PP sid_msg_version=2


chris....@tampinc.com

Aug 22, 2013, 9:18:02 AM
to pulledpo...@googlegroups.com
Hi,
  I am running snort v2.95 -> barnyard2 v2.1.13 -> postgres v9.2. PP v0.7.0

When I set sid_msg_version=2 in pulledpork.conf, barnyard2 bails out when trying to write the reference data on startup. 

extract from /var/log/messages:

Aug 21 18:45:58 chris-Linux barnyard2[28264]: ERROR database: Query [SELECT ref_id FROM reference WHERE ref_system_id = '9' AND ref_tag = 'support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806';] returned more than one result
Aug 21 18:45:58 chris-Linux barnyard2[28264]: [SystemCacheSynchronize()], Call to ReferencePopulateDatabase() failed
Aug 21 18:45:58 chris-Linux barnyard2[28264]: [CacheSynchronize()]:, SystemCacheSyncronize() call failed.
Aug 21 18:45:58 chris-Linux barnyard2[28264]: FATAL ERROR: database [DatabaseInitFinalize()]: CacheSynchronize() call failed ...
Aug 21 18:45:58 chris-Linux barnyard2[28264]: Barnyard2 exiting
Aug 21 18:45:58 chris-Linux barnyard2[28264]: database: Closing connection to database "snort"

I dropped and recreated the database schema to make sure it was empty and tried again - same result.

Setting sid_msg_version=1 and then rerunning PP makes the issue go away, i.e. barnyard2 starts up and logs alerts successfully. I'm not sure what the extra benefit of sid_msg_version=2 is as I'm just starting to use snort, so setting it back to 1 is not a problem for me but might be an issue relevant to the developer of PP.

Reading the pulledpork.conf comment

# specify version 2 if you are running barnyard2.2+. Otherwise use 1

confused me as the latest version of barnyard2 I could find on github was v2.1.13. Does it mean barnyard2 v2.2+ or barnyard2 v2+ in the comment?

Cheers,
   Chris


JJC

Aug 22, 2013, 10:32:41 AM
to pulledpo...@googlegroups.com
It's for a newer version of Barnyard that is not mainstream release.. 

The release notes and the config above that directive SPECIFICALLY state:

# New for by2 and more advanced msg mapping. Valid options are 1 or 2
# specify version 2 if you are running barnyard2.2+. Otherwise use 1
sid_msg_version=1

Note that the default version is set to 1 for a reason. Also note that your version of barnyard2 is 2.1.13 and that is < 2.2+

JJC
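The mismatch JJC points at (a version 2 sid-msg.map handed to a barnyard2 older than 2.2) can be caught before barnyard2 touches the database. The check below is an added example written for this thread; it is not pulledpork or barnyard2 code. It assumes the two map layouts documented for pulledpork (version 1: `sid || msg || ref || ref ...`; version 2: `gid || sid || rev || classification || priority || msg || ref || ref ...`), encodes the "barnyard2.2+" rule from the config comment as the constant `MIN_BY2_FOR_V2`, and runs on constructed sample maps rather than a real ruleset.

```python
"""Sanity-check a pulledpork sid-msg.map against the barnyard2 version that
will read it, before starting barnyard2.

Added example for this thread; not pulledpork's or barnyard2's own code.
Assumed map layouts (as documented for pulledpork):
  version 1:  sid || msg || ref || ref ...
  version 2:  gid || sid || rev || classification || priority || msg || ref || ref ...
"""
from collections import Counter

# From the pulledpork.conf comment: version 2 maps need barnyard2 2.2 or newer.
MIN_BY2_FOR_V2 = (2, 2)

# Constructed sample maps (not taken from any real ruleset), one rule per line.
SAMPLE_V1 = """\
# constructed v1 map
2003514 || EXAMPLE MALWARE Callback || url,example.invalid/a
2003515 || EXAMPLE MALWARE Dropper || cve,2013-0000 || url,example.invalid/b
"""
SAMPLE_V2 = """\
# constructed v2 map
1 || 2003514 || 3 || trojan-activity || 1 || EXAMPLE MALWARE Callback || url,example.invalid/a
1 || 2003515 || 2 || trojan-activity || 1 || EXAMPLE MALWARE Dropper || cve,2013-0000 || url,example.invalid/b
"""


def parse_version(s):
    """'2.1.13' -> (2, 1, 13) so versions compare as tuples, not strings."""
    return tuple(int(p) for p in s.strip().split("."))


def _rows(text):
    """Yield the '||'-split fields of each non-comment, non-empty line."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield [f.strip() for f in line.split("||")]


def detect_map_version(text):
    """Infer the map layout from its structure.

    A v2 row starts with three integers (gid, sid, rev) and has an integer
    priority in field 5; a v1 row starts with a single integer sid.
    Mixed files are rejected rather than guessed at.
    """
    votes = Counter()
    for f in _rows(text):
        if len(f) >= 6 and all(x.isdigit() for x in f[:3]) and f[4].isdigit():
            votes[2] += 1
        elif f[0].isdigit():
            votes[1] += 1
        else:
            raise ValueError(f"unparseable sid-msg.map row: {f!r}")
    if not votes:
        raise ValueError("sid-msg.map contains no rules")
    if len(votes) > 1:
        raise ValueError(f"mixed v1/v2 rows in one file: {dict(votes)}")
    return next(iter(votes))


def parse_map(text):
    """Return (version, rules); each rule carries its references as (system, tag) pairs,
    which is what barnyard2 writes to the reference table."""
    version = detect_map_version(text)
    rules = []
    for f in _rows(text):
        if version == 2:
            gid, sid, rev, msg, refs = int(f[0]), int(f[1]), int(f[2]), f[5], f[6:]
        else:
            gid, sid, rev, msg, refs = 1, int(f[0]), None, f[1], f[2:]
        pairs = []
        for r in refs:
            system, _, tag = r.partition(",")
            pairs.append((system.strip(), tag.strip()))
        rules.append({"gid": gid, "sid": sid, "rev": rev, "msg": msg, "refs": pairs})
    return version, rules


def check_compat(map_text, configured_sid_msg_version, by2_version):
    """Return a list of findings; an empty list means the map, the pulledpork
    setting and the barnyard2 version agree with each other."""
    findings = []
    actual, _ = parse_map(map_text)
    if actual != configured_sid_msg_version:
        findings.append(
            f"pulledpork has sid_msg_version={configured_sid_msg_version} "
            f"but the generated map is version {actual}")
    if actual == 2 and parse_version(by2_version) < MIN_BY2_FOR_V2:
        findings.append(
            f"version 2 map but barnyard2 {by2_version} is older than 2.2; use sid_msg_version=1")
    return findings


if __name__ == "__main__":
    for name, text, cfg in (("v1", SAMPLE_V1, 1), ("v2", SAMPLE_V2, 2)):
        print(name, check_compat(text, cfg, "2.1.13") or "OK")
```

Run against the real file (`/etc/snort/sid-msg.map` or wherever pulledpork's `sid_msg=` points) by reading it into `check_compat` with the `sid_msg_version` from pulledpork.conf and the output of `barnyard2 -V`; a non-empty result is the configuration to fix before restarting barnyard2. If the database already holds duplicate rows from an earlier bad start, the query barnyard2 logged above shows the columns to group on: rows in `reference` sharing the same `ref_system_id` and `ref_tag` are what make that SELECT return more than one result, and dropping and recreating the schema, as Chris did, is the clean way to clear them.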

chris....@tampinc.com

Aug 22, 2013, 11:06:18 AM
to pulledpo...@googlegroups.com
Yes, I thought my barnyard2 version must be the issue, but the comment in pulledpork.conf inspired my attempt to try it out.

Does "barnyard2.2+" mean
a) barnyard v2.2+
b) barnyard2 v2.2+
c) barnyard2 v2+

Is barnyard2 the same project as barnyard? I didn't know. Having different names and not knowing the history of the project(s?), I didn't think the comment was SPECIFIC, so I tried it out, didn't work, thought I'd ask ... :-)

Thanks for the clarification.

Cheers, 
   Chris

JJ Cummings

Aug 22, 2013, 11:07:56 AM
to pulledpo...@googlegroups.com, pulledpo...@googlegroups.com
Understood and I'll clear that up in the docs!

Sent from the iRoad