[Snort-users] WARNING: Can't extract timestamp extension from 'snort.unified2 limit 128.1373443078'using base 'snort.unified2'

Kaushal Shriyan kaushalshriyan at ...11827...
Thu Jul 11 07:35:54 EDT 2013


On Thu, Jul 11, 2013 at 4:54 PM, Kaushal Shriyan
<kaushalshriyan at ...11827...> wrote:

> Hi,
>
> I am running snort version 2.9.5 and barnyard2 version 2.1.13 on CentOS
> 6.4. Below are the details of the snort and barnyard2 versions running on
> the box.
>
> # /usr/sbin/snort --version
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.5 GRE (Build 103)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.0.0
>            Using PCRE version: 7.8 2008-09-05
>            Using ZLIB version: 1.2.3
>
> # /usr/bin/barnyard2 --version
>
>   ______   -*> Barnyard2 <*-
>  / ,,_  \  Version 2.1.13 (Build 327)
>  |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
>  + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy at ...14568...>
> #
>
> I am getting a lot of messages in the messages file: "WARNING: Can't extract
> timestamp extension from 'snort.unified2 limit 128.1373443078'using base
> 'snort.unified2'"
>
> Jul 11 16:49:21 snort snort[17849]: WARNING: Can't extract timestamp
> extension from 'snort.unified2 limit 128.1373443078'using base
> 'snort.unified2'
> Jul 11 16:49:21 snort snort[17849]: WARNING: Can't extract timestamp
> extension from 'snort.unified2 limit 128.1373492825'using base
> 'snort.unified2'
> Jul 11 16:49:22 snort snort[17849]: WARNING: Can't extract timestamp
> extension from 'snort.unified2 limit 128.1373443078'using base
> 'snort.unified2'
> Jul 11 16:49:22 snort snort[17849]: WARNING: Can't extract timestamp
> extension from 'snort.unified2 limit 128.1373492825'using base
> 'snort.unified2'
> Jul 11 16:49:23 snort snort[17849]: WARNING: Can't extract timestamp
> extension from 'snort.unified2 limit 128.1373443078'using base
> 'snort.unified2'
> Jul 11 16:49:23 snort snort[17849]: WARNING: Can't extract timestamp
> extension from 'snort.unified2 limit 128.1373492825'using base
> 'snort.unified2'
> Jul 11 16:49:24 snort snort[17849]: WARNING: Can't extract timestamp
> extension from 'snort.unified2 limit 128.1373443078'using base
> 'snort.unified2'
> Jul 11 16:49:24 snort snort[17849]: WARNING: Can't extract timestamp
> extension from 'snort.unified2 limit 128.1373492825'using base
> 'snort.unified2'
> Jul 11 16:49:25 snort snort[17849]: WARNING: Can't extract timestamp
> extension from 'snort.unified2 limit 128.1373443078'using base
> 'snort.unified2'
> Jul 11 16:49:25 snort snort[17849]: WARNING: Can't extract timestamp
> extension from 'snort.unified2 limit 128.1373492825'using base
> 'snort.unified2'
> Jul 11 16:49:26 snort snort[17849]: WARNING: Can't extract timestamp
> extension from 'snort.unified2 limit 128.1373443078'using base
> 'snort.unified2'
> Jul 11 16:49:26 snort snort[17849]: WARNING: Can't extract timestamp
> extension from 'snort.unified2 limit 128.1373492825'using base
> 'snort.unified2'
>
> Any clue? Please let me know if anyone needs snort IDS and barnyard2
> configuration files.
>
> Regards,
>
> Kaushal
>

Hi Again,

Subsequent to the earlier email, please find below further details:

# ps aux | grep snort
snort    11861  0.1  0.7 405964 256444 ?       SNsl 03:17   1:21
/usr/sbin/snort -d -D -i em3 -u snort -g snort -c /etc/snort/snort.conf -l
/var/log/snort/em3
snort    11867  0.0  0.2 404512 74084 ?        SNsl 03:17   0:01
/usr/sbin/snort -d -D -i em4 -u snort -g snort -c /etc/snort/snort.conf -l
/var/log/snort/em4
root     17849  0.0  0.0 141464  8352 ?        Ss   12:09   0:01 barnyard2
-D -c /etc/snort/barnyard2.conf -d /var/log/snort/em3 -w
/var/log/snort/em3/barnyard2.waldo -l /var/log/snort/em3 -a
/var/log/snort/em3/archive -f snort.unified2 -X
/var/lock/subsys/barnyard2-em3.pid
root     18459  0.0  0.0 103236   876 pts/0    S+   17:00   0:00 grep snort
[root at ...2306... ~]# ps aux | grep barnyard
root     17849  0.0  0.0 141464  8352 ?        Ss   12:09   0:01 barnyard2
-D -c /etc/snort/barnyard2.conf -d /var/log/snort/em3 -w
/var/log/snort/em3/barnyard2.waldo -l /var/log/snort/em3 -a
/var/log/snort/em3/archive -f snort.unified2 -X
/var/lock/subsys/barnyard2-em3.pid
root     18461  0.0  0.0 103236   880 pts/0    S+   17:00   0:00 grep
barnyard
# /sbin/ifconfig em3
em3       Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0E
          inet6 addr: fe80::e2db:55ff:fe05:d00e/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:50122055 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22401829151 (20.8 GiB)  TX bytes:492 (492.0 b)
          Interrupt:34

# /sbin/ifconfig em4
em4       Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0F
          inet6 addr: fe80::e2db:55ff:fe05:d00f/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1084 (1.0 KiB)  TX bytes:492 (492.0 b)
          Interrupt:36

#

barnyard2 configuration file ->
http://paste.fedoraproject.org/24554/37354245
snort configuration file -> http://paste.fedoraproject.org/24555/42505137

Regards,

Kaushal
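Added example (not part of the original post and not barnyard2's own code): the `ps` output above shows that PID 17849, the process emitting the warning, is barnyard2 rather than snort (syslog labels it "snort" only because that is the hostname). In continuous mode barnyard2 scans the spool directory for files named `<base>.<epoch>` and takes the digits after the base as the timestamp extension; a file called `snort.unified2 limit 128.1373443078` has ` limit 128` between the base `snort.unified2` and the epoch, so the extraction fails. The small parser below models that check on a constructed directory listing. The `looks_like_missing_comma` heuristic encodes an assumption about the poster's config that the page does not confirm: snort's `output unified2:` line expects `filename <base>, limit <n>`, and without the comma the whole phrase `snort.unified2 limit 128` becomes the filename.

```python
import re
from datetime import datetime, timezone

# Constructed sample directory listing, modelled on the filenames quoted in
# the post; these strings are made up for the example, not read from a real
# spool directory.
SAMPLE_FILES = [
    "snort.unified2.1373443078",            # well-formed: <base>.<epoch>
    "snort.unified2.1373492825",
    "snort.unified2 limit 128.1373443078",  # ' limit 128' sits between base and epoch
    "barnyard2.waldo",                      # unrelated file in the same directory
]

BASE = "snort.unified2"


def timestamp_extension(filename, base):
    """Return the integer epoch suffix if `filename` is exactly '<base>.<digits>',
    otherwise None.  This mirrors the condition behind the
    "Can't extract timestamp extension" warning: nothing may sit between the
    base name and the final '.<epoch>'."""
    if not filename.startswith(base):
        return None                        # not one of our spool files at all
    rest = filename[len(base):]            # e.g. '.1373443078' or ' limit 128.1373443078'
    m = re.fullmatch(r"\.(\d+)", rest)
    if m is None:
        return None
    return int(m.group(1))


def classify_spool(filenames, base):
    """Split a directory listing into parsable spool files (name -> epoch) and
    the warning lines barnyard2-style scanning would emit for the rest.
    Files that do not start with the base are ignored, as barnyard2 ignores them."""
    ok, warnings = {}, []
    for name in filenames:
        if not name.startswith(base):
            continue
        ts = timestamp_extension(name, base)
        if ts is None:
            warnings.append(
                f"WARNING: Can't extract timestamp extension from '{name}' "
                f"using base '{base}'"
            )
        else:
            ok[name] = ts
    return ok, warnings


def looks_like_missing_comma(filename, base):
    """Heuristic (assumption, not stated on the page): a spool file whose text
    between the base and the epoch is ' limit <n>' is what snort produces when
    snort.conf reads 'output unified2: filename <base> limit <n>' without the
    comma that should separate the filename from the limit option."""
    rest = filename[len(base):]
    return re.fullmatch(r" limit \d+\.\d+", rest) is not None


def epoch_to_utc(epoch):
    """Render the epoch suffix as a UTC timestamp, handy when checking that the
    spool file's time matches the warning's syslog time."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    parsed, warns = classify_spool(SAMPLE_FILES, BASE)
    for name, ts in parsed.items():
        print(f"ok   {name} -> {epoch_to_utc(ts)}")
    for w in warns:
        print(w)
    for name in SAMPLE_FILES:
        if looks_like_missing_comma(name, BASE):
            print(f"hint {name!r}: check the comma in the 'output unified2:' line of snort.conf")
```

Running it on the constructed listing accepts the two well-formed files, emits one warning for the ` limit 128` file, and flags that file as the missing-comma pattern; pointing `classify_spool` at a real `os.listdir('/var/log/snort/em3')` would show whether the spool directory on the box contains such a file.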