On Tue, Jul 29, 2014 at 7:41 AM, Avery Rozar
> > > <Avery.Rozar () i-techsupport com> wrote:
> > > > VERSION INFO
> > > >
> > > > CentOS 6.5
> > > > PostgreSQL 8.4.20
> > > > Barnyard2 2.1.13 (Build 327)
> > > > Snort 2.9.5.6 GRE (Build 208)
> > > >
> > > > ERROR MESSAGE
> > > >
> > > > ERROR database: database: postgresql_error: ERROR:  permission denied
> > > > for relation signature#012
> > > > ERROR database: calling Insert() in [dbSignatureInformationUpdate()]
> > > > [dbProcessSignatureInformation()] Line[1556], call to
> > > > dbSignatureInformationUpdate failed for : #012[gid :124] [sid: 1]
> > > > [upd_rev: 1] [upd class: 12] [upd pri 1]
> > > > FATAL ERROR: [dbProcessSignatureInformation()]: Failed, stoping
> > > > processing
> > > >
> > > > During the middle of operation if the smtp pre-proccesor fires
> > > > Barnyard2 dies with this error. And if I restart the process it gives
> > > > the same error and stops. If I restart snort, remove the waldo file and
> > > > then start Barntard2 it works fine until this pre-proccesor fires
> > > > again.
> > > > Has anyone seen this before?
> > > >
> > > > Thanks,
> > > > Avery
> > > >
> > > >
> > > > -----------------------------------------------------------------------
> > > > --
> > > > -----
> > > > Infragistics Professional
> > > > Build stunning WinForms apps today!
> > > > Reboot your WinForms applications with our WinForms controls.
> > > > Build a bridge from your legacy apps to the future.
> > > >
> > > > http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.c
> > > > lk
> > > > trk
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > Snort news!


------------------------------------------------------------------------------
Infragistics Professional
Build stunning WinForms apps today!
Reboot your WinForms applications with our WinForms controls. 
Build a bridge from your legacy apps to the future.
http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!