Barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0]
-
Hi there,
I'm trying to get barnyard2 to output snort data to a database.
All seems to be set up correctly, no error messages on startup, database connection works, etc.
Except for any alert triggered, nothing gets written to the DB. Here's an excerpt from the logs:
Feb 13 14:08:59 gw16-a1 snort[99539]: [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.254.9.16:36423 -> 190.93.245.58:80
Feb 13 14:08:59 gw16-a1 snort[99539]: [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.254.9.16:36423 -> 190.93.245.58:80
Feb 13 14:09:00 gw16-a1 barnyard2[439]: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x4406c00], information has not been outputed.
Feb 13 14:09:00 gw16-a1 barnyard2[439]: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x4406c00], information has not been outputed.
The centre bit (Called with Event[0x0] Event Type [0]) pops up a few times online, but none of the suggested fixes (e.g. this one) did the trick.
Any ideas?
My install: Latest PFsense release and snort package from the GUI package manager.
pfSense 2.2-RELEASE-pfSense (amd64)
Snort Version 2.9.7.0 GRE (Build 149) FreeBSD
Barnyard Version 2.1.13 (Build 327) IPv6

## General Barnyard2 settings ##
config quiet
config daemon
config decode_data_link
config alert_with_interface_name
config event_cache_size: 8192
config show_year
config archivedir: /var/log/snort/snort_bce036821/barnyard2/archive
config reference_file: /usr/pbi/snort-amd64/etc/snort/snort_36821_bce0/reference.config
config classification_file: /usr/pbi/snort-amd64/etc/snort/snort_36821_bce0/classification.config
config sid_file: /usr/pbi/snort-amd64/etc/snort/snort_36821_bce0/sid-msg.map
config gen_file: /usr/pbi/snort-amd64/etc/snort/snort_36821_bce0/gen-msg.map
config hostname: the.host.name
config interface: bce0
config waldo_file: /var/log/snort/snort_bce036821/barnyard2/36821_bce0.waldo
config logdir: /var/log/snort/snort_bce036821
input unified2

## Setup output plugins ##
# database: log to a MySQL DB
output database: log, mysql, user=root password=bla dbname=blub host=192.168.10.200

...
# Snort Output Logs #
output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority
output alert_syslog: LOG_AUTH LOG_ALERT
output unified2: filename snort_36821_bce0.u2, limit 16M, appid_event_types
...
-
Ok, phew, found the culprit.
It seems that the issue arises only when I have Application ID Detection enabled (in the snort device's pre-processor tab). If I disable it, then the warnings go away and the events are correctly logged to the DB.
And indeed, this post confirms this.
Now, it would still be great to use the pre-processor and resulting app-stats. Is there a way of using it, but without setting the appid_event_types option on the output unified2 statement?
Thanks for any comments / insights!
-
I don't believe so. The APP ID preprocessor apparently is logging events to the Unified2 file whenever APP ID is enabled. Barnyard2 looks to be choking on those events. This is an upstream problem for the Barnyard2 and Snort folks to sort out.
Bill
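Added example (my own script, not from any poster in this thread and not barnyard2, Snort or pfSense code): a small reader that walks a unified2 spool file, counts the record types it contains, decodes gid:sid:rev from legacy IPv4 IDS events, and flags types barnyard2 2.1.13 would not recognise. This is a direct way to check Bill's reading on your own files: if the spool written with appid_event_types contains AppID record types while the database output stays empty, the warning above is explained by records barnyard2 cannot classify. The record type numbers are as I recall them from Snort's Unified2_common.h and the set of types barnyard2 2.1.13 accepts is an assumption drawn from this thread; verify both against the source trees. The sample bytes are constructed to mirror the [120:8:2] alert from the log excerpt.

```python
"""Count unified2 record types in a spool file and flag the ones barnyard2
2.1.13 does not understand.  Added example, not barnyard2/Snort/pfSense code.
Record-type constants are as I recall them from Snort's Unified2_common.h and
the barnyard2 support set is an assumption; check both against the sources."""
import struct
import sys
from collections import Counter

RECORD_HEADER = struct.Struct(">II")            # type, length (network byte order)
IDS_EVENT_LEGACY = struct.Struct(">11I2H4B")    # Unified2IDSEvent_legacy, 52 bytes

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_MPLS = 99
UNIFIED2_IDS_EVENT_IPV6_MPLS = 100
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110
UNIFIED2_IDS_EVENT_APPID = 111        # AppID-extended events (appid_event_types)
UNIFIED2_IDS_EVENT_APPID_IPV6 = 112
UNIFIED2_IDS_EVENT_APPSTAT = 113      # AppID statistics records

TYPE_NAMES = {
    UNIFIED2_PACKET: "PACKET", UNIFIED2_IDS_EVENT: "IDS_EVENT",
    UNIFIED2_IDS_EVENT_IPV6: "IDS_EVENT_IPV6", UNIFIED2_IDS_EVENT_MPLS: "IDS_EVENT_MPLS",
    UNIFIED2_IDS_EVENT_IPV6_MPLS: "IDS_EVENT_IPV6_MPLS", UNIFIED2_IDS_EVENT_VLAN: "IDS_EVENT_VLAN",
    UNIFIED2_IDS_EVENT_IPV6_VLAN: "IDS_EVENT_IPV6_VLAN", UNIFIED2_EXTRA_DATA: "EXTRA_DATA",
    UNIFIED2_IDS_EVENT_APPID: "IDS_EVENT_APPID",
    UNIFIED2_IDS_EVENT_APPID_IPV6: "IDS_EVENT_APPID_IPV6",
    UNIFIED2_IDS_EVENT_APPSTAT: "IDS_EVENT_APPSTAT",
}

# Assumption: barnyard2 2.1.13 handles these and nothing AppID-related.
BARNYARD2_2_1_13_TYPES = {2, 7, 72, 99, 100, 104, 105, 110}


def parse_records(data):
    """Split a unified2 buffer into (type, payload) records.  Returns the records
    and the number of trailing bytes that do not form a complete record (non-zero
    while Snort is still writing the file), instead of failing on a short tail."""
    records, off = [], 0
    while off + RECORD_HEADER.size <= len(data):
        rtype, length = RECORD_HEADER.unpack_from(data, off)
        if off + RECORD_HEADER.size + length > len(data):
            break
        off += RECORD_HEADER.size
        records.append((rtype, data[off:off + length]))
        off += length
    return records, len(data) - off


def summarize(data):
    """Per-type counts, gid:sid:rev of legacy IPv4 events, the record types
    barnyard2 2.1.13 would not recognise, and the size of any incomplete tail."""
    records, leftover = parse_records(data)
    counts, events = Counter(), []
    for rtype, payload in records:
        counts[rtype] += 1
        if rtype == UNIFIED2_IDS_EVENT and len(payload) == IDS_EVENT_LEGACY.size:
            f = IDS_EVENT_LEGACY.unpack(payload)
            events.append(f"{f[5]}:{f[4]}:{f[6]}")   # generator_id:signature_id:revision
    return {"counts": counts, "events": events,
            "unsupported": set(counts) - BARNYARD2_2_1_13_TYPES, "leftover": leftover}


def build_sample():
    """Constructed spool content: one IPv4 IDS event mirroring the thread's
    [120:8:2] alert, its packet record, and one AppID statistics record."""
    event = IDS_EVENT_LEGACY.pack(
        1, 1, 1423836539, 0,          # sensor_id, event_id, event_second (constructed), usec
        8, 120, 2,                    # signature_id, generator_id, signature_revision
        0, 3,                         # classification_id, priority_id
        0x0AFE0910, 0xBE5DF53A,       # 10.254.9.16 -> 190.93.245.58
        36423, 80,                    # sport_itype, dport_icode
        6, 0, 0, 0,                   # protocol TCP, impact_flag, impact, blocked
    )
    # Unified2Packet header: sensor_id, event_id, event_second, packet_second,
    # packet_microsecond, linktype (1 = Ethernet), packet_length; then packet bytes.
    packet = struct.pack(">7I", 1, 1, 1423836539, 1423836539, 0, 1, 4) + b"\xde\xad\xbe\xef"
    appstat = b"\x00" * 16            # opaque AppStat payload, constructed filler
    return b"".join(RECORD_HEADER.pack(t, len(p)) + p for t, p in (
        (UNIFIED2_IDS_EVENT, event), (UNIFIED2_PACKET, packet),
        (UNIFIED2_IDS_EVENT_APPSTAT, appstat)))


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample()
    s = summarize(data)
    for rtype, n in sorted(s["counts"].items()):
        flag = "" if rtype in BARNYARD2_2_1_13_TYPES else "   <- not handled by barnyard2 2.1.13"
        print(f"type {rtype:>3} {TYPE_NAMES.get(rtype, 'UNKNOWN'):<22} x{n}{flag}")
    print("legacy IPv4 events:", ", ".join(s["events"]) or "none")
    if s["leftover"]:
        print(f"{s['leftover']} trailing bytes without a complete record")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no argument to see the constructed sample, or point it at one of the snort_36821_bce0.u2.<timestamp> files under the logdir from the barnyard2 config above (as root, since the spool is written by Snort). Snort also ships u2spewfoo, which dumps the same records in full; the script here only tallies types so it keeps working on records it cannot decode.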