Snort mailing list archives

mysql_error: Duplicate entry 1-2 for key PRIMARY table event


From: c0re <nr1c0re () gmail com>
Date: Wed, 14 May 2014 13:34:09 +0400

Hello snort users!

I'm trying to set up barnyard2 and keep failing with it.
When I start barnyard2:

/usr/local/barnyard2-1.13/bin/barnyard2 -c
/usr/local/barnyard2-1.13/etc/barnyard2.conf -d /var/log/snort -w
/var/log/barnyard2/snort_dmz2.log.waldo -vvv -f snort_dmz2.log

It starts fine. But when I start snort, barnyard2 sees the new unified2 logs,
tries to insert into the database and gives a fatal error:

Opened spool file '/var/log/snort/snort_dmz2.log.1399902485'
05/12-17:48:05.783972  [**] [124:1:1] <dmz2> smtp: Attempted command buffer
overflow [**] [Classification: Attempted Administrator Privilege Gain]
[Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
05/12-17:48:05.815952  [**] [124:1:1] <dmz2> smtp: Attempted command buffer
overflow [**] [Classification: Attempted Administrator Privilege Gain]
[Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
ERROR: database mysql_error: Duplicate entry '1-2' for key 'PRIMARY'
        SQL=[INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 2,
253, '2014-05-12 17:48:05');]
Fatal Error, Quitting..
Barnyard2 exiting

I have a fresh install of snort, pulledpork and barnyard2.

OS FreeBSD 8.3-RELEASE-p8
snort-2.9.6.0_1
pulledpork-0.7.0
barnyard2-1.13 built with --enable-debug, with the latest bug fixes from git because I
had ERROR 0x0 and 0x7 with the 1.13 version.

I've got only one snort instance and fresh database for barnyard2.
Tables in DB are InnoDB type.

barnyard2 config:

cool-ids# egrep -v '^$|^#' /usr/local/barnyard2-1.13/etc/barnyard2.conf
config reference_file:      /usr/local/etc/snort/reference.config
config classification_file: /usr/local/etc/snort/classification.config
config gen_file:            /usr/local/etc/snort/gen-msg.map
config sid_file:            /usr/local/etc/snort/sid-msg.map
config hostname:   cool-ids
config interface:  dmz2
config alert_with_interface_name
config process_new_records_only
input unified2
output alert_fast: stdout
output database: alert, mysql, user=snort password=mypw dbname=snort
host=5.5.5.5
output database: log, mysql, user=snort password=mypw dbname=snort
host=5.5.5.5

Full log of barnyard2:

cool-ids# /usr/local/barnyard2-1.13/bin/barnyard2 -c
/usr/local/barnyard2-1.13/etc/barnyard2.conf -d /var/log/snort -w
/var/log/barnyard2/snort_dmz2.log.waldo -vvv -f snort_dmz2.log
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
DEBUG => [Alert_FWsam](AlertFWsamSetup) Output plugin is plugged in...
Parsing config file "/usr/local/barnyard2-1.13/etc/barnyard2.conf"


+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
Node unique name is: cool-ids:dmz2

[ClassificationPullDataStore()]: No Classification found in database ...
[SignaturePullDataStore()]: No signature found in database ...
[SystemPullDataStore()]: No System found in database ...
[ReferencePullDataStore()]: No Reference found in database ...
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = 5.5.5.5
database:           user = snort
database:  database name = snort
database:    sensor name = cool-ids:dmz2
database:      sensor id = 1
database:     sensor cid = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "alert" facility
Node unique name is: cool-ids:dmz2

database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = 5.5.5.5
database:           user = snort
database:  database name = snort
database:    sensor name = cool-ids:dmz2
database:      sensor id = 1
database:     sensor cid = 2
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility
-------------------------------------------------
 Keyword     |          Input @
-------------------------------------------------
unified2     : init() = 0x445970
unified2     :   - readRecordHeader() = 0x4459f0
unified2     :   - readRecord()       = 0x445bd0
-------------------------------------------------

-------------------------------------------------
 Keyword     |          Output @
-------------------------------------------------
alert_cef    :       0x429d90
alert_syslog :       0x430210
log_tcpdump  :       0x432da0
database     :       0x439f70
alert_fast   :       0x42bb00
alert_full   :       0x42c720
alert_fwsam  :       0x42cf30
alert_unixsock:       0x431770
alert_csv    :       0x42a7e0
log_null     :       0x432ca0
log_ascii    :       0x432030
alert_test   :       0x430fd0
sguil        :       0x433b30
alert_syslog_full:       0x434d60
log_syslog_full:       0x434d40
-------------------------------------------------


        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.13 (Build 333) DEBUG
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>

WARNING: Ignoring corrupt/truncated waldofile
'/var/log/barnyard2/snort_dmz2.log.waldo'
Waiting for new spool file
Opened spool file '/var/log/snort/snort_dmz2.log.1399902485'
05/12-17:48:05.783972  [**] [124:1:1] <dmz2> smtp: Attempted command buffer
overflow [**] [Classification: Attempted Administrator Privilege Gain]
[Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
05/12-17:48:05.815952  [**] [124:1:1] <dmz2> smtp: Attempted command buffer
overflow [**] [Classification: Attempted Administrator Privilege Gain]
[Priority: 1] {TCP} 1.1.1.1:28882 -> 2.2.2.2:25
ERROR: database mysql_error: Duplicate entry '1-2' for key 'PRIMARY'
        SQL=[INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 2,
253, '2014-05-12 17:48:05');]
Fatal Error, Quitting..
Barnyard2 exiting
database: Closing connection to database "snort"
database: Closing connection to database "snort"
===============================================================================
Record Totals:
   Records:           3
   Events:           1 (33.333%)
   Packets:           2 (66.667%)
   Unknown:           0 (0.000%)
   Suppressed:           0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH: 2          (100.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 2          (100.000%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 2          (100.000%)
      UDP: 0          (0.000%)
     ICMP: 0          (0.000%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
IPv4/IPv4: 0          (0.000%)
IPv4/IPv6: 0          (0.000%)
IPv6/IPv4: 0          (0.000%)
IPv6/IPv6: 0          (0.000%)
      GRE: 0          (0.000%)
  GRE ETH: 0          (0.000%)
 GRE VLAN: 0          (0.000%)
 GRE IPv4: 0          (0.000%)
 GRE IPv6: 0          (0.000%)
GRE IP6 E: 0          (0.000%)
 GRE PPTP: 0          (0.000%)
  GRE ARP: 0          (0.000%)
  GRE IPX: 0          (0.000%)
 GRE LOOP: 0          (0.000%)
     MPLS: 0          (0.000%)
    OTHER: 0          (0.000%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 2
===============================================================================
Closing spool file '/var/log/snort/snort_dmz2.log.1399902485'. Read 3
records
cool-ids#

What is happening? What can I do about it?

It's a fresh and empty DB that gets populated when barnyard2 starts, but it fails
after no more than 5 records with the Duplicate entry error.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
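Added example, not part of the post above and not barnyard2's own code: a small Python simulation of how the posted "Duplicate entry '1-2' for key 'PRIMARY'" can arise. The Snort `event` table is keyed on the pair (sid, cid). The posted startup log shows both `output database:` lines resolving to sensor id 1 but announcing different starting cids (1 for the "alert" facility, 2 for the "log" facility). The script models each output line as a writer that shares the sensor row but keeps its own cid counter, feeds it the two alerts from the log, and reports where the composite key clashes; it then runs the same alerts through a single output line for contrast. Assumptions: sqlite3 stands in for MySQL, the tables are cut down to the columns involved, and the cid bookkeeping (start at sensor.last_cid + 1 and write it back immediately) is a modelling assumption chosen to reproduce the cid values printed in the post.

```python
import sqlite3

# Simplified versions of the Snort DB tables involved; the real schema 107 has more
# columns, but the composite primary key on event is what matters here.
SCHEMA = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY,
    hostname  TEXT NOT NULL,
    interface TEXT NOT NULL,
    last_cid  INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL,
    timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

# Constructed input: the two alerts from the posted log, both mapped to the
# signature row id 253 that appears in the failing INSERT.
ALERTS = [("2014-05-12 17:48:05", 253), ("2014-05-12 17:48:05", 253)]


class DbOutput:
    """Models one 'output database:' line.

    Each instance resolves the sensor row for hostname:interface on its own and
    keeps a private cid counter. Modelling assumption: the starting cid is
    sensor.last_cid + 1 and is written back at once, which is how two instances
    sharing sensor id 1 end up announcing cid 1 and cid 2 as in the post.
    """

    def __init__(self, conn, hostname, interface, facility):
        self.conn = conn
        self.facility = facility
        row = conn.execute(
            "SELECT sid, last_cid FROM sensor WHERE hostname=? AND interface=?",
            (hostname, interface),
        ).fetchone()
        if row is None:
            cur = conn.execute(
                "INSERT INTO sensor (hostname, interface) VALUES (?, ?)",
                (hostname, interface),
            )
            self.sid, self.cid = cur.lastrowid, 1
        else:
            self.sid, self.cid = row[0], row[1] + 1
        conn.execute("UPDATE sensor SET last_cid=? WHERE sid=?", (self.cid, self.sid))
        conn.commit()

    def write_event(self, signature, timestamp):
        """The INSERT from the error message; raises IntegrityError on a (sid, cid) clash."""
        self.conn.execute(
            "INSERT INTO event (sid, cid, signature, timestamp) VALUES (?, ?, ?, ?)",
            (self.sid, self.cid, signature, timestamp),
        )
        self.conn.commit()
        self.cid += 1


def replay(outputs, alerts):
    """Hand every alert to each output in config order, as the spooler does.

    Returns (events_written, first_error); first_error is None when all rows landed.
    """
    written = 0
    for timestamp, signature in alerts:
        for out in outputs:
            try:
                out.write_event(signature, timestamp)
                written += 1
            except sqlite3.IntegrityError as exc:
                return written, f"{out.facility} output: {exc} (sid={out.sid}, cid={out.cid})"
    return written, None


def scenario(facilities):
    """Run the replay against a fresh in-memory DB with one output per facility."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    outputs = [DbOutput(conn, "cool-ids", "dmz2", f) for f in facilities]
    result = replay(outputs, ALERTS)
    conn.close()
    return result


if __name__ == "__main__":
    print("alert + log outputs:", scenario(["alert", "log"]))
    print("single output:      ", scenario(["log"]))
```

With both facilities configured, the "alert" writer stores (1,1), the "log" writer stores (1,2), and the "alert" writer's next row is again (1,2), which is exactly the INSERT the post shows failing; with one output line the same two alerts land as (1,1) and (1,2) without a clash. The model only reproduces the key collision; whether barnyard2 reserves cids exactly this way should be checked against the spo_database source of the build in use.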