[Snort-users] barnyard2-1.10 major problem

beenph beenph at ...11827...
Wed Oct 24 10:47:33 EDT 2012

On Wed, Oct 24, 2012 at 10:12 AM, Lawrence R. Hughes, Sr.
<lhughes at ...14822...> wrote:
> Hi,
> We have discovered that barnyard2-1.10 (all builds) has a major problem
> where it will only pass one (1) packet per-alert to the database and
> discards any further packets reported by snort!
> We have been in touch with the author of barnyard2 and they can not offer
> any solutions and are working on a complete re-write of spooler.c for the
> release 2.2 of barnyard2.

I wrote you a follow-up e-mail, and you never replied.

But i will include it in this reply.
On Fri, Oct 19, 2012 at 7:09 PM, beenph <beenph at ...11827...> wrote:
> Hum how large is your unified2 file? i think what happening is that
> you are hitting cache maximum.
> In src/spooler.c change line 44 #define CACHED_EVENTS_MAX 256
> and set it to 1024 or even 2048.
> I am under the impression that what is happening is that the packet
> you are mentionning is hitting the cache limit and
> when the cache get recycled, your packet can't find a relative event.
> If that dosen't work i would appreciate if you can use u2_anon ->
> https://github.com/binf/u2_anon
> And send us your unified2 file.
> But for the record change that have been done in the database output
> plugin shouldn't affect how stream packets get logged.
> Let us know how it goes.
> -elz



More information about the Snort-users mailing list