[Snort-users] Barnyard2 process quits when Output:alert_bro is enabled

Jeremy Cox jeremy.cox at ...16655...
Fri Jan 17 16:33:08 EST 2014


Anytime I enable the Bro2 alert in the Barnyard2 Config file, Barnyard2
starts right up and runs the standard checks, looks like it will start
working and then suddenly stops without any warning message whatsoever.



For example:


sudo barnyard2 -c /etc/suricata/barnyard2.conf -d /mnt/iscsi/suricata/log -f unified2.alert -w /mnt/iscsi/suricata/log/suricata.waldo -vvv



Running in Continuous mode



        --== Initializing Barnyard2 ==--

Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/suricata/barnyard2.conf"
Log directory = /var/log/barnyard2
alert_bro Connecting to Bro (10.0.67.186:47762)...done.


        --== Initialization Complete ==--


  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9 (Build 263)
 |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.


           Snort by Martin Roesch & The Snort Team:
http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.


Using waldo file '/mnt/iscsi/suricata/log/suricata.waldo':
    spool directory = /mnt/iscsi/suricata/log
    spool filebase  = unified2.alert
    time_stamp      = 1389914653
    record_idx      = 25442
Opened spool file '/mnt/iscsi/suricata/log/unified2.alert.1389914653'




The process stops at this point.  If I compile Barnyard2 with debugging
enabled I get this:


sudo barnyard2 -c /etc/suricata/barnyard2.conf -d /mnt/iscsi/suricata/log -f unified2.alert -w /mnt/iscsi/suricata/log/suricata.waldo -v -e



Running in Continuous mode


        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/suricata/barnyard2.conf"
Log directory = /var/log/barnyard2
alert_bro Connecting to Bro (10.0.67.186:47762)...done.
-------------------------------------------------
 Keyword     |          Input @
-------------------------------------------------
unified2     : init() = 0x4314c6
unified2     :   - readRecordHeader() = 0x431539
unified2     :   - readRecord()       = 0x4316f8
-------------------------------------------------

-------------------------------------------------
 Keyword     |          Output @
-------------------------------------------------
alert_syslog :       0x4267fb
log_tcpdump  :       0x4291b3
database     :       0x42cd13
alert_fast   :       0x425419
alert_full   :       0x426021
alert_unixsock:       0x427da3
alert_csv    :       0x4240e0
log_null     :       0x429097
log_ascii    :       0x428413
alert_bro    :       0x423773
alert_test   :       0x427627
platypus     :       0x42a058
sguil        :       0x42bc14
-------------------------------------------------



        --== Initialization Complete ==--


  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9 (Build 263) DEBUG
 |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.


           Snort by Martin Roesch & The Snort Team:
http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/mnt/iscsi/suricata/log/suricata.waldo':
    spool directory = /mnt/iscsi/suricata/log
    spool filebase  = unified2.alert
    time_stamp      = 1389914653
    record_idx      = 25443
Opened spool file '/mnt/iscsi/suricata/log/unified2.alert.1389914653'
IP Len field is 6 bytes smaller than captured length.
    (ip.len: 40, cap.len: 46)
IP Len field is 6 bytes smaller than captured length.
    (ip.len: 40, cap.len: 46)
IP Len field is 6 bytes smaller than captured length.
    (ip.len: 40, cap.len: 46)



The important section of the Barnyard Config file looks like this:


input unified2

output alert_bro: 10.0.67.186:47762
output alert_fast: stdout



If I comment out the "output alert_bro: 10.0.67.186:47762" then Barnyard
executes as expected and I see the Fast Alerts scroll on the screen.


*Jeremy Cox*
Senior Network Engineer, ISO

*Washington County School District*
121 W Tabernacle - St. George - UT
435-634-4315
www.washk12.org
