Snort mailing list archives

Snort, barnyard2, snorby issue


From: Florian Knorn <florian () knorn org>
Date: Fri, 6 Mar 2015 10:51:27 +0100

Hi,

I believe there was a post about this same issue before
(http://seclists.org/snort/2014/q4/40).

Sporadically, barnyard2 crashes after some failed DB transaction. Most
of the time it works fine, sometimes some transactions fail (but don’t
crash barnyard), but sometimes they do.

Snort/barnyard2 are running from the latest pfSense package. I’ve
installed snorby following the relevant parts from this guide:
http://virtuallyhyper.com/2014/04/snort-debian/. So barnyard is
writing to the database as prepared / created by snorby.

Thanks for any pointers!

Here’s an example of one that didn’t crash barnyard:

Mar 6 02:54:50barnyard2[153]: WARNING database [Database()]: End of
failed transaction block
Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
[3] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst,
ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl,
ip_proto, ip_csum) VALUES
(5,253,<not-telling><not-telling>,4,5,0,40,42410,0,0,127,6,57460);]
Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
[2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport,
tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win,
tcp_csum, tcp_urp) VALUES
(5,253,4904,80,2911421922,1430277470,5,0,16,65417,4376,0);]
Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
[1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp)
VALUES (5, 253, 58713, '2015-03-06 02:54:44');]
Mar 6 02:54:50barnyard2[153]: WARNING database: [Database()] Failed
transaction with current query transaction
Mar 6 02:54:50barnyard2[153]: [Database()]: Insertion of Query [INSERT
INTO event (sid,cid,signature,timestamp) VALUES (5, 253, 58713,
'2015-03-06 02:54:44');] failed

Here’s an example of one that CRASHES barnyard:

Mar 6 03:50:54barnyard2[153]: Barnyard2 exiting
Mar 6 03:50:54barnyard2[153]: FATAL ERROR: database Unable to rollback
transaction in [Database()]
Mar 6 03:50:54barnyard2[153]: [RollbackTransaction(): Call failed, we
reached the maximum number of transaction error [10]
Mar 6 03:50:54barnyard2[153]: WARNING database [Database()]: End of
failed transaction block
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
[6] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst,
ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl,
ip_proto, ip_csum) VALUES
(5,259,<not-telling>,<not-telling>,4,5,0,60,49293,0,0,63,6,32628);]
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
[5] Failed Query Body [INSERT INTO opt
(sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
(5,259,4,6,3,1,'07');]
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
[4] Failed Query Body [INSERT INTO opt
(sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
(5,259,2,6,8,8,'5C7D05F600000000');]
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
[3] Failed Query Body [INSERT INTO opt
(sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
(5,259,0,6,2,2,'05B4');]
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
[2] Failed Query Body [INSERT INTO tcphdr (sid, cid, tcp_sport,
tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win,
tcp_csum, tcp_urp) VALUES
(5,259,59772,22,1147913595,0,10,0,2,5840,57224,0);]
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
[1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp)
VALUES (5, 259, 74262, '2015-03-06 03:50:49');]
Mar 6 03:50:54barnyard2[153]: WARNING database: [Database()] Failed
transaction with current query transaction
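
A triage sketch for log excerpts like the two above, added here as an example; it is not part of the original post or of barnyard2. The names `records` and `summarize` are hypothetical, and treating records that share a timestamp and PID as one failed transaction block is an assumption.

```python
import re

# Constructed sample: a few records copied from the post, most still wrapped as mailed.
SAMPLE = """\
Mar 6 02:54:50barnyard2[153]: WARNING database: Failed Query Position
[1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp)
VALUES (5, 253, 58713, '2015-03-06 02:54:44');]
Mar 6 03:50:54barnyard2[153]: FATAL ERROR: database Unable to rollback transaction in [Database()]
Mar 6 03:50:54barnyard2[153]: [RollbackTransaction(): Call failed, we
reached the maximum number of transaction error [10]
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
[3] Failed Query Body [INSERT INTO opt
(sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) VALUES
(5,259,0,6,2,2,'05B4');]
Mar 6 03:50:54barnyard2[153]: WARNING database: Failed Query Position
[1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp)
VALUES (5, 259, 74262, '2015-03-06 03:50:49');]
"""

HEAD = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s*barnyard2\[(\d+)\]:\s*(.*)$")
QUERY = re.compile(r"Failed Query Position \[\d+\] Failed Query Body \[INSERT INTO (\w+)")
EVENT = re.compile(r"INSERT INTO event .*VALUES \((\d+), *(\d+), *(\d+)")
LIMIT = re.compile(r"maximum number of transaction error \[(\d+)\]")

def records(text):
    """Rejoin mail-wrapped lines into one syslog record each; skip text before the first record."""
    out = []
    for line in text.splitlines():
        line = line.lstrip(",").strip()  # tolerate a stray leading comma from copy/paste
        if HEAD.match(line):
            out.append(line)
        elif out and line:
            out[-1] += " " + line
    return out

def summarize(text):
    """Group records by (timestamp, pid) and flag the blocks that ended in a fatal rollback."""
    blocks = {}
    for rec in records(text):
        stamp, pid, msg = HEAD.match(rec).groups()
        b = blocks.setdefault((stamp, pid), {"tables": [], "event": None, "fatal": False, "limit": None})
        if q := QUERY.search(msg):
            b["tables"].append(q.group(1))  # table whose INSERT was rolled back
        if e := EVENT.search(msg):  # (sid, cid, signature) of the alert that was not stored
            b["event"] = tuple(map(int, e.groups()))
        if lim := LIMIT.search(msg):
            b["limit"] = int(lim.group(1))
        b["fatal"] = b["fatal"] or "FATAL ERROR" in msg
    return blocks
```

Calling `summarize()` on a saved system log gives one entry per failed block, so the `(sid, cid, signature)` of each lost alert can be checked against the `event` table.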
