[Snort-users] Barnyard2 creating lots of tcpdump files

beenph beenph at ...11827...
Wed Nov 23 13:20:28 EST 2011


On Wed, Nov 23, 2011 at 4:46 AM, Peter Bates <peter.bates at ...15381...> wrote:
>
> Hello all...
>
> I apologise this isn't strictly a Snort issue - but a problem with
> Barnyard2.
>
> IDS is writing 'unified2.alert.xxx' fine as expected - file updates
> happily.
>
Greetings Peter,

We have a mailing list for barnyard2 which you can use for barnyard2-related
issues: barnyard2-users at ...15441...

What type of unified2 output mode do you use in snort?


> My barnyard2.conf specifies:
> output alert_syslog: LOG_LOCAL1
> output log_tcpdump: tcpdump.log
> output database: log, mysql, dbname=xyzzy host=localhost
> user=plugh password=plover detail=full
>


> The problem I'm seeing which is new to me is that
> tcpdump.log files are being made almost every minute:
>
> -rw-------. 1 root     root      581 Nov 23 09:43 tcpdump.log.1322041395
> -rw-------. 1 root     root     1.6K Nov 23 09:42 tcpdump.log.1322041364
> -rw-------. 1 root     root      328 Nov 23 09:42 tcpdump.log.1322041362
> -rw-------. 1 root     root      536 Nov 23 09:42 tcpdump.log.1322041363
> -rw-------. 1 root     root     1.1K Nov 23 09:42 tcpdump.log.1322041356
> -rw-------. 1 root     root      125 Nov 23 09:42 tcpdump.log.1322041353
> -rw-------. 1 root     root     2.1K Nov 23 09:42 tcpdump.log.1322041345
>
> I'm running Barnyard2 at the moment foregrounded and with -v but other
> than the occasional:
> NULL header length < captured len! (0 bytes)
> NULL header length < captured len! (0 bytes)
>
> It shows no other errors.
>
> Has anyone else ever seen this?
>
> --
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division       Internal Ext: 32049
> University College London
> London WC1E 6BT
>
>
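A check an operator could run over the tcpdump.log.<epoch> files listed in the post, added here as an example and not code from the thread or from barnyard2: it parses each file's classic pcap header to confirm it is a valid capture, counts its complete records, and counts DLT_NULL (BSD loopback) records too short to hold the 4-byte null header, which is assumed to be the condition the "NULL header length < captured len!" message describes. The sample capture is constructed in memory; its timestamps reuse the epoch suffix from the listing purely as sample values.

```python
import struct
from typing import Dict, Sequence

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap magic as read little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic when the file was written big-endian
DLT_NULL = 0                 # BSD loopback link type: 4-byte address-family header
NULL_HDR_LEN = 4


def inspect_pcap(data: bytes) -> Dict[str, int]:
    """Summarise one classic (non-pcapng) pcap file held in memory: link type,
    snaplen, complete records, DLT_NULL records too short for their 4-byte
    header (assumed to be what barnyard2's "NULL header length < captured len!"
    message refers to), and whether a record runs past the end of the file."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    # version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    offset, packets, short_null, truncated = 24, 0, 0, 0
    while offset + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if caplen > snaplen or offset + caplen > len(data):
            truncated = 1    # record claims more bytes than snaplen or the file allows
            break
        if linktype == DLT_NULL and caplen < NULL_HDR_LEN:
            short_null += 1
        packets += 1
        offset += caplen
    return {"linktype": linktype, "snaplen": snaplen, "packets": packets,
            "short_null_headers": short_null, "truncated": truncated}


def build_sample(linktype: int, caplens: Sequence[int]) -> bytes:
    """Construct a tiny little-endian pcap in memory (sample data, not a real capture)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype)
    for i, caplen in enumerate(caplens):
        out += struct.pack("<IIII", 1322041345 + i, 0, caplen, caplen) + bytes(caplen)
    return out


print(inspect_pcap(build_sample(DLT_NULL, [0, 4, 60])))   # one short DLT_NULL record
```

To run it over real files, read each tcpdump.log.* into bytes and pass it to inspect_pcap; a file that raises on the magic check is not a pcap at all, and a high short_null_headers count ties the warning to those captures.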