signature.sig_class_id not correctly populated resulting in dbProcessSignatureInformation()...not found in barnyard2 signature cache

[epantf]

Barnyard2 - version 2-1.13 (bugfix release)
snort-2.9.5.6
pulled-pork 0.7.0

The sig_class_id used in the signature table is set incorrectly upon initialization.

To reproduce:-

• stop snort
• stop barnyard2
• truncate/delete from all snort tables

Restart barnyard2 (wait for tables to be repopulated)
Start snort.

You will start to see in the logs warnings such as the following:-

INFO [dbProcessSignatureInformation()]: [Event: 3] with [gid: 122] [sid: 1] [rev: 1] [classification: 118] [priority: 2]#12#011 was not found in barnyard2 signature cache, this could lead to display inconsistency.#12#011 To prevent this warning, make sure that your sid-msg.map and gen-msg.map file are up to date with the snort process logging to the spool file.#12#011 The new inserted signature will not have its information present in the sig_reference table. #12#011 Note that the message inserted in the signature table will be snort default message "Snort Alert [gid:sid:revision]" #12#011 You can allways update the message via a SQL query if you want it to be displayed correctly by your favorite interface#012

The issue is that the sig_class.sig_class_id values are not starting from 1 due to the truncate of the table. barnyard2 inserts the sig_class_name and due to auto_increment, the sig_class_id is next highest value.

When signature table is updated, the new sig_class.sig_class_id values are not used resulting in warning above.

To resolve I needed to truncate the tables and either restart mysql or reset the auto_increment to 1 on sig_class.sig_class_id

Can I suggest a re-think of the code on how the signature.sig_class_id values are derived.

[binf]

On Sun, Jan 19, 2014 at 10:40 PM, epantf notifications@github.com wrote:

Barnyard2 - version 2-1.13 (bugfix release)
snort-2.9.5.6
pulled-pork 0.7.0

The sig_class_id used in the signature table is set incorrectly upon
initialization.

To reproduce:-

• stop snort
• stop barnyard2
• truncate/delete from all snort tables

Restart barnyard2 (wait for tables to be repopulated)
Start snort.

You will start to see in the logs warnings such as the following:-

INFO [dbProcessSignatureInformation()]: [Event: 3] with [gid: 122] [sid:
1] [rev: 1] [classification: 118] [priority: 2]#12#12 (comment)
was not found in barnyard2 signature cache, this could lead to display
inconsistency.#12 #12 (comment) To
prevent this warning, make sure that your sid-msg.map and gen-msg.map file
are up to date with the snort process logging to the spool file.#12#12 (comment)
The new inserted signature will not have its information present in the
sig_reference table. #12 #12 (comment)
Note that the message inserted in the signature table will be snort default
message "Snort Alert [gid:sid:revision]" #12#12 (comment)
You can allways update the message via a SQL query if you want it to be
displayed correctly by your favorite interface#012

The issue is that the sig_class.sig_class_id values are not starting from
1 due to the truncate of the table. barnyard2 inserts the sig_class_name
and due to auto_increment, the sig_class_id is next highest value.

When signature table is updated, the new sig_class.sig_class_id values are
not used resulting in warning above.

This is how the schema was designed more than 10 years ago and the current
database code follow those rules.
If you truncate/reset your table often, reset all auto-incrementing value
to one each time (signature,reference etc...)

-elz

[epantf]

Hi, thanks for the reply. Was pulling my hair out trying to understand why it wasn't working. Will make a note. Thanks !!