Barnyard not starting after Snort rules update
-
I am seeing this on my production box. Again today, two of the three Barnyard2 processes were not restarted when I checked. Will dig into it and see if I can find what's up. Hopefully it's something simple.
Bill
-
Hmm, I also get only 1 started and 2 not…
Maybe it just stops after the 1st Barnyard is started?
-
Well, no problems with Barnyard2 restarts on all interfaces with the last rule updates. Seems random maybe ???
-
Mine didn't start at all this morning; one interface I can't even start manually…
Maybe it's the Waldo file? If I get it correctly, during the updates Snort/Barnyard stops and afterwards, when Snort/Barnyard starts again, anything inside the Waldo file is sent to the SQL server.
Also getting this error:
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='11';]
I am going to empty all Barnyard tables and see what will happen.
Edit: After rebuilding the SQL tables, the biggest Snort interface won't start Barnyard, same database error as before.
-
The database error is of course a Barnyard2 thing. I think that is not uncommon when it sort of crashes (Barnyard, that is). The version of Barnyard2 was bumped to 2.12 back when the Snort binary was bumped to 2.9.4.1. That was back when the 2.5.4 version of the Snort package was released toward the end of March.
Did your Barnyard2 troubles start just this last week, or have they existed since late March? Trying to see if they are related to the Barnyard2 version bump or to the latest round of GUI changes pushed out on April 9.
Bill
-
In fixing another bug in the Rules Update code Saturday afternoon, I stumbled upon a copy-paste error that might be responsible for the sporadic failures of Barnyard2 to restart following an automatic rules update. The error caused a filename to be written incorrectly. Let's see if this helps the Barnyard2 problem.
To pick up this latest update, go the Installed Packages tab and click either the pkg or xml icon to reinstall the Snort GUI components. The package version number was not incremented this time, so it will still show 2.5.5. But if you reinstall the GUI components, you will pick up the corrected code.
Bill
-
Did a "user" update from Snort 2.9.4.1 pkg v. 2.5.4 to v. 2.5.5 (works perfectly!)
After the package installation updated the rules and started the sensors one by one. One sensor still didn't work: the Barnyard MySQL settings were gone (?!).
Filled them in again and now everything is running again! Don't know why and how the settings were missing, but I do know I never changed them and they worked before, at least until the Snort registered rules updated; after that it stopped somehow.
The settings on the other two interfaces are still there. I will let you know what happens after the automatic update and after some events.
Edit: Of course I also checked if all other settings were still there: Yes they were.
-
All events are now listed twice. Happens to each interface.
Cleared all lists, cleared blocked list, still all events are listed twice.
-
Twice in the System Logs or twice in your MySQL database? If the system logs, that's a normal quirk of pfSense. If your database, then I would surmise you have two separate instances of Barnyard2 reading the same unified2 log file. In other words, that would mean two instances of Barnyard2 going against the same Snort interface. I would shut down all your Snort interfaces, then do a "pgrep" for any running Barnyard2 processes and kill those. Then start everything up again.
By the way, on the Snort Interfaces tab, there is pretty much never a reason to use the start/stop icon next to Barnyard in the table. Starting and stopping Snort using the icon beside the Snort entry in the table will automatically start/stop Barnyard2 as well (if enabled).
Bill
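The check Bill describes above (two Barnyard2 instances reading the same unified2 spool file for one Snort interface) can be scripted instead of eyeballing pgrep output. The script below is an added example, not code from the pfSense Snort package or from this thread. It assumes only that each Barnyard2 process was started with Barnyard2's `-d <spool directory>` and `-f <spool base filename>` options, and it groups processes by that pair; the PIDs, paths and interface names in the sample input are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the pfSense Snort package or from this thread).
# Barnyard2 reads unified2 spool files named by "-d <spool dir>" and "-f <base name>";
# two barnyard2 processes with the same pair are two readers on one Snort interface.

# Report spool files that have more than one barnyard2 reader.
# Input on stdin: lines in the shape of "ps -axww -o pid,args" output.
# Output: "<dir>/<base name> <pid> <pid>..." per duplicated spool file.
duplicate_u2_readers() {
    awk '
    $2 ~ /barnyard2$/ {
        pid = $1; dir = ""; file = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-d") dir = $(i + 1)
            if ($i == "-f") file = $(i + 1)
        }
        if (dir == "" || file == "") next
        key = dir "/" file
        n[key]++
        pids[key] = (pids[key] == "" ? pid : pids[key] " " pid)
    }
    END { for (k in n) if (n[k] > 1) print k, pids[k] }
    ' | sort
}

# For every duplicated spool file, list every reader after the first one,
# i.e. the PIDs you would kill to get back to one Barnyard2 per interface.
stray_pids() {
    duplicate_u2_readers | awk '{ for (i = 3; i <= NF; i++) print $i }'
}

# Constructed sample (PIDs and paths are made up for the demonstration):
# interface em1 has two barnyard2 readers, em2 has one, and the snort line is ignored.
SAMPLE_PS='12300 /usr/local/bin/snort -D -i em1 -c /usr/local/etc/snort/snort_em1/snort.conf
12345 /usr/local/bin/barnyard2 -D -c /usr/local/etc/snort/snort_em1/barnyard2.conf -d /var/log/snort/snort_em1 -f snort_em1.u2 -w /var/log/snort/snort_em1/barnyard2.waldo
12399 /usr/local/bin/barnyard2 -D -c /usr/local/etc/snort/snort_em1/barnyard2.conf -d /var/log/snort/snort_em1 -f snort_em1.u2 -w /var/log/snort/snort_em1/barnyard2.waldo
12400 /usr/local/bin/barnyard2 -D -c /usr/local/etc/snort/snort_em2/barnyard2.conf -d /var/log/snort/snort_em2 -f snort_em2.u2 -w /var/log/snort/snort_em2/barnyard2.waldo'

printf '%s\n' "$SAMPLE_PS" | duplicate_u2_readers

# On a live box, after stopping every Snort interface from the GUI:
#   ps -axww -o pid,args | duplicate_u2_readers
#   for p in $(ps -axww -o pid,args | stray_pids); do kill "$p"; done
```

Grouping on the spool directory plus base filename rather than on the config file path is deliberate: it is the spool file that is being read twice, and that is what produces duplicate rows in the database regardless of which config each instance was started with.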
-
Some events were listed twice in both the System log and the MySQL database, but they are valid. Just ignore my previous message.
Yes, I always use only the Snort Start/Stop button.
FYI: Just updated to 2.0.3 and Snort also installed flawlessly! I think you solved the Barnyard not starting issue. Thanks for all your effort!
If you ever need help testing something, let me know.
-
My Barnyard2 restart problem also seems to be solved. At least the last rules update went off fine. I hope that file copy error I found and fixed over the weekend solved the Barnyard2 problem.
Bill