Snort & Barnyard2 Logging to mySQL - Bug in config file when name contains space
-
Think I have spotted a bug in Barnyard2 in Snort Plugin:
Current environment:
pfSense 2.1.5-RELEASE (i386)
snort 2.9.6.2 pkg v3.1.2
Using Barnyard2 to write from snort on pfSense to a remote mySQL database for Snorby monitoring (on the SecurityOnion distro). The environment has been working fine; however, a recent change (adding an additional Snort interface to be logged to Snorby) triggered some errors (known issues with duplicates in the sig_reference table), which I investigated, and I believe I have uncovered a bug.
Bug: Barnyard2 Sensor Name written to config file as unquoted string when sensor name (General Barnyard2 Settings under Interface barnyard2 tab) contains a space.
Effects:
1: Barnyard2 logs using only first word in sensor name
2: 'Disable synchronization of sig_reference table in schema' is ignored (causing the BY2 process to fail due to signature references being written)
See attachment for a screenshot of the Barnyard2 pfSense settings & Snorby.
This is relevant section of barnyard2.conf for the interface:
## Setup output plugins ##
# database: log to a MySQL DB
output database: log, mysql, user=pfsense password=******** dbname=snorby host=192.168.1.2 sensor_name=pfSense WAN disable_signature_reference_table
This is output in pfSense system log:
Sep 5 12:09:06 pfSense barnyard2[22675]: Barnyard2 exiting
Sep 5 12:09:06 pfSense barnyard2[22675]: FATAL ERROR: database mysql_error: Duplicate entry '9268-1' for key 'PRIMARY' SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('43479','9268','1');]
Sep 5 12:06:43 pfSense barnyard2[22675]: Writing PID "22675" to file "/var/run/barnyard2_em0_vlan66634295.pid"
Sep 5 12:06:43 pfSense barnyard2[22675]: PID path stat checked out ok, PID path set to /var/run
Sep 5 12:06:43 pfSense barnyard2[22675]: Daemon initialized, signaled parent pid: 22348
I think either the sensor name should be written to the barnyard2.conf file as a quoted string (if allowed?) or the input of a sensor name should be validated to not allow spaces. On changing the sensor name to a single word, the logging to Snorby had the correct sensor name and the duplicate sig_reference option was honored.
If this is posted in the incorrect place please let me know and I will post correctly as required for a bug report.
Thanks everyone for their work on this project and plugins.
James
-
Using spaces in *nix is a bad idea. I would prefer to use them because they look clean, but they can cause so many problems in the Unix and Linux OSs… I recommend that you use an underscore instead of a space, ex: pfSense_WAN
I've used them in my setup and haven't had any issues.
-
I will look into putting a quoted string in the Barnyard2 config file, but as Cino noted, spaces in UNIX land are many times a problem waiting to happen. I need to test whether Barnyard2 likes quotes or not in its config file. Hopefully it does not care.
Thanks for the bug report. The amount of detail you provided makes it easy to find and fix.
Bill
-
No problem at all Bill. Thanks for all the work.
Normally I'd not use spaces for exactly this sort of reason but for some reason my thumbs took over on this one and typed a space - The thumbs have been duly admonished, put back in their box and I am now using a sensor name without a space and typing with only eight fingers. But as it got me scratching my head I thought I'd report it as a bug in case another person also has rogue thumbs or it crops up in some other manner.
Cheers
James
-
@Grandmaster:
No problem at all Bill. Thanks for all the work.
Normally I'd not use spaces for exactly this sort of reason but for some reason my thumbs took over on this one and typed a space - The thumbs have been duly admonished, put back in their box and I am now using a sensor name without a space and typing with only eight fingers. But as it got me scratching my head I thought I'd report it as a bug in case another person also has rogue thumbs or it crops up in some other manner.
Cheers
James
I just tested and Barnyard2 itself won't honor any spaces in the config file (even when the string containing them is quoted). So I added validation logic to the SAVE code that checks for spaces in the Sensor Name and throws a validation error if any are found. I was able to sneak this fix into the current Suricata update that is under review by the pfSense developer team. I will also add it to the next Snort update.
Again, thank you for the report.
Bill
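To make the failure mode concrete, here is an added illustration (not code from the pfSense Snort package or from Barnyard2) of why an unquoted sensor name with a space breaks the whitespace-delimited output line, a check you can run against an existing barnyard2.conf to spot the symptom, and the space-rejecting validation Bill describes. The settings dictionary and the stray-token audit are constructed for this example; the known-flag set only contains the keyword that appears in the thread.

```python
import re

# Constructed sample: the broken output line from the thread (password redacted as on the page).
BROKEN_LINE = ("output database: log, mysql, user=pfsense password=******** "
               "dbname=snorby host=192.168.1.2 sensor_name=pfSense WAN "
               "disable_signature_reference_table")

# Bare keywords seen on this line in the thread (assumption: not a complete Barnyard2 list).
KNOWN_FLAGS = {"disable_signature_reference_table"}


def validate_sensor_name(name):
    """The fix described in the thread: reject any sensor name containing whitespace."""
    return bool(name) and re.search(r"\s", name) is None


def audit_output_line(line):
    """Return bare tokens on an 'output database:' line that are neither key=value
    nor a known flag. A sensor name with a space shows up here as its second word
    ('WAN'), because the line is written unquoted and split on whitespace."""
    head, _, body = line.partition(":")
    if head.strip() != "output database":
        return []
    tokens = [t.strip(",") for t in body.split()]
    return [t for t in tokens[2:]  # skip the 'log' and 'mysql' positional tokens
            if "=" not in t and t not in KNOWN_FLAGS]


def render_output_line(settings, disable_sig_ref):
    """Build a line in the same format as the thread's snippet, refusing names that would be split."""
    if not validate_sensor_name(settings["sensor_name"]):
        raise ValueError("Sensor Name must not contain spaces")
    parts = ["output database: log, mysql"]
    parts += ["%s=%s" % (k, settings[k])
              for k in ("user", "password", "dbname", "host", "sensor_name")]
    if disable_sig_ref:
        parts.append("disable_signature_reference_table")
    return " ".join(parts)


if __name__ == "__main__":
    print("stray tokens in broken line:", audit_output_line(BROKEN_LINE))  # ['WAN']
    fixed = {"user": "pfsense", "password": "secret", "dbname": "snorby",
             "host": "192.168.1.2", "sensor_name": "pfSense_WAN"}
    print(render_output_line(fixed, True))
```

Running the audit over every `output database:` line in a deployed barnyard2.conf is a quick way to find any interface whose Sensor Name was saved before the validation fix landed.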