[Snort-users] barnyard & log_unified problem

Devin Kowatch dkowatch at ...13852...
Wed Jun 28 16:46:08 EDT 2006


Hi,

I've had barnyard dying on me occasionally, while reading snort's
log_unified output.  

Under snort 2.4.3 Barnyard would die with an "Invalide packet length"
error.  After some investigation, it was looking like barnyard was
reading the file correctly (using od to dump the file and matching that
to what barnyard was reading).  So I figured the problem with either
that snort was corrupting the file, or there was an incompatability
between barnyard and snort.  In any event, I upgraded to snort 2.6.0 to
see if that fixed the problem.

Now under snort 2.6.0 Barnyard is dying with "FATAL ERROR: Out of memory
(wanted 4230306464 bytes)".  Using gdb this appears to be happening in
the same function that the "Invalid packet length" error message happens
in (specifically LogDpReadRecord).  In this case the cause appears to be
the same as before.  Which is to say that the caplen field of the
UnifiedLog record header is way to large [1].  

I've seen some other reports of this problem, but haven't found any
resolution to it.  I'm hoping that is just because I haven't looked in
the right places, but if not, then hopefully I can be of some help
figuring out what is going wrong.

I get the same error if I run barnyard in daemon mode using the sguil
ouput plugin, or if I run it in one shot mode using the default config
file.  All of this is running on an Intel P4 using CentOS. My snort
output configuration is:

    output alert_unified: filename snort.alert, limit 512
    output log_unified: filename snort.log, limit 512

Any help would be greatly appreciated.
Thanks,
-devink



[1] Barnyard has a sanity check which is supposed to catch excessively
large caplens.  When that sanity check fails it leads to the "Invalid
packet length" error message.  In this case the sanity check is not
failing because barnyard is converting SnortPktHeader.caplen from an
unsigned value to a signed value prior to performing the sanity check.
Because the value in this case is so large, when the sanity check is
performed, the caplen value is negative, and thus passes the sanity
check.  After that it tries to allocate a bunch of memory and fails.
The signed/unsigned thing is probably a separate bug in barnyard, but
I'm not completely sure where to report it.  Or is this the correct
forum?

-- 
Devin Kowatch
Sony Computer Entertainment of America
dkowatch at ...13852...




More information about the Snort-users mailing list