Netgate Discussion Forum
Snort Barnyard2 stopped logging to mysql

IDS/IPS
7 Posts 3 Posters 2.2k Views
Justin53, May 23, 2015, 2:46 AM (last edited May 23, 2015, 4:19 AM)

    I finished setting up barnyard2 on both my WAN and LAN interfaces last night, logging to my dedicated MySQL box. Everything was working fine for roughly 2 hours; now, whenever a snort alert is generated, barnyard2 outputs the following message in the pfSense general log:

    WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x4226c00], information has not been outputed.

    Justin53, last edited May 23, 2015, 4:19 AM

      Edit: sorry, I was trying to edit the original post.

      gerby123, May 27, 2015, 12:52 PM (last edited May 27, 2015, 4:31 PM)

        I've got the same issue; deleting the waldo file results in Barnyard trying to run through all the previous alerts as well, with the same error message. To be clear, no messages have ever been logged to the SQL server, though it does successfully connect.

        Any help would be greatly appreciated; an example of the logged message I receive is below.

        barnyard2[83864]: WARNING database [Database()]: Called with Event[0x0] Event Type [ 0 ] (P)acket [0x8d50c00], information has not been outputed.

        Note: I added the spaces in [ 0 ] to fix forum formatting.

        pfSense version 2.2.2-RELEASE
        Snort package: 3.2.4

        gerby123, last edited May 27, 2015, 1:37 PM

          Only other information I'm able to find on this issue:

          https://github.com/firnsy/barnyard2/issues/143

          bmeeks, last edited May 29, 2015, 2:50 PM

            I am sorry you are having the Barnyard2 issue.  The Snort and Suricata packages simply use Barnyard2 and MySQL "as-is" from upstream. If you find out some information that helps with the problem, and it is something I can incorporate into the packages, please post back and let me know.

            Bill

            Justin53, last edited Jun 12, 2015, 5:36 AM

              @bmeeks:

              I am sorry you are having the Barnyard2 issue.  The Snort and Suricata packages simply use Barnyard2 and MySQL "as-is" from upstream. If you find out some information that helps with the problem, and it is something I can incorporate into the packages, please post back and let me know.

              Bill

              I found the problem: after disabling the "OpenAppID" pre-processor, signatures are now being logged to MySQL. However, now I am experiencing another issue:

              Jun 12 00:38:28	barnyard2[52951]: database: Closing connection to database "snorby"
              Jun 12 00:38:28	barnyard2[52951]: Barnyard2 exiting
              Jun 12 00:38:28	barnyard2[52951]: FATAL ERROR: [dbProcessSignatureInformation()]: Failed, stoping processing
              Jun 12 00:38:28	barnyard2[52951]: [dbProcessSignatureInformation()]: ERROR inserting new signature
              Jun 12 00:38:28	barnyard2[52951]: INFO [dbProcessSignatureInformation()]: [Event: 3722838017] with [gid: 1] [sid: 2500008] [rev: 3630] [classification: 14] [priority: 2] Signature Message -> "[ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 5]" was not found in barnyard2 signature cache, this could mean its is the first time the signature is processed, and will be inserted in the database with the above information, this message should only be printed once for each signature that is not present in the database The new inserted signature will not have its information present in the sig_reference table,it should be present on restart if the information is present in the sid-msg.map file. You can allways update the message via a SQL query if you want it to be displayed correctly by your favorite interface
              Jun 12 00:38:23	snort[89021]: [1:2500008:3630] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 5 [Classification: Misc Attack] [Priority: 2] {TCP} xx.xx.xx.xx:12646 -> xx.xx.xx.xx:22

                bmeeks, last edited Jun 12, 2015, 12:21 PM

                I do recall seeing on the Barnyard2 Github page that OpenAppID events are not supported by Barnyard.

                Your new error seems to be related to the general issues the newer Barnyard2 code seems to have with SQL.  I became so frustrated with Barnyard2 and Snorby on my own home firewall installation that I just disabled Barnyard2 last month.  Got tired of restarting it and clearing the signature reference table and all the other hassles.

                Bill

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
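Both failure modes in this thread are silent from the database's point of view: in the first, barnyard2 connects fine but refuses to write each event (the "Called with Event[0x0]" warning), and in the second a single failed signature insert takes the whole process down, so alerts stop reaching MySQL until someone restarts it. The following is an added example, not code from this thread or from the pfSense Snort/Barnyard2 packages, showing how a defender could watch the pfSense system log for these conditions. The log lines are constructed from the messages quoted above (PIDs, pointers and addresses are placeholders), and it assumes the "ERROR inserting new signature" line refers to the signature named in the preceding INFO line from the same PID, which is how the excerpt in this thread reads.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the messages quoted in this thread.
# PIDs, pointers and addresses are placeholders (192.0.2.0/24 is documentation space).
SAMPLE_LOG = """\
May 23 02:40:11 barnyard2[83864]: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x8d50c00], information has not been outputed.
May 23 02:40:12 barnyard2[83864]: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x8d50d00], information has not been outputed.
Jun 12 00:38:23 snort[89021]: [1:2500008:3630] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 5 [Classification: Misc Attack] [Priority: 2] {TCP} 192.0.2.10:12646 -> 192.0.2.1:22
Jun 12 00:38:28 barnyard2[52951]: INFO [dbProcessSignatureInformation()]: [Event: 3722838017] with [gid: 1] [sid: 2500008] [rev: 3630] [classification: 14] [priority: 2] Signature Message -> "[ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 5]" was not found in barnyard2 signature cache
Jun 12 00:38:28 barnyard2[52951]: [dbProcessSignatureInformation()]: ERROR inserting new signature
Jun 12 00:38:28 barnyard2[52951]: FATAL ERROR: [dbProcessSignatureInformation()]: Failed, stoping processing
Jun 12 00:38:28 barnyard2[52951]: Barnyard2 exiting
"""

# One pattern per barnyard2 message shape seen in the thread; the pid in
# barnyard2[<pid>] ties the INFO/ERROR/FATAL lines of one run together.
DROPPED = re.compile(r"barnyard2\[(\d+)\]: WARNING database \[Database\(\)\]: Called with Event\[0x0\]")
SIG_INFO = re.compile(
    r"barnyard2\[(\d+)\]: INFO \[dbProcessSignatureInformation\(\)\]: \[Event: \d+\] "
    r"with \[gid: (\d+)\] \[sid: (\d+)\] \[rev: (\d+)\]"
)
SIG_ERROR = re.compile(r"barnyard2\[(\d+)\]: \[dbProcessSignatureInformation\(\)\]: ERROR inserting new signature")
FATAL = re.compile(r"barnyard2\[(\d+)\]: FATAL ERROR")
EXITING = re.compile(r"barnyard2\[(\d+)\]: Barnyard2 exiting")


def analyze_barnyard_log(text):
    """Scan syslog lines and summarise barnyard2 database failures per pid."""
    dropped = Counter()      # pid -> number of events barnyard2 refused to write
    last_sig = {}            # pid -> (gid, sid, rev) of the signature last being inserted
    insert_failures = []     # (pid, (gid, sid, rev)) for each failed signature insert
    fatal, exited = [], []
    for line in text.splitlines():
        if m := DROPPED.search(line):
            dropped[m.group(1)] += 1
        elif m := SIG_INFO.search(line):
            last_sig[m.group(1)] = (m.group(2), m.group(3), m.group(4))
        elif m := SIG_ERROR.search(line):
            # Assumption: the ERROR refers to the signature named in the
            # preceding INFO line of the same pid, as in the thread's excerpt.
            insert_failures.append((m.group(1), last_sig.get(m.group(1))))
        elif m := FATAL.search(line):
            fatal.append(m.group(1))
        elif m := EXITING.search(line):
            exited.append(m.group(1))
    return {
        "dropped_events": dict(dropped),
        "insert_failures": insert_failures,
        "fatal": fatal,
        "exited": exited,
    }


def findings(report):
    """Turn the summary into alert strings a monitoring job could forward."""
    out = []
    for pid, n in report["dropped_events"].items():
        out.append(f"barnyard2[{pid}]: {n} event(s) not written to the database "
                   "(Event[0x0] warning; check for event types the database output cannot handle)")
    for pid, sig in report["insert_failures"]:
        label = "unknown signature" if sig is None else "gid:sid:rev %s:%s:%s" % sig
        out.append(f"barnyard2[{pid}]: failed to insert {label} into the signature table")
    for pid in report["fatal"]:
        state = "exited" if pid in report["exited"] else "may still be running"
        out.append(f"barnyard2[{pid}]: fatal database error, process {state}; alerts are no longer reaching MySQL")
    return out


if __name__ == "__main__":
    for finding in findings(analyze_barnyard_log(SAMPLE_LOG)):
        print(finding)
```

Running this against a tail of the pfSense system log from cron gives an early signal that the IDS console is going blind, and the gid:sid:rev it reports is the row to look at in the signature table before restarting barnyard2, rather than clearing the whole table as the last post describes having to do.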