Re: Snort, barnyard2, snorby issue

["Matheus Condi'ez" <conma293 () gmail com>]

Joey,

you get this fixed??

I run into this issue on one of my sensors also... tell me is this your
only snort instance going to the snorbydb?? and also did you ever 'delete
the sensor' from within the snorby GUI ?

On Fri, Oct 3, 2014 at 9:27 PM, Joey Moe <jmoe () penguingeek net> wrote:

>  This is my first time posting in the community, and I have googled
> extensively and read through tons of forums entries where I've seen others
> posting about this same issue, but haven't found the solution yet.
>
> PROBLEM: snort runs fine. I can watch output in verbose mode and and if I
> run `watch ls -lah /logs/dir` (where /logs/dir in my log directory), I can
> see both snort.u2.XXXXXXXXXX file and barnyard2.waldo being populated.
>
> but running barnyard2 i receive the following constant errors:
>
> *[Database()]: Insertion of Query [INSERT INTO event
> (sid,cid,signature,timestamp) VALUES (1, 121, 2, '2014-10-01 01:53:15');]
> failed*
> *WARNING database: [Database()] Failed transaction with current query
> transaction *
> * WARNING database: Failed Query Position [1] Failed Query Body [INSERT
> INTO event (sid,cid,signature,timestamp) VALUES (1, 121, 2, '2014-10-01
> 01:53:15');] *
> *WARNING database: Failed Query Position [2] Failed Query Body [INSERT
> INTO udphdr (sid, cid, udp_sport, udp_dport, udp_len, udp_csum) VALUES (1,
> 121, 53, 11403, 207, 16168);] *
> *WARNING database: Failed Query Position [3] Failed Query Body [INSERT
> INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len,
> ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES
> (1,121,3455829973,3232236175 <3232236175>,4,5,32,227,0,0,0,55,17,59873);] *
> *WARNING database: Failed Query Position [4] Failed Query Body [INSERT
> INTO data (sid,cid,data_payload) VALUES
> (1,121,'79B684000001000100040001037777770B746872656174737461636B03636F6D0000010001C00C000100010000012C000442E42EA3C010000200010002A3000017076E732D3130333509617773646E732D3031036F726700C010000200010002A3000014076E732D3133373209617773646E732D3433C053C010000200010002A3000019076E732D3230303509617773646E732D353802636F02756B00C010000200010002A3000013066E732D33373609617773646E732D3437C01C0000291000000000000000');]
> *
> *WARNING database [Database()]: End of failed transaction block *
>
> This continues until finally barnyard2 dies with the following error:
>
> *[RollbackTransaction(): Call failed, we reached the maximum number of
> transaction error [10] *
> *ERROR: database Unable to rollback transaction in [Database()]*
> *Fatal Error, Quitting..*
> *Barnyard2 exiting*
> *[RollbackTransaction(): Call failed, we reached the maximum number of
> transaction error [10] *
> *database: Closing connection to database "snorby"*
>
> I'm using the standard mysql configuration and verified that all database
> tables are innodb, and that the permissions on the database are set
> correctly. I've dropped the database several times as well as the
> barnyard2.waldo file, yet every time it's the same thing. This is the last
> issue I need to resolve and my snort infrastructure will be stable, but as
> it stands right now I feel like I am looking for "a superball in my gas
> tank".
>
> Any help would be greatly appreciated.
>
> --Joey
>
>
> ------------------------------------------------------------------------------
> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
>
> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!