[Snort-users] barnyard2-1.10 major problem

Lawrence R. Hughes, Sr. lhughes at ...14822...
Wed Oct 24 11:05:59 EDT 2012


Your email was about the sid-msg.map which we already have a work around 

To clarify, this message is about spooler.c which is not functioning 
correctly in barnyard2-1.10.
Do you have a patch for this or work-around?


BTW I did send you the snort.log.xxxxx files as requested.

----- Original Message ----- 
From: "beenph" <beenph at ...11827...>
To: "Lawrence R. Hughes, Sr." <lhughes at ...14822...>
Cc: <snort-users at lists.sourceforge.net>; <barnyard2-users at ...14071...>; 
"firnsy" <firnsy at ...14568...>
Sent: Wednesday, October 24, 2012 10:47 AM
Subject: Re: [Snort-users] barnyard2-1.10 major problem

> On Wed, Oct 24, 2012 at 10:12 AM, Lawrence R. Hughes, Sr.
> <lhughes at ...14822...> wrote:
>> Hi,
>> We have discovered that barnyard2-1.10 (all builds) has a major problem
>> where it will only pass one (1) packet per-alert to the database and
>> discards any further packets reported by snort!
>> We have been in touch with the author of barnyard2 and they can not offer
>> any solutions and are working on a complete re-write of spooler.c for the
>> release 2.2 of barnyard2.
> Lawrence,
> I wrote you a follow-up e-mail, and you never replied.
> But i will include it in this reply.
> <SNIP>
> On Fri, Oct 19, 2012 at 7:09 PM, beenph <beenph at ...11827...> wrote:
>> Hum how large is your unified2 file? i think what happening is that
>> you are hitting cache maximum.
>> In src/spooler.c change line 44 #define CACHED_EVENTS_MAX 256
>> and set it to 1024 or even 2048.
>> I am under the impression that what is happening is that the packet
>> you are mentionning is hitting the cache limit and
>> when the cache get recycled, your packet can't find a relative event.
>> If that dosen't work i would appreciate if you can use u2_anon ->
>> https://github.com/binf/u2_anon
>> And send us your unified2 file.
>> But for the record change that have been done in the database output
>> plugin shouldn't affect how stream packets get logged.
>> Let us know how it goes.
>> -elz
> </SNIP>
> -elz

More information about the Snort-users mailing list