Barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0]



  • Hi there,

    I'm trying to get barnyard2 to output snort data to a database.

    All seems to be set up correctly, no error messages on startup, database connection works, etc.

    Except for any alert triggered, nothing gets written to the DB. Here's an excerpt from the logs:

    Feb 13 14:08:59 gw16-a1 snort[99539]: [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.254.9.16:36423 -> 190.93.245.58:80
    Feb 13 14:08:59 gw16-a1 snort[99539]: [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.254.9.16:36423 -> 190.93.245.58:80
    Feb 13 14:09:00 gw16-a1 barnyard2[439]: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x4406c00], information has not been outputed.
    Feb 13 14:09:00 gw16-a1 barnyard2[439]: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x4406c00], information has not been outputed.
    

    The centre bit (Called with Event[0x0] Event Type [0]) pops up a few times online, but none of the suggested fixes (e.g. this one) did the trick.

    Any ideas?


    My install: Latest PFsense release and snort package from the GUI package manager.

    pfSense 2.2-RELEASE-pfSense (amd64)
    Snort Version 2.9.7.0 GRE (Build 149) FreeBSD
    Barnyard Version 2.1.13 (Build 327) IPv6

    
    ## General Barnyard2 settings ##
    config quiet
    config daemon
    config decode_data_link
    config alert_with_interface_name
    config event_cache_size:    8192
    config show_year
    config archivedir:          /var/log/snort/snort_bce036821/barnyard2/archive
    config reference_file:      /usr/pbi/snort-amd64/etc/snort/snort_36821_bce0/reference.config
    config classification_file: /usr/pbi/snort-amd64/etc/snort/snort_36821_bce0/classification.config
    config sid_file:            /usr/pbi/snort-amd64/etc/snort/snort_36821_bce0/sid-msg.map
    config gen_file:            /usr/pbi/snort-amd64/etc/snort/snort_36821_bce0/gen-msg.map
    config hostname:            the.host.name
    config interface:           bce0
    config waldo_file:          /var/log/snort/snort_bce036821/barnyard2/36821_bce0.waldo
    config logdir:              /var/log/snort/snort_bce036821
    
    input unified2
    
    ## Setup output plugins ##
    # database: log to a MySQL DB
    output database: log, mysql, user=root password=bla dbname=blub host=192.168.10.200
    
    
    ...
    # Snort Output Logs #
    output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority
    output alert_syslog: LOG_AUTH LOG_ALERT
    output unified2: filename snort_36821_bce0.u2, limit 16M, appid_event_types
    ...
    


  • Ok, phew, found the culprit.

    It seems that the issue arises only when I have Application ID Detection enabled (in the snort device's pre-processor tab). If I disable it, then the warnings go away and the events are correctly logged to the DB.

    And indeed, this post confirms this.

    Now, it would still be great to use the pre-processor and resulting app-stats. Is there a way of using it, but without setting the appid_event_types option on the output unified2 statement?

    Thanks for any comments / insights!



  • @floz:

    Ok, phew, found the culprit.

    It seems that the issue arises only when I have Application ID Detection enabled (in the snort device's pre-processor tab). If I disable it, then the warnings go away and the events are correctly logged to the DB.

    And indeed, this post confirms this.

    Now, it would still be great to use the pre-processor and resulting app-stats. Is there a way of using it, but without setting the appid_event_types option on the output unified2 statement?

    Thanks for any comments / insights!

    I don't believe so.  The APP ID preprocessor apparently is logging events to the Unified2 file whenever APP ID is enabled.  Barnyard2 looks to be choking on those events.  This is an upstream problem for the Barnyard2 and Snort folks to sort out.

    Bill
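
A quick way to confirm the diagnosis above on your own box is to tally the record types in the unified2 spool barnyard2 is reading and see whether anything outside the classic event/packet/extra-data set is present. The script below is an added example, not part of this thread or of the Snort/barnyard2 projects; the unified2 record header layout (big-endian type and length) is from the format spec, while the AppID record type numbers are an assumption you should check against Unified2_common.h in your Snort source tree.

```python
import struct
import sys
from collections import Counter

# Record types barnyard2 2.1.13 is known to decode (from Unified2_common.h).
CLASSIC_TYPES = {
    2: "UNIFIED2_PACKET",
    7: "UNIFIED2_IDS_EVENT",
    72: "UNIFIED2_IDS_EVENT_IPV6",
    104: "UNIFIED2_IDS_EVENT_VLAN",
    105: "UNIFIED2_IDS_EVENT_IPV6_VLAN",
    110: "UNIFIED2_EXTRA_DATA",
}
# ASSUMPTION: record types emitted by the appid preprocessor when
# appid_event_types is set. Verify the numbers in your Snort headers.
APPID_TYPES = {111: "UNIFIED2_IDS_EVENT_APPID",
               112: "UNIFIED2_IDS_EVENT_APPID_IPV6",
               113: "UNIFIED2_IDS_EVENT_APPSTAT"}

HEADER = struct.Struct("!II")  # every record starts with type, length (network order)

def iter_records(data: bytes):
    """Yield (type, body) for each record; raise on a truncated spool."""
    off = 0
    while off + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, off)
        off += HEADER.size
        if off + rlen > len(data):
            raise ValueError(f"truncated record type {rtype} at offset {off - HEADER.size}")
        yield rtype, data[off:off + rlen]
        off += rlen

def summarize(data: bytes) -> dict:
    """Split record counts into classic, appid and unrecognised types."""
    counts = Counter(rtype for rtype, _ in iter_records(data))
    return {
        "classic": {t: n for t, n in counts.items() if t in CLASSIC_TYPES},
        "appid": {t: n for t, n in counts.items() if t in APPID_TYPES},
        "unknown": {t: n for t, n in counts.items()
                    if t not in CLASSIC_TYPES and t not in APPID_TYPES},
    }

def build_record(rtype: int, body: bytes) -> bytes:
    return HEADER.pack(rtype, len(body)) + body

# Constructed sample spool (bodies are zero-filled placeholders of plausible size).
SAMPLE_SPOOL = (build_record(7, bytes(52)) + build_record(2, bytes(28))
                + build_record(111, bytes(64)) + build_record(999, bytes(4)))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SPOOL
    print(summarize(data))
```

Run it against the spool named in your `output unified2:` line; a non-empty "appid" or "unknown" bucket alongside the barnyard2 warnings points at records the database plugin cannot map to an event.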