[Snort-users] Barnyard 'Invalid packet length' error

Martin Roesch roesch at ...1935...
Mon Aug 2 21:18:03 EDT 2004


What platform is this on?  x86?

You probably don't need the -X switch in there since you're logging in 
binary (unified) mode.

I looked at the hexdump you listed there, it looks like the size is 
correct in the SnortPktHeader so something else is wrong.  Any chance 
you can send a sample unified file along for me to take a look at?

      -Marty


On Jul 26, 2004, at 3:54 PM, Wolf, Brian wrote:

> I'm trying to get barnyard working with snort, but it always fails 
> with an "Invalid packet length" error.  My setup is:
>
>         RedHat Enterprise AS 3
>         snort 2.1.2
>         barnyard 0.2.0
>         mysql 12.22 Distrib 4.0.18
>
>
>
> Snort, barnyard, and mysql were all built from source and are running 
> on the same machine.  Snort can successfully log directly to MySQL if 
> I use the "output database" option.
>
>
>
>
> Snort output config:
>
> output alert_unified: filename snort.binalert, limit 128
> output log_unified: filename snort.binlog, limit 128
>
>
>
>
> Snort command line:
>
> /usr/local/snort/bin/snort -i eth0 -D -X -o -c 
> /usr/local/snort/snort.conf -l /usr/local/snort/log
>
>
>
>
> Barnyard config:
>
> config hostname: localhost
> config interface: lo
> config filter: not port 22
> output log_acid_db: mysql, database snort, server localhost, user 
> snort, password <passwd>, detail full
>
>
>
> Barnyard command line:
>
> /usr/local/snort/bin/barnyard -c /usr/local/snort/barnyard.conf \
>                               -d /usr/local/snort/log \
>                               -w /usr/local/snort/bin/waldo.chk \
>                               -f snort.binlog \
>                               -g /usr/local/snort/rules/gen-msg.map \
>                               -s /usr/local/snort/rules/sid-msg.map
>
>
>
> Run results:
>
> /usr/local/snort/bin/barnyard -c /usr/local/snort/barnyard.conf -d 
> /usr/local/snort/log -w /usr/local/snort/bin/waldo.chk -f snort.binlog 
> \
>
>       -g /usr/local/snort/rules/gen-msg.map -s 
> /usr/local/snort/rules/sid-msg.map
> Barnyard Version 0.2.0 (Build 32)
> Opened spool file '/usr/local/snort/log/snort.binlog.1090597145'
> ERROR: Invalid packet length: 299008
> Read error
> Fatal Error, Quitting..
> Exiting
> [
>
>
>
> The number listed as the invalid packet length changes from run to 
> run, suggesting that either Snort isn't writing the packet size or 
> that Barnyard isn't looking for it in the right location.
>
> Here is the beginning of the log file listed in the above run, 
> although the problem occurs with any log file.
>
>         od -x  /usr/local/snort/log/snort.binlog.1090597145
>
> 0000000 1080 dead 0001 0002 b9b0 ffff 0000 0000
> 0000020 05ea 0000 0001 0000 0001 0000 01d2 0000
> 0000040 0001 0000 0004 0000 0002 0000 0005 0000
> 0000060 0005 0000 3134 4101 3a4a 000e 0000 8000
> 0000100 3134 4101 3a4a 000e 004a 0000 004a 0000
> 0000120 0400 59dc 08da 0600 5cd7 c5e9 0008 0045
> 0000140 3c00 da8f 0000 0120 2fc1 c7a5 92fa c7a5
> 0000160 9603 0008 5d07 0003 0145 4241 4443 4645
> 0000200 4847 4a49 4c4b 4e4d 504f 5251 5453 5655
> 0000220 4157 4342 4544 4746 4948 0001 0000 01d2
> 0000240 0000 0001 0000 0104 0000 1200 0004 0600
> 0000260 0000 1b00 0000 0200 0000 2f00 0000 2f00
> 0000300 0000 4f00 0131 1d41 031d 9000 0004 4f80
> 0000320 0131 1d41 031d ee00 0000 ee00 0000 0000
> 0000340 c708 0afa 009e b302 e75f 083e 4500 0000
> 0000360 abe0 0094 3b00 8006 42a5 62a9 a51d 08c7
> 0000400 0d51 0021 a650 ae84 d90b cbdb 5087 ff18
> 0000420 daff 00ac 5000 4f52 4650 4e49 2044 732f
> 0000440 6863 6f6f 736c 4820 5454 2f50 2e31 0d31
> 0000460 440a 7065 6874 203a 0d30 740a 6172 736e
> 0000500 616c 6574 203a 0d66 550a 6573 2d72 6741
> 0000520 6e65 3a74 4d20 6369 6f72 6f73 7466 572d
>
>
>
>
>
> Any suggestions?
>
>
>
> - Brian
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
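To follow what Marty is checking in the hexdump, here is an added example (my own code, not anything from Snort, Barnyard or this thread) that decodes the quoted od -x output as a Snort 2.1 unified log: the file header, then for each record the Event, flags and pcap-style packet header, applying the same kind of caplen-versus-snaplen plausibility check that produces an "Invalid packet length" error, and scanning forward for the next header that parses cleanly. The struct layout follows spo_log_unified.h as I know it from the Snort 2.1 source; the dump words are copied from Brian's message.

```python
import struct

# Constructed input: the first 14 lines of the od -x dump quoted in the thread (x86 host-order u16 words).
OD_DUMP = """
1080 dead 0001 0002 b9b0 ffff 0000 0000
05ea 0000 0001 0000 0001 0000 01d2 0000
0001 0000 0004 0000 0002 0000 0005 0000
0005 0000 3134 4101 3a4a 000e 0000 8000
3134 4101 3a4a 000e 004a 0000 004a 0000
0400 59dc 08da 0600 5cd7 c5e9 0008 0045
3c00 da8f 0000 0120 2fc1 c7a5 92fa c7a5
9603 0008 5d07 0003 0145 4241 4443 4645
4847 4a49 4c4b 4e4d 504f 5251 5453 5655
4157 4342 4544 4746 4948 0001 0000 01d2
0000 0001 0000 0104 0000 1200 0004 0600
0000 1b00 0000 0200 0000 2f00 0000 2f00
0000 4f00 0131 1d41 031d 9000 0004 4f80
0131 1d41 031d ee00 0000 ee00 0000 0000
"""
LOG_MAGIC = 0xDEAD1080
FILE_HDR = struct.Struct("<IHHiIII")  # magic, ver_major, ver_minor, timezone, sigfigs, snaplen, linktype
RECORD = struct.Struct("<14I")        # Event (7 x u32 + ref_time sec/usec), flags, pkth (sec, usec, caplen, len)

def od_words_to_bytes(text):
    """Undo od -x: each printed word was a native little-endian u16 (word "1080" = bytes 80 10)."""
    return b"".join(struct.pack("<H", int(w, 16)) for w in text.split())

def record_ok(rec, snaplen):
    """Plausibility: caplen within snaplen and equal to len, event and packet timestamps agree."""
    return rec[12] <= snaplen and rec[12] == rec[13] and rec[7:9] == rec[10:12]

def walk_records(data):
    """Read records sequentially, as a spool reader does; stop at the first implausible one."""
    hdr = FILE_HDR.unpack_from(data, 0)
    assert hdr[0] == LOG_MAGIC, "not a unified log file"
    snaplen, off, out = hdr[5], FILE_HDR.size, []
    while off + RECORD.size <= len(data):
        rec = RECORD.unpack_from(data, off)
        out.append({"offset": off, "sid": rec[1], "caplen": rec[12], "ok": record_ok(rec, snaplen)})
        if not out[-1]["ok"]:
            break
        off += RECORD.size + rec[12]  # the next record follows the captured packet bytes
    return out

def resync(data, start, snaplen):
    """Scan byte by byte from a bad offset for the next header that passes record_ok."""
    for off in range(start, len(data) - RECORD.size + 1):
        if record_ok(RECORD.unpack_from(data, off), snaplen):
            return off
    return None
```

Run on the quoted dump, walk_records accepts the first record (sid 466, a 74-byte packet) and rejects the one a sequential reader lands on next, at offset 154, whose caplen field reads 299008, the very value in the posted error, while resync finds the next self-consistent header at offset 167.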