[Snort-users] Barnyard 0.2.0 (build 32) dumps core and wont compile with --enable-debug

Rob Sharp robertsharp at ...11827...
Thu Nov 1 09:15:56 EDT 2007


That brings me to a relevant question. What is the point of unified2
(aside from feature enhancements) if barnyard is orphaned?

I am confused about barnyard's future because the official snort
training still uses it, but it's unmaintained and things like gid
support with mysql are broken unless you add on a third-party patch.

Is there some other application to take over barnyard's function, or is
the unified2 format for the commercial Sourcefire products?

On 10/31/07, Russell Fulton <r.fulton at ...3809...> wrote:
> My understanding is that barnyard is basically orphaned and
> unmaintained.  I asked about 2.8 support a while back and was told that
> there were no plans to update barnyard.
>
> Russell
>
> Andreas Maus wrote:
> > Hi .*!
> >
> > So I sent this message to the barnyard-users mailing list but
> > it seems that this list is dead. :/
> >
> > Because this is (somehow) related to snort I will resend the message
> > to this list ...
> >
> > I've tried to run barnyard 0.2.0 (build 32) to process the
> > unified alert files generated by snort 2.8.0 but unfortunately
> > it dumps core. e.g.:
> >
> > debian3164m:/var/log/snort#
> > Barnyard Version 0.2.0 (Build 32)
> > Segmentation fault (core dumped)
> >
> > This happens on:
> >
> > debian3164m:~# cat /etc/debian_version
> > 4.0
> > debian3164m:~# uname -a
> > Linux debian3164m 2.6.8-12-amd64-k8-smp #1 SMP Thu Dec 7 18:44:52 UTC 2006 x86_64 GNU/Linux
> >
> > with snort:
> >
> > debian3164m:~# snort -V
> >
> >    ,,_     -*> Snort! <*-
> >   o"  )~   Version 2.8.0 (Build 67) inline
> >    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
> >            (C) Copyright 1998-2007 Sourcefire Inc., et al.
> >            Using PCRE version: 6.7 04-Jul-2006
> >
> > Running barnyard in the dry-run mode it says:
> >
> > debian3164m:~# barnyard  -c /etc/snort/barnyard.conf  -d /var/log/snort -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -R -o snort.alert.1193349572
> > Barnyard Version 0.2.0 (Build 32)
> > Program Variables:
> >   Batch processing mode
> >   Config dir:    /etc/snort
> >   Config file:   /etc/snort/barnyard.conf
> >   Sid-msg file:  /etc/snort/sid-msg.map
> >   Gen-msg file:  /etc/snort/gen-msg.map
> >   Class file:    /etc/snort/classification.config
> >   Hostname:      ypbind.de
> >   Interface:     eth0
> >   BPF Filter:
> >   Log dir:       /root
> >   Verbosity:     0
> >   Localtime:     0
> >   File list:
> >     /var/log/snort/snort.alert.1193349572
> > Output plugins enabled for 'alert' records
> > -------------------------------------------------------
> > OpAlertFast configured
> >   Filename: fast.alert
> > =======================================================
> > Output plugins enabled for 'log' records
> > -------------------------------------------------------
> > OpLogDump configured
> >   Filename: dump.log
> > OpLogPcap configured
> >   Filename: barnyard.pcap
> > =======================================================
> > Output plugins enabled for 'stream_stat' records
> > -------------------------------------------------------
> > None configured
> > =======================================================
> >
> > So I tried to recompile with --enable-debug but this doesn't even compile:
> >
> > gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src -I/usr/include/pcap    -g -O2 -Wall -DDEBUG -ggdb -c dp_stream_stat.c
> > dp_stream_stat.c: In function 'StreamStatDpReadFileHeader':
> > dp_stream_stat.c:104: warning: format '%d' expects type 'int', but argument 4 has type 'ssize_t'
> > dp_stream_stat.c:104: warning: format '%d' expects type 'int', but argument 5 has type 'long unsigned int'
> > dp_stream_stat.c:112: error: 'StreamStatFileHeader' has no member named 'magic'
> > make[3]: *** [dp_stream_stat.o] Error 1
> > make[3]: Leaving directory `/home/maus/tmp/barnyard-0.2.0/src/input-plugins'
> > make[2]: *** [all-recursive] Error 1
> > make[2]: Leaving directory `/home/maus/tmp/barnyard-0.2.0/src'
> > make[1]: *** [all-recursive] Error 1
> > make[1]: Leaving directory `/home/maus/tmp/barnyard-0.2.0'
> > make: *** [all-recursive-am] Error 2
> >
> > It will compile if I comment out the offending line in dp_stream_stat.c:112:
> > 112: printf(" Magic          = 0x%X\n", file_header.magic);
> >
> > but does that help if I compile it like this and submit the backtrace of the
> > generated core file?
> >
> > Any help?
> >
> > So long,
> >
> > Andreas.
> >
> > P.S.: I attached my barnyard.conf to this message.
> >


-- 
Robert Sharp
robertsharp at ...11827...
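The compiler output Andreas quotes above shows two separate things in barnyard's debug-print code: `%d` applied to `ssize_t` and `size_t` arguments (undefined behaviour, and on his LP64 x86_64 box those are 64-bit values that an `int` conversion would truncate), and a `printf` of a `magic` member the `StreamStatFileHeader` struct does not have. What follows is an added example for readers of this thread, not barnyard's code: a stand-in file-header reader with a hypothetical struct (the layout, the `EXAMPLE_MAGIC` value, and every function name here are assumptions), using `%zd`/`%zu` for the byte counts, checking for a short read before trusting the header, and feeding constructed bytes through a pipe so it runs on its own.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for a stream_stat file header. This layout is an
 * assumption made for the example: barnyard's real StreamStatFileHeader
 * has no 'magic' member, which is exactly what gcc reported in the thread. */
typedef struct {
    uint32_t magic;
    uint32_t version;
    uint32_t record_size;
} example_file_header_t;

/* Constructed magic value for this example only. */
#define EXAMPLE_MAGIC 0x5354415Au

/* Return codes of read_file_header(). */
enum {
    HDR_OK = 0,
    HDR_SHORT_READ = -1,
    HDR_BAD_MAGIC = -2,
    HDR_IO_ERROR = -3
};

/* Read exactly one header from fd and validate it. The diagnostics use
 * %zd for ssize_t and %zu for size_t; passing those types to %d (as the
 * quoted warnings show) is undefined behaviour, and on LP64 x86_64 the
 * values really are wider than the int that printf would read. */
int read_file_header(int fd, example_file_header_t *hdr)
{
    ssize_t n = read(fd, hdr, sizeof *hdr);
    if (n < 0) {
        fprintf(stderr, "read failed: %s\n", strerror(errno));
        return HDR_IO_ERROR;
    }
    if ((size_t)n != sizeof *hdr) {
        fprintf(stderr, "short read: got %zd bytes, expected %zu\n",
                n, sizeof *hdr);
        return HDR_SHORT_READ;
    }
    if (hdr->magic != EXAMPLE_MAGIC) {
        fprintf(stderr, "bad magic 0x%08" PRIX32 " (expected 0x%08" PRIX32 ")\n",
                hdr->magic, (uint32_t)EXAMPLE_MAGIC);
        return HDR_BAD_MAGIC;
    }
    printf(" Magic          = 0x%08" PRIX32 "\n", hdr->magic);
    printf(" Version        = %" PRIu32 "\n", hdr->version);
    printf(" Record size    = %" PRIu32 "\n", hdr->record_size);
    return HDR_OK;
}

/* Feed constructed bytes through a pipe so read_file_header() sees a real
 * descriptor without needing a file on disk. */
int read_header_from_bytes(const unsigned char *bytes, size_t len,
                           example_file_header_t *hdr)
{
    int fds[2];
    if (pipe(fds) != 0)
        return HDR_IO_ERROR;
    ssize_t written = write(fds[1], bytes, len);
    close(fds[1]);  /* close the writer so a short input reads as EOF */
    if (written < 0 || (size_t)written != len) {
        close(fds[0]);
        return HDR_IO_ERROR;
    }
    int rc = read_file_header(fds[0], hdr);
    close(fds[0]);
    return rc;
}

/* Build a constructed header with the given magic and present only the
 * first 'len' bytes of it to the reader; returns the reader's result. */
int run_scenario(uint32_t magic, size_t len)
{
    example_file_header_t in = { magic, 1, 64 };
    unsigned char buf[sizeof in];
    example_file_header_t out;
    if (len > sizeof buf)
        len = sizeof buf;
    memcpy(buf, &in, sizeof in);
    return read_header_from_bytes(buf, len, &out);
}

int main(void)
{
    printf("full header:      rc=%d\n", run_scenario(EXAMPLE_MAGIC, sizeof(example_file_header_t)));
    printf("truncated header: rc=%d\n", run_scenario(EXAMPLE_MAGIC, 5));
    printf("wrong magic:      rc=%d\n", run_scenario(0x12345678u, sizeof(example_file_header_t)));
    return 0;
}
```

Compiling with `-Wall -Wformat` as in the quoted build line is the cheap check here: with the `%z` conversions gcc is silent, and the short-read branch is what keeps a truncated or rotated unified file from being parsed as if it were complete.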



