[Snort-users] Barnyard2 error

beenph beenph at ...11827...
Wed Jul 24 11:29:13 EDT 2013


Make sure your snort outputs in unified2 format before using barnyard2,
since barnyard2 will only process unified2 files.

-elz


On Wed, Jul 24, 2013 at 11:09 AM, Abid Ayoub <abid.ayoub at ...11827...> wrote:
> Hi
>
> Thanks for the answer.
>
> but the problem is that I get no result after I run snort.
> I got this:
>
>
>
> database: Closing connection to database "snort"
> ===============================================================================
> Record Totals:
>    Records:           0
>    Events:           0 (0.000%)
>    Packets:           0 (0.000%)
>    Unknown:           0 (0.000%)
>    Suppressed:           0 (0.000%)
> ===============================================================================
> Packet breakdown by protocol (includes rebuilt packets):
>       ETH: 0          (0.000%)
>   ETHdisc: 0          (0.000%)
>      VLAN: 0          (0.000%)
>      IPV6: 0          (0.000%)
>   IP6 EXT: 0          (0.000%)
>   IP6opts: 0          (0.000%)
>   IP6disc: 0          (0.000%)
>       IP4: 0          (0.000%)
>   IP4disc: 0          (0.000%)
>     TCP 6: 0          (0.000%)
>     UDP 6: 0          (0.000%)
>     ICMP6: 0          (0.000%)
>   ICMP-IP: 0          (0.000%)
>       TCP: 0          (0.000%)
>       UDP: 0          (0.000%)
>      ICMP: 0          (0.000%)
>   TCPdisc: 0          (0.000%)
>   UDPdisc: 0          (0.000%)
>   ICMPdis: 0          (0.000%)
>      FRAG: 0          (0.000%)
>    FRAG 6: 0          (0.000%)
>       ARP: 0          (0.000%)
>     EAPOL: 0          (0.000%)
>   ETHLOOP: 0          (0.000%)
>       IPX: 0          (0.000%)
>     OTHER: 0          (0.000%)
>   DISCARD: 0          (0.000%)
> InvChkSum: 0          (0.000%)
>    S5 G 1: 0          (0.000%)
>    S5 G 2: 0          (0.000%)
>     Total: 0
> ===============================================================================
>
>
> So, is this normal? Where probably is the problem?
>
> Thanks
> Abid
>
>
> 2013/7/24 beenph <beenph at ...11827...>
>>
>> On Wed, Jul 24, 2013 at 10:47 AM, Abid Ayoub <abid.ayoub at ...11827...> wrote:
>> >
>> > Hi,
>> > I didn't understand what you mean exactly,
>> > but if you mean that I am running snort or barnyard2 in the background,
>> > the answer is no.
>> > Abid
>> >
>> >
>> > 2013/7/24 Abid Ayoub <abid.ayoub at ...11827...>
>> >>
>> >> Hi,
>> >>
>> >> I didn't understand what you mean exactly,
>> >> but if you mean that I am running snort or barnyard2 in the background,
>> >> the answer is no.
>> >>
>> >> Abid
>> >>
>> >>
>>
>> Hi Abid,
>> In the first message that you posted with the barnyard2 output, it
>> does not seem like it refuses to run;
>> you had two warning messages.
>>
>> Message 1:
>> [SignatureReferencePullDataStore()]: No Reference found in database ...
>>
>> Which means that there was no reference found in the sig_reference table
>>
>> Message 2:
>> WARNING: Ignoring corrupt/truncated waldofile
>> '/var/log/snort/barnyard2.waldo'
>>
>> Which means it either didn't find the waldo file or that the waldo
>> file had been incomplete;
>> thus, until it processes any events and writes a good waldo file, if you
>> stop and start barnyard2
>> you will get that message.
>>
>> -elz
>
>
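
A quick way to run the check suggested in this reply, as an added example that is not part of the thread or of the Snort/barnyard2 code: it walks the (type, length) record headers of a spool file and reports whether it parses as unified2. The function names, the subset of record types and the sample bytes are assumptions constructed for illustration.

```python
import struct
import sys
from collections import Counter

# Common unified2 record types (subset; numbers from Snort's Unified2_common.h).
U2_TYPES = {2: "packet", 7: "event (IPv4)", 72: "event (IPv6)",
            104: "event v2 (IPv4)", 105: "event v2 (IPv6)", 110: "extra data"}

def scan_unified2(data: bytes):
    """Walk record headers (type, length: big-endian uint32 each).

    Returns (Counter of record kinds, status), where status is "ok", "empty",
    or a description of the first thing that does not look like unified2.
    """
    counts, off = Counter(), 0
    while off < len(data):
        if len(data) - off < 8:
            return counts, "truncated header"
        rtype, rlen = struct.unpack_from(">II", data, off)
        if rtype not in U2_TYPES:
            return counts, f"unknown record type {rtype} at offset {off}"
        if off + 8 + rlen > len(data):
            return counts, "truncated record"
        counts[U2_TYPES[rtype]] += 1
        off += 8 + rlen
    return counts, ("ok" if counts else "empty")

def _record(rtype: int, body: bytes) -> bytes:
    """Build one record: 8-byte header followed by the body (hypothetical helper)."""
    return struct.pack(">II", rtype, len(body)) + body

# Constructed samples: zero-filled record bodies, and a made-up text alert line
# standing in for a non-unified2 log written by a text output plugin.
SAMPLE_U2 = _record(7, bytes(52)) + _record(2, bytes(28 + 60))
SAMPLE_TEXT = b"07/24-11:09:00.000000 [**] [1:1000001:1] constructed alert [**]\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:            # path to a spool file, e.g. under /var/log/snort
        with open(sys.argv[1], "rb") as fh:
            print(scan_unified2(fh.read()))
    else:
        print(scan_unified2(SAMPLE_U2))
        print(scan_unified2(SAMPLE_TEXT))
```

A status of "empty" or "unknown record type" on the file barnyard2 is reading is consistent with the all-zero record totals quoted above.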



