[Snort-users] Barnyard2 creating lots of tcpdump files

Peter Bates peter.bates at ...15381...
Wed Nov 23 04:46:50 EST 2011




Hello all...

I apologise that this isn't strictly a Snort issue, but a problem with
Barnyard2.

IDS is writing 'unified2.alert.xxx' fine as expected - file updates
happily.

My barnyard2.conf specifies:

output alert_syslog: LOG_LOCAL1
output log_tcpdump: tcpdump.log
output database: log, mysql, dbname=xyzzy host=localhost user=plugh password=plover detail=full

The problem I'm seeing, which is new to me, is that
tcpdump.log files are being created almost every minute:

-rw-------. 1 root     root      581 Nov 23 09:43 tcpdump.log.1322041395
-rw-------. 1 root     root     1.6K Nov 23 09:42 tcpdump.log.1322041364
-rw-------. 1 root     root      328 Nov 23 09:42 tcpdump.log.1322041362
-rw-------. 1 root     root      536 Nov 23 09:42 tcpdump.log.1322041363
-rw-------. 1 root     root     1.1K Nov 23 09:42 tcpdump.log.1322041356
-rw-------. 1 root     root      125 Nov 23 09:42 tcpdump.log.1322041353
-rw-------. 1 root     root     2.1K Nov 23 09:42 tcpdump.log.1322041345

I'm running Barnyard2 at the moment foregrounded and with -v, but other
than the occasional:

NULL header length < captured len! (0 bytes)
NULL header length < captured len! (0 bytes)

it shows no other errors.

Has anyone else ever seen this?

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT