[Snort-users] Where's Waldo?

beenph beenph at ...11827...
Tue Oct 9 02:39:41 EDT 2012


That person was probably right.

https://github.com/firnsy/barnyard2/blob/master/README

<SNIP>
In continual mode, barnyard2 will start with a location to look and a specified
file pattern and continue to process new data (and new spool files) as they
appear.

Continual mode w/ bookmarking will also use a checkpoint file (or waldo file in
the snort world) to track where it is. In the event the barnyard2 process ends
while a waldo file is in use, barnyard2 will resume processing at the last
entry as listed in the waldo file.

The "-f", "-w", and "-o" options are used to determine which mode barnyard2
will run in. It is legal for both the "-f" and "-w" options to be used on the
command line at the same time, however any data that exists in the waldo file
will override the command line data from the "-f" and "-d" options. See the
command directives section below for more detail.

Barnyard2 processing is controlled by two main types of directives: input
processors and output plugins. The input processors read information in from a
specific format (currently the spo_unified2 output module of Snort) and
output them in one of several ways.
</SNIP>


On Tue, Oct 9, 2012 at 1:54 AM, AllowOverride <allowoverride at ...11827...> wrote:
> WARNING: Ignoring corrupt/truncated waldofile '/tmp/waldo'
>
> I updated my barnyard2.conf, and I'm still getting this message.
>
> Why is it corrupt?
>
> -rw-r--r--  1 root root     0 Oct  8 17:42 waldo
>
> I still think barnyard2.conf is not working right.
> Someone said I'm not doing the research.
> I followed the official howtos. Go figure...
>
>
> Suggestions now? Thanks.
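
An added example, not part of the original thread and not barnyard2's own code: a small checker that classifies a waldo (checkpoint) file as empty, truncated or usable before barnyard2 is started with "-w". The record layout (two 1024-byte path buffers followed by two 32-bit integers), the field names and the sample values are assumptions constructed for illustration.

```python
import struct
import sys

# ASSUMPTION (the layout is not given on this page): one fixed-size record of
# two 1024-byte NUL-padded path buffers and two 32-bit unsigned integers,
# written in the sensor's native byte order with no padding.
MAX_FILEPATH_BUF = 1024
WALDO = struct.Struct(f"={MAX_FILEPATH_BUF}s{MAX_FILEPATH_BUF}sII")


def _cstr(buf: bytes) -> str:
    """Decode a NUL-terminated C string held in a fixed-size buffer."""
    return buf.split(b"\0", 1)[0].decode("utf-8", errors="replace")


def read_waldo(raw: bytes) -> dict:
    """Classify waldo file contents: empty, truncated, or a usable bookmark."""
    if not raw:
        # The case in this thread: a 0-byte /tmp/waldo holds no bookmark.
        return {"state": "empty"}
    if len(raw) < WALDO.size:
        return {"state": "truncated", "have": len(raw), "need": WALDO.size}
    spool_dir, filebase, timestamp, record_idx = WALDO.unpack(raw[:WALDO.size])
    return {
        "state": "ok",
        "spool_dir": _cstr(spool_dir),
        "spool_filebase": _cstr(filebase),
        "timestamp": timestamp,
        "record_idx": record_idx,
    }


def build_waldo(spool_dir: str, filebase: str, timestamp: int, idx: int) -> bytes:
    """Build a constructed sample record for offline testing."""
    return WALDO.pack(spool_dir.encode(), filebase.encode(), timestamp, idx)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Inspect a real file: python waldo_check.py /path/to/waldo
        with open(sys.argv[1], "rb") as fh:
            print(read_waldo(fh.read()))
    else:
        # Constructed sample: empty, cut short, and complete.
        sample = build_waldo("/var/log/snort", "snort.u2", 1349764781, 42)
        for raw in (b"", sample[:100], sample):
            print(read_waldo(raw))
```
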
