Every once in a while you'll get a database error that will cause an operation to fail. In my case, it's the scheduled backup. The web page doesn't give you a lot go to on at first glance, but under your schedule, it should tell you more at the bottom of the calendar.
If you ssh in and run DBCheck.pl, you'll see something like this:
[Tue Feb 5 13:15:50 2019][FATAL] [missing eo reference] database [sybase],table [rule_header] column [uuid], uuid [fcd5fc7a-2889-11e9-ab40-b1c5df20061d],rev_uuid [NULL]
indicating a bad database entry for a snort rule.
This is easily fixed by typing
OmniQuery.pl -db sdb -e "delete from rule_header where uuid ='fcd5fc7a-2889-11e9-ab40-b1c5df20061d';"
Pay close attention to the table (rule_header in this case). I've also seen EOPermissions, EORevisionStore, and EOContainerStore (or all 4).
Again, this seems to only be a problem here for the Emerging Threats rules that I import, I've never seen it happen for the default rule set downloaded and installed automatically by Firepower.
TAC also likes to suggest the "slow repair,"
for i in `ls -1|egrep -v "\.BAK$"|sed 's/\....$//'|sort|uniq`; do repair_table.pl -frames $i;done
but I've never had that actually fix anything. Note here that you have to actually be in /var/lib/mysql/sfsnort for this to actually do anything despite TAC's insistence that it can be run from anywhere in the file system.
0 comments:
Post a Comment
Discuss this post!