[Snort-users] Barnyard 'Invalid packet length' error

Wolf, Brian Brian.Wolf at ...12180...
Mon Jul 26 12:53:08 EDT 2004


I'm trying to get barnyard working with snort, but it always fails with
an "Invalid packet length" error.  My setup is:

	RedHat Enterprise AS 3
	snort 2.1.2
	barnyard 0.2.0
	mysql 12.22 Distrib 4.0.18


Snort, barnyard, and mysql were all built from source and are running on
the same machine.  Snort can successfully log directly to mySql if I use
the "output database" option.



Snort output config:

		output alert_unified: filename snort.binalert, limit 128
		output log_unified: filename snort.binlog, limit 128



Snort command line:

		/usr/local/snort/bin/snort -i eth0 -D -X -o -c /usr/local/snort/snort.conf -l /usr/local/snort/log



Barnyard config:

		config hostname: localhost
		config interface: lo
		config filter: not port 22
		output log_acid_db: mysql, database snort, server localhost, user snort, password <passwd>, detail full


Barnyard command line:

		/usr/local/snort/bin/barnyard -c /usr/local/snort/barnyard.conf \
		                              -d /usr/local/snort/log \
		                              -w /usr/local/snort/bin/waldo.chk \
		                              -f snort.binlog \
		                              -g /usr/local/snort/rules/gen-msg.map \
		                              -s /usr/local/snort/rules/sid-msg.map


Run results:

		/usr/local/snort/bin/barnyard -c /usr/local/snort/barnyard.conf -d /usr/local/snort/log -w /usr/local/snort/bin/waldo.chk -f snort.binlog \
		     -g /usr/local/snort/rules/gen-msg.map -s /usr/local/snort/rules/sid-msg.map
		Barnyard Version 0.2.0 (Build 32)
		Opened spool file '/usr/local/snort/log/snort.binlog.1090597145'
		ERROR: Invalid packet length: 299008
		Read error
		Fatal Error, Quitting..
		Exiting


The number listed as the invalid packet length changes from run to run,
suggesting that either Snort isn't writing the packet size or that
Barnyard isn't looking for it in the right location.

Here is the beginning of the log file listed in the above run, although
the problem occurs with any log file.

	od -x  /usr/local/snort/log/snort.binlog.1090597145

		0000000 1080 dead 0001 0002 b9b0 ffff 0000 0000
		0000020 05ea 0000 0001 0000 0001 0000 01d2 0000
		0000040 0001 0000 0004 0000 0002 0000 0005 0000
		0000060 0005 0000 3134 4101 3a4a 000e 0000 8000
		0000100 3134 4101 3a4a 000e 004a 0000 004a 0000
		0000120 0400 59dc 08da 0600 5cd7 c5e9 0008 0045
		0000140 3c00 da8f 0000 0120 2fc1 c7a5 92fa c7a5
		0000160 9603 0008 5d07 0003 0145 4241 4443 4645
		0000200 4847 4a49 4c4b 4e4d 504f 5251 5453 5655
		0000220 4157 4342 4544 4746 4948 0001 0000 01d2
		0000240 0000 0001 0000 0104 0000 1200 0004 0600
		0000260 0000 1b00 0000 0200 0000 2f00 0000 2f00
		0000300 0000 4f00 0131 1d41 031d 9000 0004 4f80
		0000320 0131 1d41 031d ee00 0000 ee00 0000 0000
		0000340 c708 0afa 009e b302 e75f 083e 4500 0000
		0000360 abe0 0094 3b00 8006 42a5 62a9 a51d 08c7
		0000400 0d51 0021 a650 ae84 d90b cbdb 5087 ff18
		0000420 daff 00ac 5000 4f52 4650 4e49 2044 732f
		0000440 6863 6f6f 736c 4820 5454 2f50 2e31 0d31
		0000460 440a 7065 6874 203a 0d30 740a 6172 736e
		0000500 616c 6574 203a 0d66 550a 6573 2d72 6741
		0000520 6e65 3a74 4d20 6369 6f72 6f73 7466 572d




Any suggestions?


- Brian
