Snort mailing list archives

Re: Barnyard2 reports database insert errors


From: Dave Corsello <snort-users () wintertreemedia com>
Date: Tue, 05 Nov 2013 10:52:05 -0500

interactive_timeout is not configured in my.cnf or in the startup script. I can't think of anything that could be killing mysqld. Do you have anything specific in mind? The primary functions of this machine are MySQL server, Apache (for BASE) and SSH. I can't correlate the timing of the errors to any processes (like the backup) that run on a schedule.

I failed to mention that I'm also getting fatal errors in dbProcessSignatureInformation from time to time:

Nov  4 06:53:28 snort1 barnyard2[24761]: INFO [dbProcessSignatureInformation()]: [Event: 1] with [gid: 1] [sid: 13990] [rev: 16] 
[classification: 12] [priority: 2] Signature Message -> "[SQL union select - possible sql injection attempt - GET 
parameter]" was not found in barnyard2 signature cache, this could mean its is the first time the signature is processed, and 
will be inserted in the database with the above information, this message should only be
printed once for each signature that is not present in the database. The new inserted signature will not have its 
information present in the sig_reference table, it should be present on restart if the information is present in the 
sid-msg.map file. You can allways update the message via a SQL query if you want it to be displayed correctly by your 
favorite interface
Nov  4 06:53:28 snort1 barnyard2[24761]: [dbProcessSignatureInformation()]: ERROR inserting new signature
Nov  4 06:53:28 snort1 barnyard2[24761]: FATAL ERROR: [dbProcessSignatureInformation()]: Failed, stoping processing

I've seen other discussions of this error, but have not done any debugging. I don't know if this fatal error is related in any way to the insert errors that we've been discussing, but I'm including it in this thread in case you might find a correlation. I got them several times about a year ago, and then three times over the past couple of weeks, twice on one sensor and once on the other, at random times. The only changes that I made recently (besides changing the NIC type from Flexible to E1000 on the MySQL machine) were upgrades to Snort, daq and pulledpork to the latest versions. I upgraded to ver 2.1.13 of barnyard2 months ago.

The insert errors that we had been discussing happen almost daily, and there was no change in frequency after the software updates that I just mentioned.

On 11/4/2013 12:25 PM, beenph wrote:
> On Mon, Nov 4, 2013 at 11:15 AM, Dave Corsello
> <snort-users () wintertreemedia com> wrote:
>> Changing the adapter type to E1000 did get rid of the RX-ERRs, but I'm
>> still getting intermittent insert errors in barnyard2.
>
> I guess that some of your sessions could get timed out if they're
> inactive for a while, so when by2 tries to insert
> it will fail until it reconnects, and then succeed because it has a
> valid handle/connection.
>
> http://dev.mysql.com/doc/refman/5.5/en/server-system-variables.html#sysvar_interactive_timeout
>
> Also you might have a process that is killing your mysqld for a while,
> invalidating current client session, which
> could also be the cause.
>
>> Maybe VMware is
>> reassigning memory that hasn't been used in a while?  Will try reserving
>> memory.
>
> Doubt that a lot.
>
> -elz
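
An added example, not part of the original message or of barnyard2: a Python sketch that pulls the dbProcessSignatureInformation fatal errors out of syslog together with the gid/sid/rev of the signature being inserted, so their times can be compared across sensors and against scheduled jobs. The sample lines are constructed from the excerpt above (unwrapped, INFO text shortened), and the `year` parameter is an assumption because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample (one syslog record per line); snort2 and the sshd line are invented.
SAMPLE_LOG = """\
Nov  4 06:53:28 snort1 barnyard2[24761]: INFO [dbProcessSignatureInformation()]: [Event: 1] with [gid: 1] [sid: 13990] [rev: 16] [classification: 12] [priority: 2] Signature Message -> "[SQL union select - possible sql injection attempt - GET parameter]" was not found in barnyard2 signature cache
Nov  4 06:53:28 snort1 barnyard2[24761]: [dbProcessSignatureInformation()]: ERROR inserting new signature
Nov  4 06:53:28 snort1 barnyard2[24761]: FATAL ERROR: [dbProcessSignatureInformation()]: Failed, stoping processing
Nov  4 07:00:01 snort1 sshd[911]: Accepted publickey for backup from 192.0.2.10
Nov  4 09:10:02 snort2 barnyard2[3112]: FATAL ERROR: [dbProcessSignatureInformation()]: Failed, stoping processing
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) barnyard2\[(\d+)\]: (.*)$")
SIG_RE = re.compile(r"\[gid: (\d+)\] \[sid: (\d+)\] \[rev: (\d+)\]")


def fatal_signature_events(log_text, year=2013):
    """Return one dict per fatal signature-insert error, in log order.

    'sig' is the (gid, sid, rev) from the preceding INFO line of the same
    barnyard2 process, or None when that line is not in the log.
    """
    pending = {}  # (host, pid) -> (gid, sid, rev) awaiting its FATAL line
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "dbProcessSignatureInformation" not in m.group(4):
            continue  # other daemons, or unrelated barnyard2 messages
        stamp, host, pid, msg = m.groups()
        key = (host, int(pid))
        sig = SIG_RE.search(msg)
        if sig:
            pending[key] = tuple(int(x) for x in sig.groups())
        elif msg.startswith("FATAL ERROR"):
            # Collapse the padded day ("Nov  4") before parsing.
            when = datetime.strptime(f"{year} {' '.join(stamp.split())}",
                                     "%Y %b %d %H:%M:%S")
            events.append({"time": when, "host": host, "pid": int(pid),
                           "sig": pending.pop(key, None)})
    return events


if __name__ == "__main__":
    for ev in fatal_signature_events(SAMPLE_LOG):
        print(ev["time"].isoformat(), ev["host"], ev["pid"], ev["sig"])
```
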
