[Snort-devel] [Sguil-users] Barnyard problem

Bamm Visscher bamm.visscher at ...2499...
Wed Jan 17 11:18:11 EST 2007


AFAIK, that is a bug in Snort's unified output plugin. For all
practical purposes, the file /nsm/snortsrv//snort.log.1167545618 is
corrupt. To recover, stop snort and barnyard. Then remove (or move)
all the snort.log.####### files in /nsm/snortsrv (not the ones in
/nsm/snortsrv/dailylogs/). Finally, remove your waldo.file and restart
snort and barnyard.

The downside is any alert that happened after the file became
corrupted is gone. I don't know of any fix; probably the best thing
you can do to limit the impact this can cause again is to restart
snort on a regular basis, as snort will create a new unified file each
time.

Bammkkkk


On 1/17/07, Smith, Brad <brad.smith at ...2917...> wrote:
> A couple of weeks ago my barnyard portion of the sensor just quit. Not exactly sure what happened, but it won't start up again. The main reason seems to be the invalid packet length as indicated in the screen capture below. Is there a way to edit this file and remove the offending line of data, or how can I recover from this? The sensor is running FreeBSD 6.1.
>
> Thanks,
>
> Brad
>
> ------------------------
>
> Barnyard Version 0.2.0 (Build 32)
> Command line arguments:
>   Config file:           /usr/local/etc/nsm/barnyard.conf
>   Spool dir:             /nsm/snortsrv/
>   Gen-msg file:          gen-msg.map
>   Sid-msg file:          sid-msg.map
>   Class file:            Not specified
>   Log dir:               Not specified
>   Archive dir:           Not specified
>   File base:             snort.log
>   Waldo file:            /nsm/snortsrv/waldo.file
>   Pid file:              Not specified
>   Verbosity level:       3
>   Dry run flag:          Not Set
>   Batch mode flag:       Not Set
>   Daemon flag:           Not Set
>   New records only flag: Not Set
>   Usage flag:            Not Set
>   Version flag:          Not Set
> Config file variables:
>   Hostname:        snortsrv
>   Interface:       fxp1
>   BPF Filter:
>   Class file:      Not specified
>   Sid-msg file:    Not specified
>   Gen-msg file:    Not specified
>   Daemon flag:     Not Set
>   Localtime flag:  Not Set
> Starting data processing using information from bookmark file
> Program Variables:
>   Continual processing mode
>   Config dir:    /usr/local/etc/nsm
>   Config file:   /usr/local/etc/nsm/barnyard.conf
>   Sid-msg file:  /usr/local/etc/nsm/sid-msg.map
>   Gen-msg file:  /usr/local/etc/nsm/gen-msg.map
>   Class file:    /usr/local/etc/nsm/classification.config
>   Hostname:      snortsrv
>   Interface:     fxp1
>   BPF Filter:
>   Log dir:       /var/log/snort
>   Verbosity:     3
>   Localtime:     0
>   Spool dir:     /nsm/snortsrv/
>   Spool file:    snort.log
>   Bookmark file: /nsm/snortsrv/waldo.file
>   Record Number: 838345
>   Timet:         1167545618
>   Start at end:  0
> Opened spool file '/nsm/snortsrv//snort.log.1167545618'
> OpSguil configured
> Connected to localhost on 7735.
> Waiting for sid and cid from sensor_agent.
> Sent: SidCidRequest snortsrv
> Received: SidCidResponse 1 10202700
> Sensor ID: 1
> Last cid: 10202700
> Sensor Name: snortsrv
> Agent Port: 7735
> ERROR: Invalid packet length: 976577328
> Read error
> Fatal Error, Quitting..
> Exiting


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
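The recovery steps from the reply above, scripted as an added example (this is not code from the list post or from the sguil project). It assumes snort and barnyard are already stopped, takes the spool dir and an archive dir as arguments, and chooses to move the snort.log.<timet> files aside rather than delete them so the corrupt file stays available for inspection.

```shell
#!/bin/sh
# Added example, not from the list post: with snort and barnyard stopped,
# move the snort.log.<timet> files out of the spool dir (dailylogs/ is left
# untouched) and remove the waldo bookmark so barnyard starts on the next
# unified file snort creates. Archive dir name is this script's own choice.

quarantine_spool() {
    spool=$1
    archive=$2
    mkdir -p "$archive" || return 1
    moved=0
    for f in "$spool"/snort.log.*; do
        [ -f "$f" ] || continue        # the glob matched nothing
        mv "$f" "$archive"/ || return 1
        moved=$((moved + 1))
    done
    rm -f "$spool/waldo.file"          # bookmark points into the corrupt file
    echo "$moved"                      # number of spool files moved aside
}

# Usage: quarantine_spool /nsm/snortsrv /nsm/snortsrv.corrupt-$(date +%s)
# then start snort first (it creates a fresh unified file), then barnyard.
```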