You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jan 18, 2024. It is now read-only.
Barnyard2 - version 2-1.13 (bugfix release)
snort-2.9.5.6
pulled-pork 0.7.0
The sig_class_id used in the signature table is set incorrectly upon initialization.
To reproduce:-
stop snort
stop barnyard2
truncate/delete from all snort tables
Restart barnyard2 (wait for tables to be repopulated)
Start snort.
You will start to see in the logs warnings such as the following:-
INFO [dbProcessSignatureInformation()]: [Event: 3] with [gid: 122] [sid: 1] [rev: 1] [classification: 118] [priority: 2]#12#011 was not found in barnyard2 signature cache, this could lead to display inconsistency.#12#011 To prevent this warning, make sure that your sid-msg.map and gen-msg.map file are up to date with the snort process logging to the spool file.#12#011 The new inserted signature will not have its information present in the sig_reference table. #12#011 Note that the message inserted in the signature table will be snort default message "Snort Alert [gid:sid:revision]" #12#011 You can allways update the message via a SQL query if you want it to be displayed correctly by your favorite interface#012
The issue is that the sig_class.sig_class_id values are not starting from 1 due to the truncate of the table. barnyard2 inserts the sig_class_name and due to auto_increment, the sig_class_id is next highest value.
When signature table is updated, the new sig_class.sig_class_id values are not used resulting in warning above.
To resolve I needed to truncate the tables and either restart mysql or reset the auto_increment to 1 on sig_class.sig_class_id
Can I suggest a re-think of the code on how the signature.sig_class_id values are derived.
The text was updated successfully, but these errors were encountered:
Barnyard2 - version 2-1.13 (bugfix release)
snort-2.9.5.6
pulled-pork 0.7.0
The sig_class_id used in the signature table is set incorrectly upon
initialization.
To reproduce:-
stop snort
stop barnyard2
truncate/delete from all snort tables
Restart barnyard2 (wait for tables to be repopulated)
Start snort.
You will start to see in the logs warnings such as the following:-
INFO [dbProcessSignatureInformation()]: [Event: 3] with [gid: 122] [sid:
1] [rev: 1] [classification: 118] [priority: 2]#12#12 (comment)
was not found in barnyard2 signature cache, this could lead to display
inconsistency.#12#12 (comment) To
prevent this warning, make sure that your sid-msg.map and gen-msg.map file
are up to date with the snort process logging to the spool file.#12#12 (comment)
The new inserted signature will not have its information present in the
sig_reference table. #12#12 (comment)
Note that the message inserted in the signature table will be snort default
message "Snort Alert [gid:sid:revision]" #12#12 (comment)
You can allways update the message via a SQL query if you want it to be
displayed correctly by your favorite interface#012
The issue is that the sig_class.sig_class_id values are not starting from
1 due to the truncate of the table. barnyard2 inserts the sig_class_name
and due to auto_increment, the sig_class_id is next highest value.
When signature table is updated, the new sig_class.sig_class_id values are
not used resulting in warning above.
This is how the schema was designed more than 10 years ago and the current
database code follow those rules.
If you truncate/reset your table often, reset all auto-incrementing value
to one each time (signature,reference etc...)
Barnyard2 - version 2-1.13 (bugfix release)
snort-2.9.5.6
pulled-pork 0.7.0
The sig_class_id used in the signature table is set incorrectly upon initialization.
To reproduce:-
Restart barnyard2 (wait for tables to be repopulated)
Start snort.
You will start to see in the logs warnings such as the following:-
INFO [dbProcessSignatureInformation()]: [Event: 3] with [gid: 122] [sid: 1] [rev: 1] [classification: 118] [priority: 2]#12#011 was not found in barnyard2 signature cache, this could lead to display inconsistency.#12#011 To prevent this warning, make sure that your sid-msg.map and gen-msg.map file are up to date with the snort process logging to the spool file.#12#011 The new inserted signature will not have its information present in the sig_reference table. #12#011 Note that the message inserted in the signature table will be snort default message "Snort Alert [gid:sid:revision]" #12#011 You can allways update the message via a SQL query if you want it to be displayed correctly by your favorite interface#012
The issue is that the sig_class.sig_class_id values are not starting from 1 due to the truncate of the table. barnyard2 inserts the sig_class_name and due to auto_increment, the sig_class_id is next highest value.
When signature table is updated, the new sig_class.sig_class_id values are not used resulting in warning above.
To resolve I needed to truncate the tables and either restart mysql or reset the auto_increment to 1 on sig_class.sig_class_id
Can I suggest a re-think of the code on how the signature.sig_class_id values are derived.
The text was updated successfully, but these errors were encountered: