Fixed - Barnyard2 Activating / Deactivating on some interfaces with Snort/Snorby
-
EDIT: I think I have resolved this by ticking "Disable synchronization of sig_reference table in schema." under LAN and DMZ in MySQL Database Output Settings under the Barnyard2 tab. See Bill's post here -> https://forum.pfsense.org/index.php?action=post;quote=429437;topic=75357.0;last_msg=503134
Hi,
I have 3 interfaces in pfSense being monitored by Snort/Snorby, with only one of them, the WAN interface, set to block. The other two interfaces, LAN and DMZ, are monitored only. I can turn on Barnyard2 and correctly receive updates in Snorby via the WAN interface by using the MySQL details on the Snorby server that I set up to match the Barnyard2 settings in pfSense.
However, if I use the same credentials I use on the WAN interface on the LAN and DMZ interfaces in Snort within Barnyard2, I see the green arrow to indicate Barnyard2 is working and the LAN and DMZ interfaces appear in Snorby, but no alerts.
Then, after 3 minutes, in the Snort Interfaces tab in pfSense, Barnyard2 switches back to a red X to indicate it is not running on LAN and DMZ, but it still shows enabled. WAN stays working throughout.
Am I missing something here? Can I not use the same database or credentials etc.? Any pointers would be appreciated.
Log file:-
Nov 4 15:28:33 barnyard2[35146]: database: Closing connection to database "xxxxx"
Nov 4 15:28:33 barnyard2[35146]: Barnyard2 exiting
Nov 4 15:28:33 barnyard2[35146]: FATAL ERROR: database mysql_error: Duplicate entry '26786-2' for key 'PRIMARY' SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('20971','26786','2');]
-
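A small check for the failure mode quoted above, as an added example that is not part of any post in this thread: it scans Barnyard2 syslog lines for the duplicate-key fatal error, records which instance (pid) died on which table and key, and reports keys that more than one instance tried to insert into the shared database. The log lines are constructed from the single one quoted in the post; the extra pids and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Barnyard2 syslog lines quoted in the post.
# pids 35150 and 35201 and their timestamps are invented for illustration.
SAMPLE_LOG = """\
Nov 4 15:28:33 barnyard2[35146]: database: Closing connection to database "xxxxx"
Nov 4 15:28:33 barnyard2[35146]: Barnyard2 exiting
Nov 4 15:28:33 barnyard2[35146]: FATAL ERROR: database mysql_error: Duplicate entry '26786-2' for key 'PRIMARY' SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('20971','26786','2');]
Nov 4 15:31:02 barnyard2[35150]: FATAL ERROR: database mysql_error: Duplicate entry '26786-2' for key 'PRIMARY' SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('20971','26786','2');]
Nov 4 15:31:02 barnyard2[35150]: Barnyard2 exiting
Nov 4 15:40:00 barnyard2[35201]: database: Closing connection to database "xxxxx"
"""

# syslog prefix: timestamp, program name with pid, then the message body
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) barnyard2\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# the MySQL duplicate-key fatal error, capturing the offending value, key and table
DUP_RE = re.compile(
    r"FATAL ERROR: database mysql_error: Duplicate entry '(?P<entry>[^']*)' "
    r"for key '(?P<key>[^']*)' SQL=\[INSERT INTO (?P<table>\w+)"
)


def parse(text):
    """Return {pid: record} for every Barnyard2 instance that hit a duplicate-key error.

    Each record carries the parsed error under 'fatal' and whether the same pid
    also logged 'Barnyard2 exiting' (lines may arrive in either order, as above)."""
    instances = defaultdict(lambda: {"exited": False, "fatal": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = instances[m.group("pid")]
        msg = m.group("msg")
        d = DUP_RE.search(msg)
        if d:
            rec["fatal"] = {"ts": m.group("ts"), **d.groupdict()}
        elif msg == "Barnyard2 exiting":
            rec["exited"] = True
    return {pid: rec for pid, rec in instances.items() if rec["fatal"]}


def shared_keys(failures):
    """(table, entry) pairs reported by more than one pid: several instances are
    writing the same sig_reference rows into one database."""
    by_entry = defaultdict(set)
    for pid, rec in failures.items():
        by_entry[(rec["fatal"]["table"], rec["fatal"]["entry"])].add(pid)
    return {k: sorted(v) for k, v in by_entry.items() if len(v) > 1}
```

When the only table reported is sig_reference, the per-interface "Disable synchronization of sig_reference table in schema." setting mentioned in the EDIT above is the relevant knob to check.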
It will stay fixed for a while, but my guess is you will randomly find Barnyard2 stopped again with a DB error. That was the problem that finally drove me to disable it on my home firewall. There is also an issue of it maxing out the CPU for almost 30 minutes after each rule package update as it churns away updating some DB tables. This weird behavior all seemed to have started with the 2.1.3 Barnyard2 update quite a while back.
I have not given up on Barnyard2 forever, but in the short term I decided to invest my time in some other things and pull BY2 off my firewall.
Bill
-
Hi Bill,
I know this is an old thread... but this still seems to exist. Running a Netgate RCC-VE-2440 with 4 Snort and Barnyard2 instances, with 3 running in lowmem and one in ac-bnfa. This is the CPU on the once-daily rule update/reload for the last month via SNMP, if you are interested, although I see you have uninstalled it from your firewall at this point. It ramps the CPU for at least 30 minutes, like you have seen in the past. This is running 2.2.6 and Snort 2.8.7.6 pkg 3.2.9.1 btw... FYI, and sorry for dredging up an old thread.
-
Yep, that big spike in CPU consumption is exactly what I saw on my home firewall. Something is weird inside Barnyard2 in my opinion, but like I said, I have not delved into the code to see if I can find out what it is.
Bill