[Snort-users] Barnyard 0.2.0 (build 32) dumps core and wont compile with --enable-debug

Andreas Maus maus at ...13999...
Tue Oct 30 08:43:27 EDT 2007


Hi .*!

So I sent this message to the barnyard-users mailing list, but
it seems that this list is dead. :/

Because this is (somehow) related to snort, I will resend the message
to this list ...

I've tried to run barnyard 0.2.0 (build 32) to process the
unified alert files generated by snort 2.8.0, but unfortunately
it dumps core, e.g.:

debian3164m:/var/log/snort#
Barnyard Version 0.2.0 (Build 32)
Segmentation fault (core dumped)

This happens on:

debian3164m:~# cat /etc/debian_version
4.0
debian3164m:~# uname -a
Linux debian3164m 2.6.8-12-amd64-k8-smp #1 SMP Thu Dec 7 18:44:52 UTC 2006 x86_64 GNU/Linux

with snort:

debian3164m:~# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.0 (Build 67) inline
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.
           Using PCRE version: 6.7 04-Jul-2006

Running barnyard in the dry-run mode it says:

debian3164m:~# barnyard  -c /etc/snort/barnyard.conf  -d /var/log/snort -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -R -o snort.alert.1193349572
Barnyard Version 0.2.0 (Build 32)
Program Variables:
  Batch processing mode
  Config dir:    /etc/snort
  Config file:   /etc/snort/barnyard.conf
  Sid-msg file:  /etc/snort/sid-msg.map
  Gen-msg file:  /etc/snort/gen-msg.map
  Class file:    /etc/snort/classification.config
  Hostname:      ypbind.de
  Interface:     eth0
  BPF Filter:
  Log dir:       /root
  Verbosity:     0
  Localtime:     0
  File list:
    /var/log/snort/snort.alert.1193349572
Output plugins enabled for 'alert' records
-------------------------------------------------------
OpAlertFast configured
  Filename: fast.alert
=======================================================
Output plugins enabled for 'log' records
-------------------------------------------------------
OpLogDump configured
  Filename: dump.log
OpLogPcap configured
  Filename: barnyard.pcap
=======================================================
Output plugins enabled for 'stream_stat' records
-------------------------------------------------------
None configured
=======================================================

So I tried to recompile with --enable-debug but this doesn't even compile:

gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src -I/usr/include/pcap    -g -O2 -Wall -DDEBUG -ggdb -c dp_stream_stat.c
dp_stream_stat.c: In function 'StreamStatDpReadFileHeader':
dp_stream_stat.c:104: warning: format '%d' expects type 'int', but argument 4 has type 'ssize_t'
dp_stream_stat.c:104: warning: format '%d' expects type 'int', but argument 5 has type 'long unsigned int'
dp_stream_stat.c:112: error: 'StreamStatFileHeader' has no member named 'magic'
make[3]: *** [dp_stream_stat.o] Error 1
make[3]: Leaving directory `/home/maus/tmp/barnyard-0.2.0/src/input-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/maus/tmp/barnyard-0.2.0/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/maus/tmp/barnyard-0.2.0'
make: *** [all-recursive-am] Error 2

It will compile if I comment out the offending line in dp_stream_stat.c:112:
112: printf(" Magic          = 0x%X\n", file_header.magic);

but does that help if I compile it like this and submit the backtrace of the
generated core file?

Any help?

So long,

Andreas.

P.S.: I attached my barnyard.conf to this message.

