Netgate Discussion Forum

    Barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0]

      floz

      Hi there,

      I'm trying to get barnyard2 to output snort data to a database.

      All seems to be set up correctly, no error messages on startup, database connection works, etc.

      Except for any alert triggered, nothing gets written to the DB. Here's an excerpt from the logs:

      Feb 13 14:08:59 gw16-a1 snort[99539]: [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.254.9.16:36423 -> 190.93.245.58:80
      Feb 13 14:08:59 gw16-a1 snort[99539]: [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.254.9.16:36423 -> 190.93.245.58:80
      Feb 13 14:09:00 gw16-a1 barnyard2[439]: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x4406c00], information has not been outputed.
      Feb 13 14:09:00 gw16-a1 barnyard2[439]: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x4406c00], information has not been outputed.
      

      The centre bit (Called with Event[0x0] Event Type [0]) pops up a few times online, but none of the suggested fixes (e.g. this one) did the trick.

      Any ideas?


      My install: Latest pfSense release and Snort package from the GUI package manager.

      pfSense 2.2-RELEASE-pfSense (amd64)
      Snort Version 2.9.7.0 GRE (Build 149) FreeBSD
      Barnyard Version 2.1.13 (Build 327) IPv6

      
      ## General Barnyard2 settings ##
      config quiet
      config daemon
      config decode_data_link
      config alert_with_interface_name
      config event_cache_size:    8192
      config show_year
      config archivedir:          /var/log/snort/snort_bce036821/barnyard2/archive
      config reference_file:	    /usr/pbi/snort-amd64/etc/snort/snort_36821_bce0/reference.config
      config classification_file: /usr/pbi/snort-amd64/etc/snort/snort_36821_bce0/classification.config
      config sid_file:	    /usr/pbi/snort-amd64/etc/snort/snort_36821_bce0/sid-msg.map
      config gen_file:            /usr/pbi/snort-amd64/etc/snort/snort_36821_bce0/gen-msg.map
      config hostname:            the.host.name
      config interface:           bce0
      config waldo_file:          /var/log/snort/snort_bce036821/barnyard2/36821_bce0.waldo
      config logdir:              /var/log/snort/snort_bce036821
      
      input unified2
      
      ## Setup output plugins ##
      # database: log to a MySQL DB
      output database: log, mysql, user=root password=bla dbname=blub host=192.168.10.200
      
      
      ...
      # Snort Output Logs #
      output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority
      output alert_syslog: LOG_AUTH LOG_ALERT
      output unified2: filename snort_36821_bce0.u2, limit 16M, appid_event_types
      ...
      
        floz

        Ok, phew, found the culprit.

        It seems that the issue arises only when I have Application ID Detection enabled (in the snort device's pre-processor tab). If I disable it, then the warnings go away and the events are correctly logged to the DB.

        And indeed, this post confirms this.

        Now, it would still be great to use the pre-processor and resulting app-stats. Is there a way of using it, but without setting the appid_event_types option on the output unified2 statement?

        Thanks for any comments / insights!

          bmeeks

          @floz:

          > Ok, phew, found the culprit.
          >
          > It seems that the issue arises only when I have Application ID Detection enabled (in the snort device's pre-processor tab). If I disable it, then the warnings go away and the events are correctly logged to the DB.
          >
          > And indeed, this post confirms this.
          >
          > Now, it would still be great to use the pre-processor and resulting app-stats. Is there a way of using it, but without setting the appid_event_types option on the output unified2 statement?
          >
          > Thanks for any comments / insights!

          I don't believe so.  The APP ID preprocessor apparently is logging events to the Unified2 file whenever APP ID is enabled.  Barnyard2 looks to be choking on those events.  This is an upstream problem for the Barnyard2 and Snort folks to sort out.

          Bill
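
One way to confirm which record types are present in the unified2 file discussed in this thread, as an added example (not code from the thread, Snort or Barnyard2): it walks the record headers and lists the types that fall outside a handled set. The type numbers are those defined in Snort 2.9.7's Unified2_common.h; the HANDLED set, the function names and the sample bytes are assumptions constructed for illustration.

```python
import io
import struct
from collections import Counter

# Record type numbers as defined in Snort 2.9.7's Unified2_common.h.
U2_TYPES = {
    2: "PACKET",
    7: "IDS_EVENT",
    72: "IDS_EVENT_IPV6",
    104: "IDS_EVENT_VLAN",
    105: "IDS_EVENT_IPV6_VLAN",
    110: "EXTRA_DATA",
    111: "IDS_EVENT_APPID",
    112: "IDS_EVENT_APPID_IPV6",
    113: "IDS_EVENT_APPSTAT",
}
# Assumption: the spool reader predates AppID and decodes only these types.
HANDLED = {2, 7, 72, 104, 105, 110}


def tally_records(stream):
    """Count records per type; each header is two big-endian u32 (type, length)."""
    counts = Counter()
    while True:
        header = stream.read(8)
        if not header:
            return counts
        if len(header) < 8:
            raise ValueError("truncated record header")
        rtype, length = struct.unpack(">II", header)
        if len(stream.read(length)) < length:
            raise ValueError(f"truncated record body (type {rtype})")
        counts[rtype] += 1


def unhandled(counts, handled=HANDLED):
    """Return {type_name: count} for record types outside the handled set."""
    return {U2_TYPES.get(t, f"UNKNOWN_{t}"): n
            for t, n in sorted(counts.items()) if t not in handled}


def make_record(rtype, body):
    return struct.pack(">II", rtype, len(body)) + body


# Constructed sample: real headers, zero-filled placeholder bodies.
SAMPLE = (make_record(111, bytes(16)) + make_record(2, bytes(32)) +
          make_record(113, bytes(8)) + make_record(7, bytes(52)) +
          make_record(111, bytes(16)))

if __name__ == "__main__":
    print(unhandled(tally_records(io.BytesIO(SAMPLE))))
```

Against a real spool file, pass `open(path, "rb")` instead of the sample; a file Snort is still writing can end in a partial record, which surfaces here as a `ValueError`.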

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.