barnyard2 fails to start with Fatal Error: CacheSynchronize() call failed


Venki Rajesh

Jan 7, 2013, 11:16:32 PM
to barnyar...@googlegroups.com


I compiled barnyard2-2-1.11 in the following way:

./configure --prefix=/usr --with-mysql=/usr --enable-debug
make

I started barnyard2 with the command:

barnyard2 -Dc /etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/barnyard2.waldo
and the output was like this:

[root@mysystem ~]# barnyard2 -Dc /etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/barnyard2.waldo
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
DEBUG => [Alert_FWsam](AlertFWsamSetup) Output plugin is plugged in...
Parsing config file "/etc/barnyard2.conf"
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
Node unique name is: thor:eth0

database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='7';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='7';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='7';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='7';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='7';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='7';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='7';]
[CacheSynchronize()]:, SignatureCacheSynchronize() call failed.
ERROR: database [DatabaseInitFinalize()]: CacheSynchronize() call failed ...
Fatal Error, Quitting..



Venki Rajesh

Jan 7, 2013, 11:20:05 PM
to barnyar...@googlegroups.com
Forgot to mention the versions of barnyard2 and Snort I use:


  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.11 (Build 317) DEBUG
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2012 Ian Firns <fir...@securixlive.com>


   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4 GRE (Build 40)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3


Thanks,
Rajesh

beenph

Jan 7, 2013, 11:39:16 PM
to barnyar...@googlegroups.com
Hi Rajesh,

Since you compiled with debug enabled, can you run barnyard2 this way
and repost the output?

BARNYARD2_DEBUG=0x80000000 barnyard2 -c /etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/barnyard2.waldo

Also, did you define valid values for the following configuration directives:

config reference_file
config classification_file
config gen_file
config sid_file


-elz

Venki Rajesh

Jan 8, 2013, 9:28:09 AM
to barnyar...@googlegroups.com
Hi Eric,

Thanks for your reply.
It started fine and fills the 'iphdr' table with the relevant IP addresses.
In my case, it does not write to the 'data' table of the database.
Can you tell me when and how it will fill the 'data' table with the packet data, if it does?

Thanks,
Rajesh 

beenph

Jan 8, 2013, 9:45:24 AM
to barnyar...@googlegroups.com
On Tue, Jan 8, 2013 at 9:28 AM, Venki Rajesh <venki....@gmail.com> wrote:
> Hi Eric,
>
> Thanks for your reply.
> It started fine and fills the 'iphdr' table with the relevant IP addresses.
> In my case, it does not write to the 'data' table of the database.
> Can you tell me when and how it will fill the 'data' table with the packet
> data if it does?
>
The data inserted will depend on the type of event you have in your
unified2 files. And the data you will find in your unified2 file will
depend on your Snort rules and the type of traffic you're monitoring.

Events you might have logged might only have been packets with no data.

You might want to look to see which signature triggered the event, and
this will probably also give you some information.

If you compiled Snort from source you can also use the u2spewfoo tool
against your unified2 file to see its content.

Cheers,
-elz

Venki Rajesh

Jan 9, 2013, 12:13:05 AM
to barnyar...@googlegroups.com
Hi Eric,

Thanks for your explanation. It gave me a clue to look into the type of alert it matched.
I was checking against an alert meant for a server -> client rule.
When I changed that to client -> server (real-time), it logged the packet data also.

Thanks,
Rajesh

Venki Rajesh

Jan 10, 2013, 11:59:11 PM
to barnyar...@googlegroups.com

Hi Eric,

I was able to see the events and packet data in the database's tables.
In the event, it shows the alert like "Snort Alert [1:100000X:1]" and I want that to be "MY_EVENT_ALERT".
Please correct me if I am wrong.
I looked into the source code: Barnyard2 reads from gen-msg.map and writes to the 'signature' table of the database.
So, I added the following line to gen-msg.map:
    146 || 1000001 || MY_CLASSIFICATION: MY EVENT ALERT
Similarly, I added the following line to sid-msg.map:
    1000001 || MY EVENT ALERT
When I restarted barnyard2, it wrote this line to the 'signature' table. And this 'MY_CLASSIFICATION' was included in classification.config also.
But I get the same old alert message "Snort Alert [1:100000X:1]".

What should I do to get "MY EVENT ALERT" in the alerts? Do I have to compile Snort again, adding 'my new generator id'?
Can anyone help me to understand the 'generator id' and how it is used?

Thanks,
Rajesh

beenph

Jan 11, 2013, 12:32:05 AM
to barnyar...@googlegroups.com
The sid-msg.map file is the file you will need to put your custom message in.

But in your case, as the by2 message states, when it encounters a new
signature and does not find its occurrence in the sid-msg.map file,
you will need to update it manually in the database in the signature table.

If you clean your database and the sid-msg.map file contains the
signature message you want to be present in the database,
then it will put it accordingly.

The gen-msg.map file is for Snort preprocessors only, so it's not where you
want to put your signature message.

-elz
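The mapping described across the last two posts, as an added worked example that is not barnyard2 code: it parses the two map file formats shown in the thread, resolves a (gid, sid, rev) to its message, falls back to the "Snort Alert [gid:sid:rev]" placeholder Rajesh saw, and models the signature table as written once per signature, which is why a later sid-msg.map edit does not change an already recorded row. The split "gid 1 from sid-msg.map, other gids from gen-msg.map" is assumed from the thread's description, and the map contents are constructed samples.

```python
from typing import Dict, Tuple

# Constructed sample map contents (not the real Snort files), including the
# two lines Rajesh added in the thread.
SID_MSG_MAP = """\
# sid || msg [|| reference ...]
1000001 || MY EVENT ALERT
"""
GEN_MSG_MAP = """\
# gid || sid || msg
146 || 1000001 || MY_CLASSIFICATION: MY EVENT ALERT
"""

def _rows(text):
    """Yield the '||'-separated fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield [f.strip() for f in line.split("||")]

def parse_sid_msg_map(text: str) -> Dict[int, str]:
    """sid-msg.map (rule messages, gid 1) -> {sid: msg}."""
    return {int(f[0]): f[1] for f in _rows(text) if len(f) >= 2}

def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """gen-msg.map (preprocessor messages) -> {(gid, sid): msg}."""
    return {(int(f[0]), int(f[1])): f[2] for f in _rows(text) if len(f) >= 3}

def resolve_message(gid, sid, rev, sid_map, gen_map) -> str:
    """gid 1 events take their text from sid-msg.map, other gids from
    gen-msg.map (assumed split, as the thread describes); an unmapped
    event gets the placeholder Rajesh saw, 'Snort Alert [gid:sid:rev]'."""
    msg = sid_map.get(sid) if gid == 1 else gen_map.get((gid, sid))
    return msg or f"Snort Alert [{gid}:{sid}:{rev}]"

class SignatureTable:
    """Stand-in for the database 'signature' table: a row is written the
    first time a (gid, sid) is seen and never overwritten, which is why
    editing sid-msg.map after the first event left Rajesh's alert text."""
    def __init__(self):
        self.rows: Dict[Tuple[int, int], str] = {}

    def record(self, gid, sid, rev, sid_map, gen_map) -> str:
        key = (gid, sid)
        if key not in self.rows:  # new signature: resolve and insert once
            self.rows[key] = resolve_message(gid, sid, rev, sid_map, gen_map)
        return self.rows[key]  # existing row wins even if the map changed
```

Recording the event once with empty maps and again with the populated ones reproduces the stale "Snort Alert [...]" row; a fresh table (the "clean your database" advice) picks up the mapped text.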