Snort/Barnyard2 doesn't update events in Snorby after upgrade
I don't have the exact same error as Greg97, but my problem also started after I upgraded to the latest version of pfSense last week. Prior to the upgrade everything seemed to work fine: my Snort and Barnyard2 config was happily filling my MySQL database and Snorby presented all of it nicely. Now, for some reason, Barnyard2 does connect to the MySQL server but it no longer writes events to it. The unified2 archives are piling up on pfSense and that's it.
When I flush the database and restart Snorby to generate the tables again, everything works fine. Barnyard2 also starts and begins to fill the database again. Then after a while it just stops. I can restart the service, but then I'm back at the point where Barnyard2 no longer commits new events to the database.
When I restart the Barnyard2 service, it connects to the database, fires the "SELECT sig_id, sig_sid, sig_gid, sig_rev, sig_class_id, sig_priority, sig_name FROM signature" query, and from then on it's quiet.
I've even restored an older snapshot of pfSense 2.1.5 and upgraded again to 2.2.1, but this makes no difference.
I've been trying to figure out why it happens, but I could use some pointers.
Snort 184.108.40.206 pkg v3.2.4 on 2.2.1-RELEASE (i386) FreeBSD 10.1-RELEASE-p6
MySQL 5.5.38-0+wheezy1-log (Debian) server on my Netgear NAS
Snorby rake, version 0.9.2 on Ubuntu 14.04.1 LTS
What happens if you log in to the MySQL database and execute that same query? Does it return results? This seems to be on the MySQL side of things in the DB server.
9085 rows in set (0.32 sec)
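The signature query only proves that Barnyard2 can connect and read; it says nothing about whether inserts still succeed. The following diagnostic queries are an added example, not something posted in this thread, and assume the standard Snort/Barnyard2 schema that Snorby creates (tables `sensor`, `event` and `signature`, with `event` keyed on `(sid, cid)`). Run them in the Snorby database on the MySQL server while the unified2 files are piling up on pfSense.

```sql
-- Added diagnostics (not from the thread). Assumes the Snort/Barnyard2 schema
-- as created by Snorby: sensor(sid, hostname, interface, last_cid, ...),
-- event(sid, cid, signature, timestamp, ...), signature(sig_id, sig_sid, ...).

-- 1. The query Barnyard2 issues at startup, as quoted in the thread. Returning
--    rows only shows the connection and SELECT privilege work.
SELECT sig_id, sig_sid, sig_gid, sig_rev, sig_class_id, sig_priority, sig_name
FROM signature
LIMIT 5;

-- 2. Is anything still arriving? A MAX(timestamp) that stops moving while
--    unified2 files keep accumulating means Barnyard2 reads the spool but
--    never gets its INSERTs committed.
SELECT s.sid, s.hostname, s.interface,
       COUNT(e.cid)     AS events,
       MAX(e.timestamp) AS newest_event,
       TIMESTAMPDIFF(MINUTE, MAX(e.timestamp), NOW()) AS minutes_silent
FROM sensor s
LEFT JOIN event e ON e.sid = s.sid
GROUP BY s.sid, s.hostname, s.interface;

-- 3. Barnyard2 numbers events per sensor with a counter (cid) and records
--    its position in sensor.last_cid; event rows are unique on (sid, cid).
--    Rows returned here are sensors whose stored position lags the events
--    already in the table, a mismatch worth checking before the next restart.
SELECT s.sid, s.hostname, s.last_cid, MAX(e.cid) AS max_event_cid
FROM sensor s
JOIN event e ON e.sid = s.sid
GROUP BY s.sid, s.hostname, s.last_cid
HAVING s.last_cid < MAX(e.cid);

-- 4. Confirm the account Barnyard2 uses actually has write privileges on the
--    database; run as that account on the MySQL server.
SHOW GRANTS FOR CURRENT_USER();
```

Compare the output of query 2 across two runs a few minutes apart: if `events` and `newest_event` do not change while Snort keeps writing unified2 files, the stall is on the insert path (privileges, connection drops, or a key conflict on `(sid, cid)`), not in Snort or in the spool. Query 4 should list INSERT, UPDATE and SELECT on the Snorby database.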
Somehow this seems to have a lot to do with my network being dual-stacked. I reconfigured the Barnyard2 interface to use the IPv4 hostname of my MySQL instance. This worked better than the IPv6 connection. Second, there were some entries showing up in Snorby that had unidentifiable IP addresses. When I correlate these with the Alerts tab in Snort, they translate to IPv6 addresses. Although it's only Snorby not displaying the IP addresses correctly, I'm still going to suppress these alerts for now. Let's see if this is a more stable configuration.
Hopefully barnyard will hold up this time.
Ah…OK. I know Barnyard2 is not great with IPv6 support, and Snorby does not really support it at all so far as I know. On my box, enabling IPv6 broke the DNS lookups from within Snorby (they still work fine from the Ubuntu CLI, so the failure is a Snorby issue). I looked at the Snorby code and it uses only IPv4 library calls for that. Also likely means other IPv6 stuff in Snorby is not well supported.
Oh, I got IPv6 working fine on my Snorby box; it can even identify itself by its hostname to my MySQL server. I consider myself lucky then. So far Barnyard2 is doing alright.
Can you click on the DNS reverse resolve icon when looking at an alert and get a reply? Once I put an IPv6 address on my Snorby server, I lost that ability. I can't even look up IPv4 addresses from within Snorby.
Yes, works like a charm.