[Snort-users] barnyard & log_unified problem
bamm.visscher at ...11827...
Wed Jun 28 17:18:39 EDT 2006
I've seen multiple reports of this but never seen it myself. I cc'd
the barnyard-users list on my reply. Maybe Andrew can give us some
Maybe if someone could send a broken unified log to the snort dev team?
On 6/28/06, Devin Kowatch <dkowatch at ...13852...> wrote:
> I've had barnyard dying on me occasionally, while reading snort's
> log_unified output.
> Under snort 2.4.3 Barnyard would die with an "Invalid packet length"
> error. After some investigation, it was looking like barnyard was
> reading the file correctly (using od to dump the file and matching that
> to what barnyard was reading). So I figured the problem was either
> that snort was corrupting the file, or there was an incompatibility
> between barnyard and snort. In any event, I upgraded to snort 2.6.0 to
> see if that fixed the problem.
> Now under snort 2.6.0 Barnyard is dying with "FATAL ERROR: Out of memory
> (wanted 4230306464 bytes)". Using gdb this appears to be happening in
> the same function that the "Invalid packet length" error message happens
> in (specifically LogDpReadRecord). In this case the cause appears to be
> the same as before. Which is to say that the caplen field of the
> UnifiedLog record header is way too large.
> I've seen some other reports of this problem, but haven't found any
> resolution to it. I'm hoping that is just because I haven't looked in
> the right places, but if not, then hopefully I can be of some help
> figuring out what is going wrong.
> I get the same error if I run barnyard in daemon mode using the sguil
> output plugin, or if I run it in one shot mode using the default config
> file. All of this is running on an Intel P4 using CentOS. My snort
> output configuration is:
> output alert_unified: filename snort.alert, limit 512
> output log_unified: filename snort.log, limit 512
> Any help would be greatly appreciated.
>  Barnyard has a sanity check which is supposed to catch excessively
> large caplens. When that sanity check fails it leads to the "Invalid
> packet length" error message. In this case the sanity check is not
> failing because barnyard is converting SnortPktHeader.caplen from an
> unsigned value to a signed value prior to performing the sanity check.
> Because the value in this case is so large, when the sanity check is
> performed, the caplen value is negative, and thus passes the sanity
> check. After that it tries to allocate a bunch of memory and fails.
> The signed/unsigned thing is probably a separate bug in barnyard, but
> I'm not completely sure where to report it. Or is this the correct
> Devin Kowatch
> Sony Computer Entertainment of America
> dkowatch at ...13852...
sguil - The Analyst Console for NSM
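The signed/unsigned problem Devin describes can be reproduced in a few lines of C. The example below is added here and is not barnyard's or snort's code; the header layout, field names and the 65535 upper bound are assumptions for illustration only. It decodes a constructed record whose caplen is the value from the post (4230306464, which is 0xFC255AA0), shows that a check done after casting to a signed int lets it through (as int it is -64660832), shows that the same value converted back to size_t on a 32-bit host is 4230306464 again, which is exactly the "wanted 4230306464 bytes" in the out-of-memory message, and then reads the record with the comparison done in the unsigned domain so the bad caplen is rejected before any allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative stand-in for the per-packet header that precedes each packet
 * in a log_unified record. Field names and layout are assumptions for this
 * example, not barnyard's or snort's real definitions. Values are stored
 * little-endian, as on the x86 sensor in the post. */
typedef struct {
    uint32_t ts_sec;
    uint32_t ts_usec;
    uint32_t caplen;   /* bytes captured for this packet */
    uint32_t pktlen;   /* bytes seen on the wire */
} pkt_header_t;

#define HDR_LEN 16U
/* Upper bound a reader will accept for caplen (assumed; barnyard's own
 * limit may differ). */
#define MAX_CAPLEN 65535U
/* The caplen from the post: 4230306464 == 0xFC255AA0. */
#define POSTED_CAPLEN 4230306464U

static uint32_t rd_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Decode a header; 0 on success, -1 if fewer than HDR_LEN bytes remain. */
int parse_pkt_header(const unsigned char *buf, size_t len, pkt_header_t *h) {
    if (len < HDR_LEN) return -1;
    h->ts_sec  = rd_le32(buf);
    h->ts_usec = rd_le32(buf + 4);
    h->caplen  = rd_le32(buf + 8);
    h->pktlen  = rd_le32(buf + 12);
    return 0;
}

/* The check as the post describes it: caplen is copied into a signed int
 * first. Any value >= 2^31 becomes negative (implementation-defined, but
 * wraps on gcc/x86), so the "too large" comparison never fires. */
int caplen_sane_buggy(uint32_t caplen) {
    int len = (int)caplen;           /* 4230306464 -> -64660832 */
    return len <= (int)MAX_CAPLEN;   /* -64660832 <= 65535: passes */
}

/* Corrected check: compare in the unsigned domain the field lives in. */
int caplen_sane_fixed(uint32_t caplen) {
    return caplen <= MAX_CAPLEN;
}

/* Size the allocator is asked for once the buggy check has passed: the
 * negative int converts to size_t and its low 32 bits are the original
 * value again. On the 32-bit host in the post that is the whole size_t,
 * hence "Out of memory (wanted 4230306464 bytes)". */
uint32_t bytes_requested_after_buggy_check(uint32_t caplen) {
    int len = (int)caplen;
    return (uint32_t)(size_t)len;
}

/* Read one packet with the fixed check. Returns caplen on success and a
 * malloc'd copy of the packet in *pkt (caller frees); -1 short header,
 * -2 caplen fails the sanity check, -3 body truncated, -4 allocation failed. */
long read_record_fixed(const unsigned char *buf, size_t len, unsigned char **pkt) {
    pkt_header_t h;
    *pkt = NULL;
    if (parse_pkt_header(buf, len, &h) != 0) return -1;
    if (!caplen_sane_fixed(h.caplen)) return -2;
    if (len - HDR_LEN < h.caplen) return -3;
    *pkt = malloc(h.caplen ? h.caplen : 1);
    if (*pkt == NULL) return -4;
    memcpy(*pkt, buf + HDR_LEN, h.caplen);
    return (long)h.caplen;
}

/* Constructed record: a header with the given caplen followed by 4 body
 * bytes, pushed through read_record_fixed. Returns its status code. */
long sample_record_status(uint32_t caplen) {
    unsigned char rec[HDR_LEN + 4] = { 0 };
    unsigned char *pkt = NULL;
    long rc;
    wr_le32(rec + 8, caplen);
    wr_le32(rec + 12, caplen);
    rc = read_record_fixed(rec, sizeof rec, &pkt);
    free(pkt);
    return rc;
}

int main(void) {
    printf("buggy check on %u: %s\n", POSTED_CAPLEN,
           caplen_sane_buggy(POSTED_CAPLEN) ? "passes" : "rejects");
    printf("fixed check on %u: %s\n", POSTED_CAPLEN,
           caplen_sane_fixed(POSTED_CAPLEN) ? "passes" : "rejects");
    printf("bytes requested after buggy check: %u\n",
           bytes_requested_after_buggy_check(POSTED_CAPLEN));
    printf("fixed reader status for posted caplen: %ld\n",
           sample_record_status(POSTED_CAPLEN));
    return 0;
}
```

Two things worth noting when applying this to a real reader: the bound check must happen before the allocation and before any seek that trusts caplen, and it should also be checked against the bytes actually remaining in the file (the -3 case above), since a caplen that is small enough to allocate can still run past the end of a log snort has not finished writing. The size_t arithmetic in bytes_requested_after_buggy_check is shown for the 32-bit host in the post; on a 64-bit build the same negative int would produce a far larger request, but the low 32 bits still match the posted number.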