[Snort-users] snort 2.8.6.0 & barnyard2-1.8 problems

Eoin Miller eoin.miller at ...14586...
Wed Jun 9 15:51:07 EDT 2010


On 6/9/2010 4:54 PM, JJC wrote:
> What command are you using in your snort.conf to create the unified2 
> file output?
>
> On Wed, Jun 9, 2010 at 9:03 AM, Lawrence R. Hughes, Sr. 
> <lhughes at ...14822... <mailto:lhughes at ...14822...>> wrote:
>
>     Hi,
>     Snort 2.8.6.0 reports to the mysql database without any problems,
>     when we change snort to unified2 output,
>     barnyard2-1.8 connects to the same database, but does not report
>     anything?
>     We get the messages from barnyard: Not IPv4 datagram! ([ver:
>     0x6][len: 0x0])
>     and it discards 100.00% ????
>     Has anyone seen this problem?
>     Thanks,
>     Larry
>
>

Yea, its gotta be the type of output from Snort you are specifying. We 
run Snort 2.8.6.0 and Barnyard2 1.8 without any problems. I think I ran 
into something similiar previously when I was specifying multiple output 
types logging to the same directory and then pointed barnyard at it to 
spool from that location. You should just have this type of output 
configuration in your snort.conf:

output unified2: filename filename-unified2.log, limit 1

If you need to specify more types of output, you should put them into 
separate directories. Do you have the default output in the snort.conf 
and then just added the unified2 statement as well? I think I did that 
and had the same error once.

-- Eoin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100609/e82cff85/attachment.html>


More information about the Snort-users mailing list