Snort mailing list archives
Re: Barnyard2 problems with reputation preproc rules
From: beenph <beenph () gmail com>
Date: Mon, 3 Feb 2014 11:52:17 -0500
On Mon, Feb 3, 2014 at 10:17 AM, Dave Corsello <snort-users () wintertreemedia com> wrote:
MySQL version 5.1.49
I would highly suggest upgrading in the near future.
To the best of my recollection, I never ran ALTER TABLE to change the storage engine. The only changes to this database were done by the BASE script that adds the acid tables, which I ran a couple of years ago.
Here are the results of the query:

+--------+--------------+-----------------------------------+--------------+---------+---------+---------+--------------+
| sig_id | sig_class_id | sig_name                          | sig_priority | sig_rev | sig_sid | sig_gid | events_count |
+--------+--------------+-----------------------------------+--------------+---------+---------+---------+--------------+
|  16501 |            4 | reputation: Packet is blacklisted |            2 |       1 |       1 |     136 |        65341 |
|  17372 |            0 | reputation: Packet is blacklisted |            0 |       1 |       1 |     136 |            0 |
+--------+--------------+-----------------------------------+--------------+---------+---------+---------+--------------+
Seems like you have some leftovers from 2-1.11 in your signature table: signatures with a sig_class_id of 0 and/or a priority of 0. And this is what is causing the issue. Here is how you can fix this.

Stop all barnyard2 processes.

1. Copy/paste the body below into a MySQL query (in the console client), without the <STOREDPROC MYSQL> and </STOREDPROC MYSQL> markers.

<STOREDPROC MYSQL>
DROP PROCEDURE IF EXISTS fixsigs;
delimiter $$
CREATE PROCEDURE fixsigs(IN proc_gid INT, OUT return_val VARCHAR(50))
BEGIN
    DECLARE GID_COUNT INT;
    DECLARE GID_SID_MIN INT;
    DECLARE GID_SID_MAX INT;
    DECLARE C_SID INT;
    DECLARE NEW_SIG_ID INT;
    -- lowest and highest sig_sid seen for this gid; bounds of the loop below
    DECLARE cursorGIDSid CURSOR FOR
        SELECT MIN(sig_sid), MAX(sig_sid) FROM signature WHERE sig_gid = proc_gid;
    -- number of signature rows for this gid; more than one means there may be duplicates
    DECLARE cursorGIDcount CURSOR FOR
        SELECT COUNT(sig_sid) FROM signature WHERE sig_gid = proc_gid GROUP BY sig_gid;
    -- a gid with no signature rows at all must not abort the procedure
    DECLARE CONTINUE HANDLER FOR NOT FOUND BEGIN END;

    SET GID_COUNT = 0;
    OPEN cursorGIDcount;
    FETCH cursorGIDcount INTO GID_COUNT;
    IF GID_COUNT > 1 THEN
        SET return_val = 'OPERATED';
        OPEN cursorGIDSid;
        FETCH cursorGIDSid INTO GID_SID_MIN, GID_SID_MAX;
        SET return_val = CONCAT(return_val, ' MIN:', GID_SID_MIN, ' MAX: ', GID_SID_MAX);
        SET C_SID = GID_SID_MIN;
        WHILE C_SID <= GID_SID_MAX DO
            -- the good row for this gid/sid: non-zero class and non-zero priority
            SET NEW_SIG_ID = NULL;
            SELECT sig_id INTO NEW_SIG_ID FROM signature
             WHERE sig_gid = proc_gid AND sig_sid = C_SID
               AND sig_class_id <> 0 AND sig_priority <> 0;
            -- only re-point events and drop the stale row when a good row exists;
            -- otherwise event.signature would be set to NULL and the events orphaned
            IF NEW_SIG_ID IS NOT NULL THEN
                UPDATE event SET signature = NEW_SIG_ID
                 WHERE signature IN (SELECT sig_id FROM signature
                                      WHERE sig_gid = proc_gid AND sig_sid = C_SID
                                        AND sig_class_id = 0 AND sig_priority = 0);
                DELETE FROM signature
                 WHERE sig_gid = proc_gid AND sig_sid = C_SID
                   AND sig_class_id = 0 AND sig_priority = 0;
            END IF;
            SET C_SID = C_SID + 1;
        END WHILE;
        CLOSE cursorGIDSid;
    ELSE
        SET return_val = 'NOTHING TO DO';
    END IF;
    CLOSE cursorGIDcount;
END$$
delimiter ;
</STOREDPROC MYSQL>

2. In another query, drop in the following and let it execute (without <START> and <END>). And please include the result of the execution if you can. Also make sure that you execute the calls below in the same session in which you executed the above SQL, else the fixsigs procedure will not exist and the calls below will fail.
<START>
call fixsigs(100,@a);
call fixsigs(101,@a);
call fixsigs(102,@a);
call fixsigs(103,@a);
call fixsigs(104,@a);
call fixsigs(105,@a);
call fixsigs(106,@a);
call fixsigs(110,@a);
call fixsigs(111,@a);
call fixsigs(112,@a);
call fixsigs(113,@a);
call fixsigs(114,@a);
call fixsigs(115,@a);
call fixsigs(116,@a);
call fixsigs(117,@a);
call fixsigs(118,@a);
call fixsigs(119,@a);
call fixsigs(120,@a);
call fixsigs(121,@a);
call fixsigs(122,@a);
call fixsigs(123,@a);
call fixsigs(124,@a);
call fixsigs(125,@a);
call fixsigs(126,@a);
call fixsigs(128,@a);
call fixsigs(129,@a);
call fixsigs(130,@a);
call fixsigs(131,@a);
call fixsigs(133,@a);
call fixsigs(134,@a);
call fixsigs(135,@a);
call fixsigs(136,@a);
call fixsigs(137,@a);
call fixsigs(138,@a);
call fixsigs(139,@a);
call fixsigs(140,@a);
call fixsigs(141,@a);
call fixsigs(142,@a);
call fixsigs(143,@a);
call fixsigs(144,@a);
call fixsigs(145,@a);
call fixsigs(2,@a);
call fixsigs(3,@a);
<END>

3. Restart barnyard2.
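Added editorial example, not part of beenph's post or of the barnyard2 project: a dry run before the fix and a verification after it. The queries only use the signature columns visible in the output above (sig_id, sig_gid, sig_sid, sig_class_id, sig_priority, sig_name) and the event.signature reference that the fixsigs procedure itself updates; the alias names (disposition, attached_events, stmt) are chosen here. Take a mysqldump of the signature and event tables before running the procedure, since the barnyard2 tables may be MyISAM and the UPDATE/DELETE will not be rolled back on error.

```sql
-- 1. Dry run: every (sig_gid, sig_sid) pair with more than one signature row,
--    which row the procedure keeps and which it treats as stale, and how many
--    events currently point at each row (those on the stale row get moved).
SELECT s.sig_gid,
       s.sig_sid,
       s.sig_id,
       s.sig_name,
       s.sig_class_id,
       s.sig_priority,
       CASE WHEN s.sig_class_id = 0 AND s.sig_priority = 0
            THEN 'stale' ELSE 'keep' END                            AS disposition,
       (SELECT COUNT(*) FROM event e WHERE e.signature = s.sig_id) AS attached_events
FROM signature s
JOIN (SELECT sig_gid, sig_sid
        FROM signature
       GROUP BY sig_gid, sig_sid
      HAVING COUNT(*) > 1) dup
  ON dup.sig_gid = s.sig_gid AND dup.sig_sid = s.sig_sid
ORDER BY s.sig_gid, s.sig_sid, disposition;

-- 2. Pairs that are duplicated but have no non-zero row to re-point events to.
--    The automatic fix has nothing sane to move these to; decide by hand.
SELECT sig_gid, sig_sid, COUNT(*) AS rows_all
  FROM signature
 GROUP BY sig_gid, sig_sid
HAVING COUNT(*) > 1
   AND SUM(sig_class_id <> 0 AND sig_priority <> 0) = 0;

-- 3. Generate the call list from the data instead of hard-coding gids:
--    only gids where some sig_sid occurs more than once need fixsigs.
--    Paste the resulting lines into the same client session.
SELECT CONCAT('call fixsigs(', sig_gid, ',@a); select @a;') AS stmt
  FROM signature
 GROUP BY sig_gid
HAVING COUNT(*) > COUNT(DISTINCT sig_sid);

-- 4. After fixsigs: both queries should return no rows.
--    No (gid, sid) pair is duplicated any more ...
SELECT sig_gid, sig_sid, COUNT(*) AS n
  FROM signature
 GROUP BY sig_gid, sig_sid
HAVING COUNT(*) > 1;

--    ... and no event references a signature row that no longer exists.
SELECT e.signature, COUNT(*) AS orphaned_events
  FROM event e
  LEFT JOIN signature s ON s.sig_id = e.signature
 WHERE s.sig_id IS NULL
 GROUP BY e.signature;
```

For the table shown above, query 1 would list sig_id 16501 as keep (65341 events) and 17372 as stale (0 events) for gid 136 / sid 1, and query 3 would emit a single line for gid 136; the 65341 events stay attached to 16501 and the stale row is simply deleted.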
Current thread:
- Barnyard2 problems with reputation preproc rules Dave Corsello (Feb 01)
- Re: Barnyard2 problems with reputation preproc rules beenph (Feb 01)
- Re: Barnyard2 problems with reputation preproc rules Dave Corsello (Feb 02)
- Re: Barnyard2 problems with reputation preproc rules beenph (Feb 02)
- Re: Barnyard2 problems with reputation preproc rules Dave Corsello (Feb 03)
- Re: Barnyard2 problems with reputation preproc rules beenph (Feb 03)
- Re: Barnyard2 problems with reputation preproc rules Dave Corsello (Feb 03)
- Re: Barnyard2 problems with reputation preproc rules Dave Corsello (Feb 10)
- Re: Barnyard2 problems with reputation preproc rules Dave Corsello (Feb 12)
- Re: Barnyard2 problems with reputation preproc rules beenph (Feb 12)
- Re: Barnyard2 problems with reputation preproc rules Dave Corsello (Feb 02)
- Re: Barnyard2 problems with reputation preproc rules beenph (Feb 01)
- Re: Barnyard2 problems with reputation preproc rules Dave Corsello (Feb 07)