[Snort-users] Barnyard 0.2.0 (build 32) dumps core and won't compile with --enable-debug

Jason security at ...5028...
Wed Oct 31 21:39:00 EDT 2007


FYI:

I've added preliminary support for unified2 to SnortUnified.pm

http://www.snort.org/users/jbrvenik/Site/Blog/Entries/2007/10/21_Merry_Christmas_(or_whatever_you_like).html

short version

http://tinyurl.com/24v8xs

Pull trunk from SVN and have a go. I would be really appreciative of
feedback.

Russell Fulton wrote:
> My understanding is that barnyard is basically orphaned and
> unmaintained.  I asked about 2.8 support a while back and was told that
> there were no plans to update barnyard.
> 
> Russell
> 
> Andreas Maus wrote:
>> Hi .*!
>>
>> So I sent this message to the barnyard-users mailing list but
>> it seems that this list is dead. :/
>>
>> Because this is (somehow) related to snort I will resend the message
>> to this list ...
>>
>> I've tried to run barnyard 0.2.0 (build 32) to process the
>> unified alert files generated by snort 2.8.0 but unfortunately
>> it dumps core. e.g.:
>>
>> debian3164m:/var/log/snort#
>> Barnyard Version 0.2.0 (Build 32)
>> Segmentation fault (core dumped)
>>
>> This happens on:
>>
>> debian3164m:~# cat /etc/debian_version
>> 4.0
>> debian3164m:~# uname -a
>> Linux debian3164m 2.6.8-12-amd64-k8-smp #1 SMP Thu Dec 7 18:44:52 UTC 2006 x86_64 GNU/Linux
>>
>> with snort:
>>
>> debian3164m:~# snort -V
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.8.0 (Build 67) inline
>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
>>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
>>            Using PCRE version: 6.7 04-Jul-2006
>>
>> Running barnyard in the dry-run mode it says:
>>
>> debian3164m:~# barnyard  -c /etc/snort/barnyard.conf  -d /var/log/snort -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -R -o snort.alert.1193349572
>> Barnyard Version 0.2.0 (Build 32)
>> Program Variables:
>>   Batch processing mode
>>   Config dir:    /etc/snort
>>   Config file:   /etc/snort/barnyard.conf
>>   Sid-msg file:  /etc/snort/sid-msg.map
>>   Gen-msg file:  /etc/snort/gen-msg.map
>>   Class file:    /etc/snort/classification.config
>>   Hostname:      ypbind.de
>>   Interface:     eth0
>>   BPF Filter:
>>   Log dir:       /root
>>   Verbosity:     0
>>   Localtime:     0
>>   File list:
>>     /var/log/snort/snort.alert.1193349572
>> Output plugins enabled for 'alert' records
>> -------------------------------------------------------
>> OpAlertFast configured
>>   Filename: fast.alert
>> =======================================================
>> Output plugins enabled for 'log' records
>> -------------------------------------------------------
>> OpLogDump configured
>>   Filename: dump.log
>> OpLogPcap configured
>>   Filename: barnyard.pcap
>> =======================================================
>> Output plugins enabled for 'stream_stat' records
>> -------------------------------------------------------
>> None configured
>> =======================================================
>>
>> So I tried to recompile with --enable-debug but this doesn't even compile:
>>
>> gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src -I/usr/include/pcap    -g -O2 -Wall -DDEBUG -ggdb -c dp_stream_stat.c
>> dp_stream_stat.c: In function 'StreamStatDpReadFileHeader':
>> dp_stream_stat.c:104: warning: format '%d' expects type 'int', but argument 4 has type 'ssize_t'
>> dp_stream_stat.c:104: warning: format '%d' expects type 'int', but argument 5 has type 'long unsigned int'
>> dp_stream_stat.c:112: error: 'StreamStatFileHeader' has no member named 'magic'
>> make[3]: *** [dp_stream_stat.o] Error 1
>> make[3]: Leaving directory `/home/maus/tmp/barnyard-0.2.0/src/input-plugins'
>> make[2]: *** [all-recursive] Error 1
>> make[2]: Leaving directory `/home/maus/tmp/barnyard-0.2.0/src'
>> make[1]: *** [all-recursive] Error 1
>> make[1]: Leaving directory `/home/maus/tmp/barnyard-0.2.0'
>> make: *** [all-recursive-am] Error 2
>>
>> It will compile if I comment the offending line in dp_stream_stat.c:112:
>> 112: printf(" Magic          = 0x%X\n", file_header.magic);
>>
>> but does that help if I compile it like this and submit the backtrace of the
>> generated core file?
>>
>> Any help?
>>
>> So long,
>>
>> Andreas.
>>
>> P.S.: I attached my barnyard.conf to this message.
>>
>>   
>> ------------------------------------------------------------------------
>>
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by: Splunk Inc.
>> Still grepping through log files to find problems?  Stop.
>> Now Search log events and configuration files using AJAX and a browser.
>> Download your FREE copy of Splunk now >> http://get.splunk.com/
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
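The warnings quoted at dp_stream_stat.c:104 come from printing ssize_t and size_t values with '%d', and a reader that carries on after an unexpected header is one route to a crash like the one reported. The following is an added example, not barnyard's or Snort's code: it parses a constructed fixed-size header from a buffer, treats a short read or unknown magic as an error rather than continuing, and prints the lengths with the matching specifiers. The struct layout and EXAMPLE_MAGIC are placeholders, not the real unified-file format.

```c
/* Added example, not barnyard's or Snort's code: header layout and
 * EXAMPLE_MAGIC are constructed placeholders, not the unified format. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define EXAMPLE_MAGIC 0x41424344u  /* placeholder, not a real Snort magic */

struct example_file_header { uint32_t magic; uint32_t version; };
enum hdr_status { HDR_OK = 0, HDR_SHORT = 1, HDR_BAD_MAGIC = 2 };
/* 'got' stands for the ssize_t returned by read(2).  It is checked against
 * the header size before memcpy, so a truncated or foreign file is reported
 * instead of being parsed as if it were complete. */
enum hdr_status parse_example_header(const unsigned char *buf, ssize_t got,
                                     struct example_file_header *out)
{
    if (got < 0 || (size_t)got < sizeof(*out)) {
        /* %zd / %zu match ssize_t / size_t on 32- and 64-bit targets; the
         * warning quoted above comes from using %d for them on x86_64. */
        fprintf(stderr, "short header: read %zd of %zu bytes\n",
                got, sizeof(*out));
        return HDR_SHORT;
    }
    memcpy(out, buf, sizeof(*out));  /* host byte order, as written by the logger */
    if (out->magic != EXAMPLE_MAGIC) {
        fprintf(stderr, "unknown magic 0x%08" PRIx32 "\n", out->magic);
        return HDR_BAD_MAGIC;
    }
    return HDR_OK;
}

/* Run the parser over constructed inputs (valid, truncated, failed read,
 * wrong magic) and return how many were classified as expected: 4. */
int example_checks(void)
{
    unsigned char good[8], bad[8] = {0};
    uint32_t magic = EXAMPLE_MAGIC, version = 1;
    struct example_file_header h;
    int ok = 0;
    memcpy(good, &magic, 4);
    memcpy(good + 4, &version, 4);
    ok += parse_example_header(good, 8, &h) == HDR_OK && h.version == 1;
    ok += parse_example_header(good, 3, &h) == HDR_SHORT;
    ok += parse_example_header(good, -1, &h) == HDR_SHORT;
    ok += parse_example_header(bad, 8, &h) == HDR_BAD_MAGIC;
    return ok;
}
```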