[Snort-devel] Barnyard problem

Dirk Geschke dirk at ...972...
Wed Jan 17 16:16:00 EST 2007


Hi

> AFAIK, that is a bug in Snort's unified output plugin. For all
> practical purposes, the file /nsm/snortsrv//snort.log.1167545618 is
> corrupt. To recover, stop snort and barnyard. Then remove (or move)
> all the snort.log.####### files in /nsm/snortsrv (not the ones in
> /nsm/snortsrv/dailylogs/). Finally, remove your waldo.file and restart
> snort and barnyard.

yes and no. If snort is restarted it will append all alerts to 
the last unified output plugin. But all data is not written in
one process, there are several parts like header, data and
the pcap data. If snort now fails to write all packets then
it may miss one part of the write processes and barnyard will
misinterpret the next packet as part of the old one.

So for example barnyard will read the header of the next
alert as the pcap data which leads to invalid sizes.

We had similar problems with FLoP and the solution we chose
was to append marker headers to the data to be sure to read
the right part. Maybe this would be a solution for the unified
output plugin, too. But this requires changes in the output
plugin and in barnyard. Finally this would be incompatible with
the old versions...

Best regards

Dirk 