[Snort-users] Barnyard 0.2.0 (build 32) dumps core and wont compile with --enable-debug

Russell Fulton r.fulton at ...3809...
Wed Oct 31 21:08:38 EDT 2007 

My understanding is that barnyard is basically orphaned and
unmaintained.  I asked about 2.8 support a while back and was told that
there was no plans to update barnyard.

Russell

Andreas Maus wrote:
> Hi .*!
>
> So I sent this message to the barnyard-users mailinglist but
> it seems that this list is dead. :/
>
> Because this is (somehow) related to snort I will resent the message
> to this list ...
>
> I've tried to run barnyard 0.2.0 (build 32) to process the
> unified alert files generated by snort 2.8.0 but unfortunately
> it dumps core. e.g.:
>
> debian3164m:/var/log/snort#
> Barnyard Version 0.2.0 (Build 32)
> Segmentation fault (core dumped)
>
> This happens on:
>
> debian3164m:~# cat /etc/debian_version
> 4.0
> debian3164m:~# uname -a
> Linux debian3164m 2.6.8-12-amd64-k8-smp #1 SMP Thu Dec 7 18:44:52 UTC 2006 x86_64 GNU/Linux
>
> with snort:
>
> debian3164m:~# snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.8.0 (Build 67) inline
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
>            Using PCRE version: 6.7 04-Jul-2006
>
> Running barnyard in the dry-run mode it says:
>
> debian3164m:~# barnyard  -c /etc/snort/barnyard.conf  -d /var/log/snort -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -R -o snort.alert.1193349572
> Barnyard Version 0.2.0 (Build 32)
> Program Variables:
>   Batch processing mode
>   Config dir:    /etc/snort
>   Config file:   /etc/snort/barnyard.conf
>   Sid-msg file:  /etc/snort/sid-msg.map
>   Gen-msg file:  /etc/snort/gen-msg.map
>   Class file:    /etc/snort/classification.config
>   Hostname:      ypbind.de
>   Interface:     eth0
>   BPF Filter:
>   Log dir:       /root
>   Verbosity:     0
>   Localtime:     0
>   File list:
>     /var/log/snort/snort.alert.1193349572
> Output plugins enabled for 'alert' records
> -------------------------------------------------------
> OpAlertFast configured
>   Filename: fast.alert
> =======================================================
> Output plugins enabled for 'log' records
> -------------------------------------------------------
> OpLogDump configured
>   Filename: dump.log
> OpLogPcap configured
>   Filename: barnyard.pcap
> =======================================================
> Output plugins enabled for 'stream_stat' records
> -------------------------------------------------------
> None configured
> =======================================================
>
> So I tried to recompile with --enable-debug but this doesn't even compile:
>
> gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src -I/usr/include/pcap    -g -O2 -Wall -DDEBUG -ggdb -c dp_stream_stat.c
> dp_stream_stat.c: In function 'StreamStatDpReadFileHeader':
> dp_stream_stat.c:104: warning: format '%d' expects type 'int', but argument 4 has type 'ssize_t'
> dp_stream_stat.c:104: warning: format '%d' expects type 'int', but argument 5 has type 'long unsigned int'
> dp_stream_stat.c:112: error: 'StreamStatFileHeader' has no member named 'magic'
> make[3]: *** [dp_stream_stat.o] Error 1
> make[3]: Leaving directory `/home/maus/tmp/barnyard-0.2.0/src/input-plugins'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/home/maus/tmp/barnyard-0.2.0/src'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/home/maus/tmp/barnyard-0.2.0'
> make: *** [all-recursive-am] Error 2
>
> It will compile if I comment the offending line in dp_stream_stat.c:112:
> 112: printf(" Magic          = 0x%X\n", file_header.magic);
>
> but does that help if I compile it like this and submit the backtrace of the
> generated core file ?
>
> Any help?
>
> So long,
>
> Andreas.
>
> P.S.: I attached my barnyard.conf to this message.
>
>   
> ------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> ------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list