Snort mailing list archives

Re: Snort, barnyard2, snorby issue


From: Sharif Uddin <Sharif.Uddin () spectrumasa com>
Date: Fri, 3 Oct 2014 09:33:28 +0000

How do you create the schema and from where did you get it?

From: Joey Moe [mailto:jmoe () penguingeek net]
Sent: 03 October 2014 09:28
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort, barnyard2, snorby issue

This is my first time posting in the community, and I have googled extensively and read through tons of forum entries 
where I've seen others posting about this same issue, but haven't found the solution yet.

PROBLEM: snort runs fine. I can watch output in verbose mode and if I run `watch ls -lah /logs/dir` (where 
/logs/dir is my log directory), I can see both the snort.u2.XXXXXXXXXX file and barnyard2.waldo being populated.

But running barnyard2 I receive the following constant errors:

[Database()]: Insertion of Query [INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 121, 2, '2014-10-01 
01:53:15');] failed
WARNING database: [Database()] Failed transaction with current query transaction
WARNING database: Failed Query Position [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp) VALUES 
(1, 121, 2, '2014-10-01 01:53:15');]
WARNING database: Failed Query Position [2] Failed Query Body [INSERT INTO udphdr (sid, cid, udp_sport, udp_dport, 
udp_len, udp_csum) VALUES (1, 121, 53, 11403, 207, 16168);]
WARNING database: Failed Query Position [3] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, 
ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES 
(1,121,3455829973,3232236175,4,5,32,227,0,0,0,55,17,59873);]
WARNING database: Failed Query Position [4] Failed Query Body [INSERT INTO data (sid,cid,data_payload) VALUES 
(1,121,'79B684000001000100040001037777770B746872656174737461636B03636F6D0000010001C00C000100010000012C000442E42EA3C010000200010002A3000017076E732D3130333509617773646E732D3031036F726700C010000200010002A3000014076E732D3133373209617773646E732D3433C053C010000200010002A3000019076E732D3230303509617773646E732D353802636F02756B00C010000200010002A3000013066E732D33373609617773646E732D3437C01C0000291000000000000000');]
WARNING database [Database()]: End of failed transaction block

This continues until finally barnyard2 dies with the following error:

[RollbackTransaction(): Call failed, we reached the maximum number of transaction error [10]
ERROR: database Unable to rollback transaction in [Database()]
Fatal Error, Quitting..
Barnyard2 exiting
[RollbackTransaction(): Call failed, we reached the maximum number of transaction error [10]
database: Closing connection to database "snorby"

I'm using the standard mysql configuration and verified that all database tables are innodb, and that the permissions 
on the database are set correctly. I've dropped the database several times as well as the barnyard2.waldo file, yet 
every time it's the same thing. This is the last issue I need to resolve and my snort infrastructure will be stable, 
but as it stands right now I feel like I am looking for "a superball in my gas tank".

Any help would be greatly appreciated.

--Joey
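
A triage helper for the failed-transaction block quoted above, added here as an example and not part of the original thread or of barnyard2: it separates the statement barnyard2 reports as failed from the other statements listed in the same transaction block, and decodes the integer ip_src/ip_dst columns. The function names are hypothetical, and the sample log is constructed from the post with wrapped lines rejoined and the data_payload value shortened.

```python
import ipaddress
import re

# Constructed sample: the block from the post, wrapped lines rejoined,
# data_payload hex shortened for readability.
SAMPLE_LOG = """\
[Database()]: Insertion of Query [INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 121, 2, '2014-10-01 01:53:15');] failed
WARNING database: [Database()] Failed transaction with current query transaction
WARNING database: Failed Query Position [1] Failed Query Body [INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 121, 2, '2014-10-01 01:53:15');]
WARNING database: Failed Query Position [2] Failed Query Body [INSERT INTO udphdr (sid, cid, udp_sport, udp_dport, udp_len, udp_csum) VALUES (1, 121, 53, 11403, 207, 16168);]
WARNING database: Failed Query Position [3] Failed Query Body [INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES (1,121,3455829973,3232236175,4,5,32,227,0,0,0,55,17,59873);]
WARNING database: Failed Query Position [4] Failed Query Body [INSERT INTO data (sid,cid,data_payload) VALUES (1,121,'79B684000001');]
WARNING database [Database()]: End of failed transaction block
"""

REJECTED = re.compile(r"Insertion of Query \[(.+?;)\] failed")
QUEUED = re.compile(r"Failed Query Position \[(\d+)\] Failed Query Body \[(.+?;)\]")
INSERT = re.compile(r"INSERT INTO (\w+) \(([^)]*)\) VALUES \((.*)\);")


def parse_insert(sql):
    """Split a simple INSERT into (table, {column: value}).

    Assumes no commas inside quoted values, which holds for these log lines.
    """
    table, cols, vals = INSERT.match(sql).groups()
    cols = [c.strip() for c in cols.split(",")]
    vals = [v.strip().strip("'") for v in vals.split(",")]
    return table, dict(zip(cols, vals))


def triage(log):
    """Return one summary dict per failed-transaction block in the log."""
    blocks = []
    for line in log.splitlines():
        if (m := REJECTED.search(line)):
            table, row = parse_insert(m.group(1))
            blocks.append({"rejected": table, "key": (row["sid"], row["cid"]), "queued": {}})
        elif (m := QUEUED.search(line)) and blocks:
            table, row = parse_insert(m.group(2))
            blocks[-1]["queued"][int(m.group(1))] = table
            if table == "iphdr":  # addresses are logged as 32-bit integers
                for col in ("ip_src", "ip_dst"):
                    blocks[-1][col] = str(ipaddress.ip_address(int(row[col])))
    return blocks


if __name__ == "__main__":
    for block in triage(SAMPLE_LOG):
        print(block)
```

Grouping the output by `key` across a full barnyard2 log shows whether the same (sid, cid) pair is reported on every failed block or the failures move through new events.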
