<![CDATA[Snort/Barnyard2 doesn't update events in Snorby after upgrade]]>Hi,

I don't have the exact same error as Greg97, but my problem also happened after I upgraded to the latest version of pfsense last week. Prior to the upgrade everything seemed to work fine. My snort and barnyard2 config was happily filling my mysql database and snorby presented all of it nicely. Now for some reason barnyard does connect to the mysql server but it no longer writes events to it. The unified2 archives are piling up on pfsense and thats it.

When I flush the database and restart snorby to generate the tables again everything works fine. Barnyard also starts and starts to fill the database again. Then after a while it just stops. I can restart the service, but then I'm back at the point that barnyard does no longer commit new events to the database.

When I restart the barnyard service it connects to the database fires the "SELECT sig_id, sig_sid, sig_gid,sig_rev, sig_class_id, sig_priority, sig_name FROM signature" qeury and form then on its quiet.

I've even restored an older snapshot from 2.1.5 of pfsense and upgraded again to 2.2.1, but this makes no difference.

I've been trying to figure out why it happens, but I could need some pointers.

I'm running:
Snort 2.9.7.2 pkg v3.2.4 on 2.2.1-RELEASE (i386) FreeBSD 10.1-RELEASE-p6
MySQL  5.5.38-0+wheezy1-log (Debian) server on my Netgear NAS
Snorby  rake, version 0.9.2 on Ubuntu 14.04.1 LTS

Thanks
Splinter

]]>https://forum.netgate.com/topic/82420/snort-barnyard2-doesn-t-update-events-in-snorby-after-upgradeRSS for NodeTue, 14 Apr 2026 18:25:08 GMTMon, 06 Apr 2015 20:31:47 GMT60<![CDATA[Reply to Snort/Barnyard2 doesn't update events in Snorby after upgrade on Tue, 14 Apr 2015 14:15:11 GMT]]>Yes works like a charm

]]>https://forum.netgate.com/post/536231https://forum.netgate.com/post/536231Tue, 14 Apr 2015 14:15:11 GMT<![CDATA[Reply to Snort/Barnyard2 doesn't update events in Snorby after upgrade on Thu, 09 Apr 2015 00:16:56 GMT]]>Can you click on the DNS reverse resolve icon when looking at an alert and get a reply?  Once I put an IPv6 address on my Snorby server, I lost that ability.  I can't even look up IPv4 addresses from within Snorby.

Bill

]]>https://forum.netgate.com/post/534859https://forum.netgate.com/post/534859Thu, 09 Apr 2015 00:16:56 GMT<![CDATA[Reply to Snort/Barnyard2 doesn't update events in Snorby after upgrade on Wed, 08 Apr 2015 10:25:33 GMT]]>Oh I got IPv6 working fine on my Snorby box, it can even identify itself with it's hostname to my MySQL server. I consider myself lucky then. Until now Barnyard is doing alright.

]]>https://forum.netgate.com/post/534677https://forum.netgate.com/post/534677Wed, 08 Apr 2015 10:25:33 GMT<![CDATA[Reply to Snort/Barnyard2 doesn't update events in Snorby after upgrade on Wed, 08 Apr 2015 00:02:00 GMT]]>Ah…OK.  I know Barnyard2 is not great with IPv6 support, and Snorby does not really support it at all so far as I know.  On my box, enabling IPv6 broke the DNS lookups from within Snorby (they still work fine from the Ubuntu CLI, so the failure is a Snorby issue).  I looked at the Snorby code and it uses only IPv4 library calls for that.  Also likely means other IPv6 stuff in Snorby is not well supported.

Bill

]]>https://forum.netgate.com/post/534570https://forum.netgate.com/post/534570Wed, 08 Apr 2015 00:02:00 GMT<![CDATA[Reply to Snort/Barnyard2 doesn't update events in Snorby after upgrade on Tue, 07 Apr 2015 20:07:31 GMT]]>Hey Bill,

Somehow this seems to have a lot to do with my network being dualstacked. I reconfigured the barnyard interface to use the ipv4 hostname of my mysql instance. This worked better than the ipv6 connection. Second, there were some entries showing up in Snorby that had unidentifiable ip addresses. When I correlate these to my alerts tab in snort these translate to ipv6 addresses. Although it's only Snorby not displaying the IP addresses correctly, I'm still going to suppress these alerts for now. Let's see if this is a more stable configuration.

Hopefully barnyard will hold up this time.

cheers
Splinter

]]>https://forum.netgate.com/post/534508https://forum.netgate.com/post/534508Tue, 07 Apr 2015 20:07:31 GMT<![CDATA[Reply to Snort/Barnyard2 doesn't update events in Snorby after upgrade on Tue, 07 Apr 2015 04:26:23 GMT]]>That returns:
9085 rows in set (0.32 sec)

:-/

Splinter

]]>https://forum.netgate.com/post/534261https://forum.netgate.com/post/534261Tue, 07 Apr 2015 04:26:23 GMT<![CDATA[Reply to Snort/Barnyard2 doesn't update events in Snorby after upgrade on Tue, 07 Apr 2015 01:39:29 GMT]]>What happens if you log in to the MySQL database and execute that same query?  Does it return results?  This seems to be on the MySQL side of things in the DB server.

Bill

]]>https://forum.netgate.com/post/534250https://forum.netgate.com/post/534250Tue, 07 Apr 2015 01:39:29 GMT