Snort mailing list archives
mysql_error: Duplicate entry 1-2 for key PRIMARY table event
From: c0re <nr1c0re () gmail com>
Date: Wed, 14 May 2014 13:34:09 +0400
Hello snort users! I'm trying to set up barnyard2 and keep failing with it. When I start barnyard2:

    /usr/local/barnyard2-1.13/bin/barnyard2 -c /usr/local/barnyard2-1.13/etc/barnyard2.conf -d /var/log/snort -w /var/log/barnyard2/snort_dmz2.log.waldo -vvv -f snort_dmz2.log

it starts fine. But when I start snort, barnyard2 sees the new unified2 logs, tries to insert them into the database and gives a fatal error:

    Opened spool file '/var/log/snort/snort_dmz2.log.1399902485'
    05/12-17:48:05.783972 [**] [124:1:1] <dmz2> smtp: Attempted command buffer overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
    05/12-17:48:05.815952 [**] [124:1:1] <dmz2> smtp: Attempted command buffer overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
    ERROR: database mysql_error: Duplicate entry '1-2' for key 'PRIMARY'
        SQL=[INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 2, 253, '2014-05-12 17:48:05');]
    Fatal Error, Quitting..
    Barnyard2 exiting

I have a fresh install of snort, pulledpork and barnyard2.

    OS FreeBSD 8.3-RELEASE-p8
    snort-2.9.6.0_1
    pulledpork-0.7.0
    barnyard2-1.13 built with --enable-debug, latest bug-fix from git because I had ERROR 0x0 and 0x7 in the 1.13 version.

I've got only one snort instance and a fresh database for barnyard2. Tables in the DB are InnoDB type.
barnyard2 config:

    cool-ids# egrep -v '^$|^#' /usr/local/barnyard2-1.13/etc/barnyard2.conf
    config reference_file: /usr/local/etc/snort/reference.config
    config classification_file: /usr/local/etc/snort/classification.config
    config gen_file: /usr/local/etc/snort/gen-msg.map
    config sid_file: /usr/local/etc/snort/sid-msg.map
    config hostname: cool-ids
    config interface: dmz2
    config alert_with_interface_name
    config process_new_records_only
    input unified2
    output alert_fast: stdout
    output database: alert, mysql, user=snort password=mypw dbname=snort host=5.5.5.5
    output database: log, mysql, user=snort password=mypw dbname=snort host=5.5.5.5

Full log of barnyard2:

    cool-ids# /usr/local/barnyard2-1.13/bin/barnyard2 -c /usr/local/barnyard2-1.13/etc/barnyard2.conf -d /var/log/snort -w /var/log/barnyard2/snort_dmz2.log.waldo -vvv -f snort_dmz2.log
    Running in Continuous mode

            --== Initializing Barnyard2 ==--
    Initializing Input Plugins!
    Initializing Output Plugins!
    DEBUG => [Alert_FWsam](AlertFWsamSetup) Output plugin is plugged in...
    Parsing config file "/usr/local/barnyard2-1.13/etc/barnyard2.conf"

    +[ Signature Suppress list ]+
    ----------------------------
    +[No entry in Signature Suppress List]+
    ----------------------------
    +[ Signature Suppress list ]+

    Barnyard2 spooler: Event cache size set to [2048]
    Log directory = /var/log/barnyard2
    INFO database: Defaulting Reconnect/Transaction Error limit to 10
    INFO database: Defaulting Reconnect sleep time to 5 second
    INFO database: Defaulting Reconnect/Transaction Error limit to 10
    INFO database: Defaulting Reconnect sleep time to 5 second
    Node unique name is: cool-ids:dmz2
    [ClassificationPullDataStore()]: No Classification found in database ...
    [SignaturePullDataStore()]: No signature found in database ...
    [SystemPullDataStore()]: No System found in database ...
    [ReferencePullDataStore()]: No Reference found in database ...
    [SignatureReferencePullDataStore()]: No Reference found in database ...
    database: compiled support for (mysql)
    database: configured to use mysql
    database: schema version = 107
    database: host = 5.5.5.5
    database: user = snort
    database: database name = snort
    database: sensor name = cool-ids:dmz2
    database: sensor id = 1
    database: sensor cid = 1
    database: data encoding = hex
    database: detail level = full
    database: ignore_bpf = no
    database: using the "alert" facility
    Node unique name is: cool-ids:dmz2
    database: compiled support for (mysql)
    database: configured to use mysql
    database: schema version = 107
    database: host = 5.5.5.5
    database: user = snort
    database: database name = snort
    database: sensor name = cool-ids:dmz2
    database: sensor id = 1
    database: sensor cid = 2
    database: data encoding = hex
    database: detail level = full
    database: ignore_bpf = no
    database: using the "log" facility

    -------------------------------------------------
    Keyword     |   Input @
    -------------------------------------------------
    unified2    : init() = 0x445970
    unified2    :  - readRecordHeader() = 0x4459f0
    unified2    :  - readRecord() = 0x445bd0
    -------------------------------------------------

    -------------------------------------------------
    Keyword     |   Output @
    -------------------------------------------------
    alert_cef   : 0x429d90
    alert_syslog: 0x430210
    log_tcpdump : 0x432da0
    database    : 0x439f70
    alert_fast  : 0x42bb00
    alert_full  : 0x42c720
    alert_fwsam : 0x42cf30
    alert_unixsock: 0x431770
    alert_csv   : 0x42a7e0
    log_null    : 0x432ca0
    log_ascii   : 0x432030
    alert_test  : 0x430fd0
    sguil       : 0x433b30
    alert_syslog_full: 0x434d60
    log_syslog_full: 0x434d40
    -------------------------------------------------

            --== Initialization Complete ==--

      ______   -*> Barnyard2 <*-
     / ,,_  \  Version 2.1.13 (Build 333) DEBUG
     |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
     + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>

    WARNING: Ignoring corrupt/truncated waldofile '/var/log/barnyard2/snort_dmz2.log.waldo'
    Waiting for new spool file
    Opened spool file '/var/log/snort/snort_dmz2.log.1399902485'
    05/12-17:48:05.783972 [**] [124:1:1] <dmz2> smtp: Attempted command buffer overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
    05/12-17:48:05.815952 [**] [124:1:1] <dmz2> smtp: Attempted command buffer overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
    ERROR: database mysql_error: Duplicate entry '1-2' for key 'PRIMARY'
        SQL=[INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 2, 253, '2014-05-12 17:48:05');]
    Fatal Error, Quitting..
    Barnyard2 exiting
    database: Closing connection to database "snort"
    database: Closing connection to database "snort"
    ===============================================================================
    Record Totals:
       Records:       3
       Events:        1 (33.333%)
       Packets:       2 (66.667%)
       Unknown:       0 (0.000%)
       Suppressed:    0 (0.000%)
    ===============================================================================
    Packet breakdown by protocol (includes rebuilt packets):
          ETH: 2          (100.000%)
      ETHdisc: 0          (0.000%)
         VLAN: 0          (0.000%)
         IPV6: 0          (0.000%)
      IP6 EXT: 0          (0.000%)
      IP6opts: 0          (0.000%)
      IP6disc: 0          (0.000%)
          IP4: 2          (100.000%)
      IP4disc: 0          (0.000%)
        TCP 6: 0          (0.000%)
        UDP 6: 0          (0.000%)
        ICMP6: 0          (0.000%)
      ICMP-IP: 0          (0.000%)
          TCP: 2          (100.000%)
          UDP: 0          (0.000%)
         ICMP: 0          (0.000%)
      TCPdisc: 0          (0.000%)
      UDPdisc: 0          (0.000%)
      ICMPdis: 0          (0.000%)
         FRAG: 0          (0.000%)
       FRAG 6: 0          (0.000%)
          ARP: 0          (0.000%)
        EAPOL: 0          (0.000%)
      ETHLOOP: 0          (0.000%)
          IPX: 0          (0.000%)
    IPv4/IPv4: 0          (0.000%)
    IPv4/IPv6: 0          (0.000%)
    IPv6/IPv4: 0          (0.000%)
    IPv6/IPv6: 0          (0.000%)
          GRE: 0          (0.000%)
      GRE ETH: 0          (0.000%)
     GRE VLAN: 0          (0.000%)
     GRE IPv4: 0          (0.000%)
     GRE IPv6: 0          (0.000%)
    GRE IP6 E: 0          (0.000%)
     GRE PPTP: 0          (0.000%)
      GRE ARP: 0          (0.000%)
      GRE IPX: 0          (0.000%)
     GRE LOOP: 0          (0.000%)
         MPLS: 0          (0.000%)
        OTHER: 0          (0.000%)
      DISCARD: 0          (0.000%)
    InvChkSum: 0          (0.000%)
       S5 G 1: 0          (0.000%)
       S5 G 2: 0          (0.000%)
        Total: 2
    ===============================================================================
    Closing spool file '/var/log/snort/snort_dmz2.log.1399902485'. Read 3 records
    cool-ids#

What is happening? What can I do with it? It's a fresh and empty DB that gets populated when barnyard2 starts, but it fails within no more than 5 records with the Duplicate entry error.
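The startup log in the post shows two "output database:" plugin instances (the "alert" and the "log" facility) both registering as sensor id 1, with sensor cid 1 and sensor cid 2 respectively, and the fatal INSERT is for (sid, cid) = (1, 2) in the event table, whose primary key is that pair. The script below is an added diagnostic, not code from the post or from barnyard2: it parses a constructed excerpt of such a -vvv log, flags database output instances that share a sensor id, and ties the reported duplicate key back to them, which is the first thing to check before suspecting the database itself.

```python
import re
from collections import defaultdict

# Constructed excerpt of a barnyard2 -vvv run, one entry per line (mirrors the post's log).
STARTUP_LOG = """\
database: sensor name = cool-ids:dmz2
database: sensor id = 1
database: sensor cid = 1
database: using the "alert" facility
database: sensor name = cool-ids:dmz2
database: sensor id = 1
database: sensor cid = 2
database: using the "log" facility
ERROR: database mysql_error: Duplicate entry '1-2' for key 'PRIMARY' SQL=[INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 2, 253, '2014-05-12 17:48:05');]
"""

KV_RE = re.compile(r'^database: (sensor name|sensor id|sensor cid) = (.+)$')
FACILITY_RE = re.compile(r'^database: using the "(\w+)" facility$')
DUP_RE = re.compile(r"Duplicate entry '(\d+)-(\d+)' for key 'PRIMARY'")

def parse_db_instances(log):
    """Return (instances, dups): one dict per database output instance, and
    the (sid, cid) pairs reported in MySQL duplicate-key errors."""
    instances, current, dups = [], {}, []
    for line in log.splitlines():
        m = KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
            continue
        m = FACILITY_RE.match(line)
        if m:  # the facility line closes one plugin instance's block
            current["facility"] = m.group(1)
            instances.append(current)
            current = {}
            continue
        m = DUP_RE.search(line)
        if m:
            dups.append((int(m.group(1)), int(m.group(2))))
    return instances, dups

def shared_sensor_ids(instances):
    """Map sensor id -> facilities for sensor ids used by more than one instance."""
    by_sid = defaultdict(list)
    for inst in instances:
        by_sid[inst.get("sensor id")].append(inst.get("facility"))
    return {sid: facs for sid, facs in by_sid.items() if len(facs) > 1}

def diagnose(log):
    """Human-readable findings: shared sensor ids, and duplicate keys that match them."""
    instances, dups = parse_db_instances(log)
    shared = shared_sensor_ids(instances)
    findings = [f"sensor id {sid} is used by {len(facs)} database outputs ({', '.join(facs)}), "
                f"each with its own cid, so INSERTs into event (sid,cid) can collide"
                for sid, facs in shared.items()]
    findings += [f"duplicate key '{sid}-{cid}' matches shared sensor id {sid}"
                 for sid, cid in dups if str(sid) in shared]
    return findings
```

Run it against the real log saved from "barnyard2 -vvv" by reading the file into diagnose(); if it reports a shared sensor id, compare the two "output database:" lines in barnyard2.conf, since both point at the same dbname and host here.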