[Snort-users] Barnyard 0.2.0 (build 32) dumps core and wont compile with --enable-debug

Jason security at ...5028...
Thu Nov 1 12:32:07 EDT 2007


See my other post...

"FYI:

I've added preliminary support for unified2 to SnortUnified.pm

http://www.snort.org/users/jbrvenik/Site/Blog/Entries/2007/10/21_Merry_Christmas_(or_whatever_you_like).html

short version

http://tinyurl.com/24v8xs

Pull trunk from SVN and have a go. I would be really appreciative of
feedback."

and as to what unified2 does...

It actually unifies output :)

There is one file for all data types produced.

Currently the source defines the following.

#define UNIFIED2_EVENT 1
#define UNIFIED2_PACKET 2
#define UNIFIED2_IDS_EVENT 7
#define UNIFIED2_EVENT_EXTENDED 66
#define UNIFIED2_PERFORMANCE 67
#define UNIFIED2_PORTSCAN 68
#define UNIFIED2_IDS_EVENT_IPV6 72



Though I've only implemented handling for packets and (ids)events at the
moment.

Rob Sharp wrote:
> That brings me to a relevant question.  What is the point of unified2
> (aside from feature enhancements) if barnyard is orphaned?
> 
> I am confused about barnyard's future because the official snort
> training still uses this but it's unmaintained and things like gid
> support with mysql are broken unless you add on a 3rd party patch.
> 
> Is there some other application to take over barnyard's function or is
> the unified2 format for the commercial sourcefire products?
> 
> On 10/31/07, Russell Fulton <r.fulton at ...3809...> wrote:
>> My understanding is that barnyard is basically orphaned and
>> unmaintained.  I asked about 2.8 support a while back and was told that
>> there were no plans to update barnyard.
>>
>> Russell
>>
>> Andreas Maus wrote:
>>> Hi .*!
>>>
>>> So I sent this message to the barnyard-users mailing list but
>>> it seems that this list is dead. :/
>>>
>>> Because this is (somehow) related to snort I will resend the message
>>> to this list ...
>>>
>>> I've tried to run barnyard 0.2.0 (build 32) to process the
>>> unified alert files generated by snort 2.8.0 but unfortunately
>>> it dumps core. e.g.:
>>>
>>> debian3164m:/var/log/snort#
>>> Barnyard Version 0.2.0 (Build 32)
>>> Segmentation fault (core dumped)
>>>
>>> This happens on:
>>>
>>> debian3164m:~# cat /etc/debian_version
>>> 4.0
>>> debian3164m:~# uname -a
>>> Linux debian3164m 2.6.8-12-amd64-k8-smp #1 SMP Thu Dec 7 18:44:52 UTC 2006 x86_64 GNU/Linux
>>> with snort:
>>>
>>> debian3164m:~# snort -V
>>>
>>>    ,,_     -*> Snort! <*-
>>>   o"  )~   Version 2.8.0 (Build 67) inline
>>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
>>>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
>>>            Using PCRE version: 6.7 04-Jul-2006
>>>
>>> Running barnyard in the dry-run mode it says:
>>>
>>> debian3164m:~# barnyard  -c /etc/snort/barnyard.conf  -d /var/log/snort -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -R -o snort.alert.1193349572
>>> Barnyard Version 0.2.0 (Build 32)
>>> Program Variables:
>>>   Batch processing mode
>>>   Config dir:    /etc/snort
>>>   Config file:   /etc/snort/barnyard.conf
>>>   Sid-msg file:  /etc/snort/sid-msg.map
>>>   Gen-msg file:  /etc/snort/gen-msg.map
>>>   Class file:    /etc/snort/classification.config
>>>   Hostname:      ypbind.de
>>>   Interface:     eth0
>>>   BPF Filter:
>>>   Log dir:       /root
>>>   Verbosity:     0
>>>   Localtime:     0
>>>   File list:
>>>     /var/log/snort/snort.alert.1193349572
>>> Output plugins enabled for 'alert' records
>>> -------------------------------------------------------
>>> OpAlertFast configured
>>>   Filename: fast.alert
>>> =======================================================
>>> Output plugins enabled for 'log' records
>>> -------------------------------------------------------
>>> OpLogDump configured
>>>   Filename: dump.log
>>> OpLogPcap configured
>>>   Filename: barnyard.pcap
>>> =======================================================
>>> Output plugins enabled for 'stream_stat' records
>>> -------------------------------------------------------
>>> None configured
>>> =======================================================
>>>
>>> So I tried to recompile with --enable-debug but this doesn't even compile:
>>>
>>> gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src -I/usr/include/pcap    -g -O2 -Wall -DDEBUG -ggdb -c dp_stream_stat.c
>>> dp_stream_stat.c: In function 'StreamStatDpReadFileHeader':
>>> dp_stream_stat.c:104: warning: format '%d' expects type 'int', but argument 4 has type 'ssize_t'
>>> dp_stream_stat.c:104: warning: format '%d' expects type 'int', but argument 5 has type 'long unsigned int'
>>> dp_stream_stat.c:112: error: 'StreamStatFileHeader' has no member named 'magic'
>>> make[3]: *** [dp_stream_stat.o] Error 1
>>> make[3]: Leaving directory `/home/maus/tmp/barnyard-0.2.0/src/input-plugins'
>>> make[2]: *** [all-recursive] Error 1
>>> make[2]: Leaving directory `/home/maus/tmp/barnyard-0.2.0/src'
>>> make[1]: *** [all-recursive] Error 1
>>> make[1]: Leaving directory `/home/maus/tmp/barnyard-0.2.0'
>>> make: *** [all-recursive-am] Error 2
>>>
>>> It will compile if I comment the offending line in dp_stream_stat.c:112:
>>> 112: printf(" Magic          = 0x%X\n", file_header.magic);
>>>
>>> but does that help if I compile it like this and submit the backtrace of the
>>> generated core file ?
>>>
>>> Any help?
>>>
>>> So long,
>>>
>>> Andreas.
>>>
>>> P.S.: I attached my barnyard.conf to this message.
>>>
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
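The message above lists the unified2 record type IDs and says that one file carries every record type, with only packets and IDS events decoded so far. As an added illustration of what a reader of that file has to do (this is not SnortUnified.pm, barnyard or Snort code), the Python below walks a unified2 stream record by record, dispatches on the type IDs quoted above, decodes IDS events and packets, counts and skips the other known types, and flags unknown ones. It assumes the standard unified2 framing (an 8-byte header of two network-order uint32 fields, type and length, where length covers only the body) and the IDS-event and packet body layouts; the field names, the sample records and the `process` / `iter_records` helpers are ours.

```python
import struct
from collections import Counter

# Record type IDs exactly as the post quotes them from the Snort source.
UNIFIED2_EVENT = 1
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_EVENT_EXTENDED = 66
UNIFIED2_PERFORMANCE = 67
UNIFIED2_PORTSCAN = 68
UNIFIED2_IDS_EVENT_IPV6 = 72

TYPE_NAMES = {
    UNIFIED2_EVENT: "EVENT",
    UNIFIED2_PACKET: "PACKET",
    UNIFIED2_IDS_EVENT: "IDS_EVENT",
    UNIFIED2_EVENT_EXTENDED: "EVENT_EXTENDED",
    UNIFIED2_PERFORMANCE: "PERFORMANCE",
    UNIFIED2_PORTSCAN: "PORTSCAN",
    UNIFIED2_IDS_EVENT_IPV6: "IDS_EVENT_IPV6",
}

# Assumed framing (standard unified2, not spelled out in the thread): every
# record starts with two network-order uint32s, type and body length.
RECORD_HEADER = struct.Struct("!II")

# Assumed body layouts (unified2 IDS event and packet record); field names are
# ours and chosen for readability, not taken from any project header.
IDS_EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                    "signature_id", "generator_id", "signature_revision",
                    "classification_id", "priority_id", "ip_source",
                    "ip_destination", "sport_itype", "dport_icode", "protocol",
                    "impact_flag", "impact", "blocked")
IDS_EVENT = struct.Struct("!11I2H4B")          # 52 bytes
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")
PACKET_HEADER = struct.Struct("!7I")           # 28 bytes, then packet bytes


def iter_records(data):
    """Yield (record_type, body) for each framed record; raise on truncation."""
    offset = 0
    while offset < len(data):
        if offset + RECORD_HEADER.size > len(data):
            raise ValueError(f"truncated record header at offset {offset}")
        rtype, length = RECORD_HEADER.unpack_from(data, offset)
        start = offset + RECORD_HEADER.size
        end = start + length
        if end > len(data):
            raise ValueError(f"truncated body for type {rtype} at offset {offset}: "
                             f"need {length} bytes, have {len(data) - start}")
        yield rtype, data[start:end]
        offset = end


def parse_ids_event(body):
    """Decode the fixed-size IDS event body into a dict."""
    if len(body) < IDS_EVENT.size:
        raise ValueError("IDS event body too short")
    return dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack_from(body)))


def parse_packet(body):
    """Decode a packet record; the header's packet_length must match the tail."""
    if len(body) < PACKET_HEADER.size:
        raise ValueError("packet body too short")
    rec = dict(zip(PACKET_FIELDS, PACKET_HEADER.unpack_from(body)))
    payload = body[PACKET_HEADER.size:]
    if len(payload) != rec["packet_length"]:
        raise ValueError("packet_length does not match record body")
    rec["data"] = payload
    return rec


def process(data):
    """Dispatch on type: decode IDS events and packets, count and skip the other
    known types, and report any type ID the reader does not know about."""
    events, packets, unknown, counts = [], [], [], Counter()
    for rtype, body in iter_records(data):
        counts[TYPE_NAMES.get(rtype, f"UNKNOWN({rtype})")] += 1
        if rtype == UNIFIED2_IDS_EVENT:
            events.append(parse_ids_event(body))
        elif rtype == UNIFIED2_PACKET:
            packets.append(parse_packet(body))
        elif rtype not in TYPE_NAMES:
            unknown.append(rtype)
    return {"events": events, "packets": packets, "counts": counts, "unknown": unknown}


def build_record(rtype, body):
    """Frame a body as a unified2 record (used only to construct the sample)."""
    return RECORD_HEADER.pack(rtype, len(body)) + body


# Constructed sample stream: one IDS event (gid 1, sid 2003, rev 5), the packet
# that triggered it, and a performance record the reader only counts.
SAMPLE_EVENT = IDS_EVENT.pack(1, 42, 1193349572, 0, 2003, 1, 5, 3, 2,
                              0x0A000001, 0x0A000002, 4444, 80, 6, 0, 0, 0)
SAMPLE_PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"
SAMPLE_PACKET = PACKET_HEADER.pack(1, 42, 1193349572, 1193349572, 0, 1,
                                   len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD
SAMPLE_STREAM = (build_record(UNIFIED2_IDS_EVENT, SAMPLE_EVENT)
                 + build_record(UNIFIED2_PACKET, SAMPLE_PACKET)
                 + build_record(UNIFIED2_PERFORMANCE, b"\x00" * 8))

if __name__ == "__main__":
    result = process(SAMPLE_STREAM)
    for ev in result["events"]:
        print(f"gid {ev['generator_id']} sid {ev['signature_id']} "
              f"rev {ev['signature_revision']}")
    print(dict(result["counts"]), "unknown:", result["unknown"])
```

Because every record type shares the type/length framing, a reader can skip types it cannot decode instead of crashing on them, which is the property that lets one file hold all record types; the truncation checks matter because a file Snort is still writing will usually end mid-record.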



