[Snort-users] Barnyard2 process quits when Output:alert_bro is enabled

SnortFan SnortFan at ...131...
Wed Jan 22 14:47:26 EST 2014


Hi Jeremy,
    Try the barnyard2-users at ...14071... list. Like this one you will need to join. The developers for barnyard2 monitor that list and have helped me out in the past.  

Best of luck,
Ed


Sent from a mobile device. 

> On Jan 21, 2014, at 3:04 PM, Jeremy Cox <jeremy.cox at ...16655...> wrote:
> 
> There is one error in the syslog:
> 
> Jan 21 13:02:48 ids kernel: [417909.308741] barnyard2[22481]: segfault at 10 ip 0000000000423d28 sp 00007fff631c93c0 error 4 in barnyard2[400000+46000]
> 
> 
> 
> Any help would be greatly appreciated!
> 
> Thanks,
> 
> Jeremy
> 
> 
> Jeremy Cox
> Senior Network Engineer, ISO
> Washington County School District
> 121 W Tabernacle - St. George - UT
> 435-634-4315
> www.washk12.org
> 687474703a2f2f7777772e7375706572746563686775792e636f6d
> 
> IMPORTANT NOTICE REGARDING THIS ELECTRONIC COMMUNICATION:
> 
> This e-mail, including any attachments thereto, contains information that may be confidential or privileged, and is intended solely for the individual or entity to whom it is addressed.  Recipient is hereby notified that any disclosure, copying or distribution of this message is strictly prohibited.  IF YOU ARE NOT THE INTENDED RECIPIENT, please notify the originator of this e-mail immediately and destroy all information received.  Thank you.
> 
> 
>> On Fri, Jan 17, 2014 at 2:33 PM, Jeremy Cox <jeremy.cox at ...16655...> wrote:
>> Anytime I enable the Bro2 alert in the Barnyard2 Config file, Barnyard2 starts right up and runs the standard checks, looks like it will start working and then suddenly stops without any warning message whatsoever.
>> 
>> 
>> 
>> For example:
>> 
>> 
>> sudo barnyard2 -c /etc/suricata/barnyard2.conf -d /mnt/iscsi/suricata/log -f unified2.alert -w /mnt/iscsi/suricata/log/suricata.waldo -vvv
>> 
>> 
>> Running in Continuous mode
>> 
>> 
>> 
>>         --== Initializing Barnyard2 ==--
>> 
>> Initializing Input Plugins!
>> Initializing Output Plugins!
>> Parsing config file "/etc/suricata/barnyard2.conf"
>> Log directory = /var/log/barnyard2
>> alert_bro Connecting to Bro (10.0.67.186:47762)...done.
>> 
>> 
>>         --== Initialization Complete ==--
>> 
>> 
>>   ______   -*> Barnyard2 <*-
>>  / ,,_  \  Version 2.1.9 (Build 263)
>>  |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
>>  + '''' +  (C) Copyright 2008-2010 SecurixLive.
>> 
>> 
>>            Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
>>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
>> 
>> 
>> Using waldo file '/mnt/iscsi/suricata/log/suricata.waldo':
>>     spool directory = /mnt/iscsi/suricata/log
>>     spool filebase  = unified2.alert
>>     time_stamp      = 1389914653
>>     record_idx      = 25442
>> Opened spool file '/mnt/iscsi/suricata/log/unified2.alert.1389914653'
>> 
>> 
>> 
>> The process stops at this point.  If I compile Barnyard2 with debugging enabled I get this:
>> 
>> 
>> sudo barnyard2 -c /etc/suricata/barnyard2.conf -d /mnt/iscsi/suricata/log -f unified2.alert -w /mnt/iscsi/suricata/log/suricata.waldo -v -e
>> 
>> 
>> Running in Continuous mode
>> 
>> 
>>         --== Initializing Barnyard2 ==--
>> Initializing Input Plugins!
>> Initializing Output Plugins!
>> Parsing config file "/etc/suricata/barnyard2.conf"
>> Log directory = /var/log/barnyard2
>> alert_bro Connecting to Bro (10.0.67.186:47762)...done.
>> -------------------------------------------------
>>  Keyword     |          Input @
>> -------------------------------------------------
>> unified2     : init() = 0x4314c6
>> unified2     :   - readRecordHeader() = 0x431539
>> unified2     :   - readRecord()       = 0x4316f8
>> -------------------------------------------------
>> 
>> -------------------------------------------------
>>  Keyword     |          Output @
>> -------------------------------------------------
>> alert_syslog :       0x4267fb
>> log_tcpdump  :       0x4291b3
>> database     :       0x42cd13
>> alert_fast   :       0x425419
>> alert_full   :       0x426021
>> alert_unixsock:       0x427da3
>> alert_csv    :       0x4240e0
>> log_null     :       0x429097
>> log_ascii    :       0x428413
>> alert_bro    :       0x423773
>> alert_test   :       0x427627
>> platypus     :       0x42a058
>> sguil        :       0x42bc14
>> -------------------------------------------------
>> 
>> 
>> 
>>         --== Initialization Complete ==--
>> 
>> 
>>   ______   -*> Barnyard2 <*-
>>  / ,,_  \  Version 2.1.9 (Build 263) DEBUG
>>  |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
>>  + '''' +  (C) Copyright 2008-2010 SecurixLive.
>> 
>> 
>>            Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
>>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
>> 
>> Using waldo file '/mnt/iscsi/suricata/log/suricata.waldo':
>>     spool directory = /mnt/iscsi/suricata/log
>>     spool filebase  = unified2.alert
>>     time_stamp      = 1389914653
>>     record_idx      = 25443
>> Opened spool file '/mnt/iscsi/suricata/log/unified2.alert.1389914653'
>> IP Len field is 6 bytes smaller than captured length.
>>     (ip.len: 40, cap.len: 46)
>> IP Len field is 6 bytes smaller than captured length.
>>     (ip.len: 40, cap.len: 46)
>> IP Len field is 6 bytes smaller than captured length.
>>     (ip.len: 40, cap.len: 46)
>> 
>> 
>> The important section of the Barnyard Config file looks like this:
>> 
>> 
>> input unified2
>> output alert_bro: 10.0.67.186:47762
>> output alert_fast: stdout
>> 
>> 
>> If I comment out the "output alert_bro: 10.0.67.186:47762" then Barnyard executes as expected and I see the Fast Alerts scroll on the screen.
>> 
>> 
> 
> ------------------------------------------------------------------------------
> CenturyLink Cloud: The Leader in Enterprise Cloud Services.
> Learn Why More Businesses Are Choosing CenturyLink Cloud For
> Critical Workloads, Development Environments & Everything In Between.
> Get a Quote or Start a Free Trial Today. 
> http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
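The kernel line Jeremy quotes ("segfault at 10 ip 0000000000423d28 sp 00007fff631c93c0 error 4 in barnyard2[400000+46000]") already carries most of what the barnyard2 developers would want to know: the faulting address 0x10 is a small offset from NULL, and the x86 page-fault error code 4 decodes to a user-mode read of a page that is not mapped, i.e. a read through a NULL struct pointer. The following is an added example, not code from the thread or from the barnyard2 project: a Python parser for that Linux "segfault at" message that extracts the fields, decodes the error-code bits and gives a first-pass classification. The second sample line and all names (SAMPLE_SYSLOG, Segfault, parse_segfaults) are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the kernel line quoted in the thread, one unrelated
# syslog line (ignored by the parser) and one made-up write fault for contrast.
SAMPLE_SYSLOG = """\
Jan 21 13:02:48 ids kernel: [417909.308741] barnyard2[22481]: segfault at 10 ip 0000000000423d28 sp 00007fff631c93c0 error 4 in barnyard2[400000+46000]
Jan 21 13:05:01 ids CRON[22500]: (root) CMD (run-parts /etc/cron.hourly)
Jan 21 13:09:12 ids kernel: [418300.001234] example[22600]: segfault at 7f0000001000 ip 0000000000401234 sp 00007ffd00000000 error 6 in example[400000+2000]
"""

# Shape of the x86-64 "segfault at" message printed by the Linux kernel.
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


@dataclass
class Segfault:
    comm: str   # process name
    pid: int
    addr: int   # faulting data address
    ip: int     # instruction pointer at the fault
    sp: int     # stack pointer at the fault
    err: int    # x86 page-fault error code
    obj: str    # object the ip falls in
    base: int   # start of that mapping
    size: int   # length of that mapping

    def flags(self) -> dict:
        # x86 page-fault error code: bit 0 set = protection violation (clear =
        # page not present), bit 1 set = write (clear = read), bit 2 set =
        # fault taken in user mode, bit 4 set = instruction fetch.
        return {
            "present": bool(self.err & 0x1),
            "write": bool(self.err & 0x2),
            "user": bool(self.err & 0x4),
            "instruction_fetch": bool(self.err & 0x10),
        }

    def ip_offset(self) -> int:
        # Offset of the faulting instruction inside its mapping.
        return self.ip - self.base

    def ip_in_mapping(self) -> bool:
        return self.base <= self.ip < self.base + self.size

    def classify(self) -> str:
        f = self.flags()
        access = "write" if f["write"] else "read"
        if self.addr < 0x1000:
            # Dereferencing a NULL struct pointer lands at NULL + field offset.
            return f"likely NULL-pointer {access} (field offset {self.addr:#x})"
        if f["instruction_fetch"] or not self.ip_in_mapping():
            return "control flow left the mapped code (corrupted return or function pointer?)"
        if f["present"]:
            return f"{access} to a mapped page without permission"
        return f"{access} of an unmapped address {self.addr:#x}"


def parse_segfaults(text: str) -> List[Segfault]:
    """Return one Segfault per kernel 'segfault at' line; other lines are skipped."""
    found = []
    for line in text.splitlines():
        m = SEGFAULT_RE.search(line)
        if not m:
            continue
        found.append(Segfault(
            comm=m["comm"], pid=int(m["pid"]),
            addr=int(m["addr"], 16), ip=int(m["ip"], 16), sp=int(m["sp"], 16),
            err=int(m["err"]), obj=m["obj"],
            base=int(m["base"], 16), size=int(m["size"], 16),
        ))
    return found


if __name__ == "__main__":
    for sf in parse_segfaults(SAMPLE_SYSLOG):
        print(f"{sf.comm}[{sf.pid}] ip={sf.ip:#x} (+{sf.ip_offset():#x} in {sf.obj}) "
              f"flags={sf.flags()} -> {sf.classify()}")
```

For the line from the thread the parser reports a user-mode read of offset 0x10 from NULL, with the ip inside the barnyard2 mapping. Since that mapping starts at 0x400000, the usual link address of a non-PIE binary, the raw ip can be handed to addr2line -e barnyard2 0x423d28 on the debug build to name the source line, which is the detail worth including when asking the barnyard2-users list.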

