[Snort-users] barnyard & log_unified problem

Bamm Visscher bamm.visscher at ...11827...
Wed Jun 28 17:18:39 EDT 2006


I've seen multiple reports of this but never seen it myself. I cc'd
the barnyard-users list on my reply. Maybe Andrew can give us some

Maybe if someone could send a borken unified log to the snort dev team?


On 6/28/06, Devin Kowatch <dkowatch at ...13852...> wrote:
> Hi,
> I've had barnyard dying on me occasionally, while reading snort's
> log_unified output.
> Under snort 2.4.3 Barnyard would die with an "Invalide packet length"
> error.  After some investigation, it was looking like barnyard was
> reading the file correctly (using od to dump the file and matching that
> to what barnyard was reading).  So I figured the problem with either
> that snort was corrupting the file, or there was an incompatability
> between barnyard and snort.  In any event, I upgraded to snort 2.6.0 to
> see if that fixed the problem.
> Now under snort 2.6.0 Barnyard is dying with "FATAL ERROR: Out of memory
> (wanted 4230306464 bytes)".  Using gdb this appears to be happening in
> the same function that the "Invalid packet length" error message happens
> in (specifically LogDpReadRecord).  In this case the cause appears to be
> the same as before.  Which is to say that the caplen field of the
> UnifiedLog record header is way to large [1].
> I've seen some other reports of this problem, but haven't found any
> resolution to it.  I'm hoping that is just because I haven't looked in
> the right places, but if not, then hopefully I can be of some help
> figuring out what is going wrong.
> I get the same error if I run barnyard in daemon mode using the sguil
> ouput plugin, or if I run it in one shot mode using the default config
> file.  All of this is running on an Intel P4 using CentOS. My snort
> output configuration is:
>     output alert_unified: filename snort.alert, limit 512
>     output log_unified: filename snort.log, limit 512
> Any help would be greatly appreciated.
> Thanks,
> -devink
> [1] Barnyard has a sanity check which is supposed to catch excessively
> large caplens.  When that sanity check fails it leads to the "Invalid
> packet length" error message.  In this case the sanity check is not
> failing because barnyard is converting SnortPktHeader.caplen from an
> unsigned value to a signed value prior to performing the sanity check.
> Because the value in this case is so large, when the sanity check is
> performed, the caplen value is negative, and thus passes the sanity
> check.  After that it tries to allocate a bunch of memory and fails.
> The signed/unsigned thing is probably a separate bug in barnyard, but
> I'm not completely sure where to report it.  Or is this the correct
> forum?
> --
> Devin Kowatch
> Sony Computer Entertainment of America
> dkowatch at ...13852...
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

sguil - The Analyst Console for NSM

More information about the Snort-users mailing list