Barnyard2-1.13 sig_reference "Duplicate entry" issue.


Champ ClarkIII

Nov 14, 2014, 8:40:16 AM
to barnyar...@googlegroups.com

I've been running Barnyard2-1.13 without "disable_signature_reference_table" because I want to populate reference tables with information. I've been running into an issue that I've been trying to narrow down. To give a little bit of background, I have multiple Snort and Sagan sensors reporting back to a single database. There are a total of 7 sensors in my "sensor" table. When upgrading to Barnyard2-1.13, I started over with a clean/new database (0 records). Everything works fine as long as I have "disable_signature_reference_table".

Now that I'm trying to get reference data into the database, I keep running into:

ERROR: database mysql_error: Duplicate entry '530-1' for key 'PRIMARY'
        SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('37795','530','1');]
Fatal Error, Quitting..

I've cleared/deleted all records in the "sig_reference" table multiple times but this issue always creeps back up. I started doing some digging and I noticed what might be an issue.

I've captured the queries that Barnyard2 is attempting. Barnyard2 appears to be checking the sig_reference table for this record like this:

MariaDB [snort_abc]> SELECT ref_id FROM sig_reference WHERE (ref_id = '37796') AND (sig_id = '530') AND (ref_seq='1');
Empty set (0.00 sec)

So, no record is found. Barnyard2 then attempts to "INSERT" the record:

MariaDB [snort_abc]> INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('37795','530', '1');
ERROR 1062 (23000): Duplicate entry '530-1' for key 'PRIMARY'

Here lies the problem. Looking at the table schema, "sig_id" and "ref_seq" are primary keys. This INSERT always fails.

One solution I had was to remove the primary keys from the sig_reference database. However, it's not clear to me why the Snort database might need the same reference data multiple times.

Another solution was to change the initial "SELECT" used to test the sig_reference table for an entry.

Change it from this:

SELECT ref_id FROM sig_reference WHERE (ref_id = '37796') AND (sig_id = '530') AND (ref_seq='1');

to

SELECT ref_id FROM sig_reference WHERE (sig_id = '530') AND (ref_seq='1');

This seems to work, but I have not investigated what impact this might have overall. Hence the reason I wanted to get your input.

Thank you for your time. Let me know your thoughts.
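
A small reproduction of the lookup/insert mismatch described in the post above, added here as an example (it is not Barnyard2 code and not part of the original message). It uses SQLite through Python's sqlite3 in place of MariaDB; the table is reduced to the three columns named in the post, and the function names and the stored ref_id 1001 are constructed for illustration.

```python
import sqlite3

# Reduced sig_reference table as the post describes it: the primary key is
# (sig_id, ref_seq) and ref_id is not part of the key. (Assumed layout.)
SCHEMA = """CREATE TABLE sig_reference (
    sig_id INTEGER NOT NULL, ref_seq INTEGER NOT NULL, ref_id INTEGER NOT NULL,
    PRIMARY KEY (sig_id, ref_seq))"""
INSERT = "INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES (?,?,?)"

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def exists_three_col(db, ref_id, sig_id, ref_seq):
    """Lookup as captured in the post: ref_id is part of the WHERE clause."""
    q = "SELECT ref_id FROM sig_reference WHERE ref_id=? AND sig_id=? AND ref_seq=?"
    return db.execute(q, (ref_id, sig_id, ref_seq)).fetchone() is not None

def exists_by_key(db, sig_id, ref_seq):
    """Lookup proposed in the post: only the primary-key columns."""
    q = "SELECT ref_id FROM sig_reference WHERE sig_id=? AND ref_seq=?"
    return db.execute(q, (sig_id, ref_seq)).fetchone() is not None

def check_then_insert(db, ref_id, sig_id, ref_seq, by_key):
    """Return 'inserted', 'skipped' or 'duplicate' for one reference row."""
    if by_key:
        found = exists_by_key(db, sig_id, ref_seq)
    else:
        found = exists_three_col(db, ref_id, sig_id, ref_seq)
    if found:
        return "skipped"
    try:
        db.execute(INSERT, (ref_id, sig_id, ref_seq))
        return "inserted"
    except sqlite3.IntegrityError:
        return "duplicate"  # the condition MariaDB reports as error 1062

def replay(by_key):
    db = open_db()
    # Constructed sequence: same sig_id/ref_seq, two different ref_id values.
    rows = [(1001, 530, 1), (37795, 530, 1)]
    return [check_then_insert(db, *row, by_key=by_key) for row in rows]

if __name__ == "__main__":
    print("three-column lookup:", replay(by_key=False))
    print("key-only lookup:    ", replay(by_key=True))
```

In this model the key-only lookup avoids the duplicate-key error, but the second ref_id is never stored: the row for (530, 1) keeps pointing at the first reference.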