snort 3.2.9.11 barnyard 2 - hog cpu when database down
-
Hello,
I notice something different with the latest version of Snort and Barnyard.
With the previous version, as soon as the database went offline, the Barnyard service of the interface stopped. With the latest version, I have shut down the database but the service of the interface remains started and CPU is at high usage. I had to manually stop the service...
I haven't dug further... maybe a bug?
-
Not really a bug as much as Barnyard2 is essentially completely unsupported now by a maintainer in FreeBSD ports. There have been no updates to the Barnyard2 binary source code in years. The MySQL and other database connectivity parts of Barnyard2 are woefully outdated now. The MySQL database connector it is using is many versions old and has a number of unpatched (and won't be patched) vulnerabilities. But Barnyard2 code would need updating to use the newer MySQL DB client. Without a FreeBSD ports maintainer, that is not happening.
I've been encouraging users to find another solution and abandon Barnyard2. At some point soon I will have to pull it from the Snort package due to the non-support in FreeBSD ports.
The upstream Suricata team is already removing the unified2 binary logging format that Barnyard2 needs from Suricata. So the Barnyard2 support in Suricata will be removed later this year.
-
Yes, I know, but I was so happy to see Barnyard2 working with the database (it had a problem with the schema and it was too hard for me to fix, but an ipk update solved that recently in the last pfSense ;) ... so I can enjoy stats for Snort in "snorby" (another end-of-life product...).
I looked for other programs to replace it, but they need a large amount of RAM ... telegraf to elastic search / grafana / kibana ... I must use another computer just for that (maybe a Raspberry, I don't know ... something with low energy consumption).
So I'm stuck with my old monitoring tools for now ;) until you remove Barnyard from pfSense.
Anyway, thanks for your answer bmeeks! Have a nice day!