-- 
"Things that try to look like things often do
 look more like things than things. Well-known fact."
Granny Weatherwax - "Wyrd sisters"
#-------------------------------------------------------------
#   http://www.snort.org    Barnyard 0.1.0 configuration file
#          Contact: snort-barnyard at lists.sourceforge.net
#-------------------------------------------------------------
# $Id: barnyard.conf,v 1.9 2004/05/01 16:43:29 andrewbaker Exp $
########################################################
# Currently you want to do two things in here: turn on 
# available data processors and turn on output plugins.
# The data processors (dp's) and output plugin's (op's)
# automatically associate with each other by type and
# are automatically selected at run time depending on 
# the type of file you try to load.
########################################################

# Step 1: configuration declarations
# To keep from having a commandline that uses every letter in the alphabet
# most configuration options are set here

# enable daemon mode
# config daemon

# use localtime instead of UTC (*not* recommended because of timewarps)
#config localtime

# set the hostname (currently only used for the acid db output plugin)
config hostname: ypbind.de

# set the interface name (currently only used for the acid db output plugin)
config interface: eth0

# set the filter (currently only used for the acid db output plugin)
config filter: 

# Step 2: setup the output plugins

# alert_fast
#-----------------------------
# Converts data from the dp_alert plugin into an approximation of Snort's 
# "fast alert" mode.  Argument: <filename>

output alert_fast

# log_dump
#-----------------------------
# Converts data from the dp_log plugin into an approximation of Snort's 
# "ASCII packet dump" mode.  Argument: <filename>

output log_dump

# alert_csv (experimental)
#---------------------------
# Creates a CSV output file of alerts (optionally using a user specified format)
# Arguments:  filepath [format]
#
# The format is a comma-separated list of fields to output (no spaces allowed)
# The available fields are:
#   sig_gen         - signature generator
#   sig_id          - signature id
#   sig_rev         - signature revision
#   sid             - SID triplet
#   class           - class id
#   classname       - textual name of class
#   priority        - priority id
#   event_id        - event id
#   event_reference - event reference
#   ref_tv_sec      - reference seconds
#   ref_tv_usec     - reference microseconds
#   tv_sec          - event seconds
#   tv_usec         - event microseconds
#   timestamp       - prettified timestamp (2001-01-01 01:02:03) in UTC
#   src             - src address as a u_int32_t
#   srcip           - src address as a dotted quad
#   dst             - dst address as a u_int32_t
#   dstip           - dst address as a dotted quad
#   sport_itype     - source port or ICMP type (or 0)
#   sport           - source port (if UDP or TCP)
#   itype           - ICMP type (if ICMP)
#   dport_icode     - dest port or ICMP code (or 0)
#   dport           - dest port
#   icode           - ICMP code (if ICMP)
#   proto           - protocol number
#   protoname       - protocol name
#   flags           - flags from UnifiedAlertRecord
#   msg             - message text
#   hostname        - hostname (from barnyard.conf)
#   interface       - interface (from barnyard.conf)
#
# Examples:
#   output alert_csv: /var/log/snort/csv.out
#   output alert_csv: /var/log/snort/csv.out  timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode
#   output alert_csv: csv.out  timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode


# alert_syslog
#-----------------------------
# Converts data from the alert stream into an approximation of Snort's 
# syslog alert output plugin.  Same arguments as the output plugin in snort.

#output alert_syslog

# alert_syslog2
#-------------------------------
# Generates a syslog alert.  This supports considerably more features than
# the original syslog output plugin.
# 
#output alert_syslog2  LOG_AUTH LOG_ALERT

# log_pcap
#-----------------------------
# Converts data from the dp_log plugin into standard pcap format 
# Argument: <filename>

output log_pcap

# acid_db
#-------------------------------
# Available as both a log and alert output plugin.  Used to output data into
# the db schema used by ACID
# Arguments: 
#      $db_flavor           - what flavor of database (ie, mysql)
#      sensor_id $sensor_id - integer sensor id to insert data as
#      database $database   - name of the database
#      server $server       - server the database is located on
#      user $user           - username to connect to the database as
#      password $password   - password for database authentication
# output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root
# output log_acid_db: mysql, database snort, server localhost, user root, detail full
# sguil
#----
# This output plug-in is used to generate output for use with the SGUIL user
# interface.  To learn more about SGUIL, go to http://sguil.sourceforge.net
#
#output sguil: mysql, sensor_id 0, database sguildb, server syn, user root,\
#    password dbpasswd, sguild_host syn, sguild_port 7736

