[Snort-users] Help w/ barnyard2 issues

Moore, Jim jmoore at ...16816...
Tue May 20 14:41:42 EDT 2014


I have 2 issues w/ barnyard2 2.1.13 running on a Fedora 19 box.  The box
has 3 sensor interfaces w/ 3 snort instances and 3 barnyard2 instances.
Each of the barnyard2 instances is writing output to a fast alert file
and a remote Postgresql database.  The first problem occurs during
barnyard2 startup.  When the instance initializes the database
connection it encounters a fatal error like so:

ERROR database: Query [SELECT sig_id FROM signature WHERE (sig_sid  =
'17688') AND (sig_gid  = '1') AND (sig_rev  = '9') AND (sig_class_id =
'9') AND (sig_priority = '1') AND (sig_name = 'BROWSER-IE Microsoft
Internet Explorer userdata behavior memory corruption attempt'); ]
returned more than one result

So far, the only fix I have been able to come up w/ is to hand-remove
the existing row from the signature table and restart 1 barnyard2
instance.  The 2nd instance encounters the same error, so I repeat the
process for all 3 instances.

The second problem involves creating ASCII log output.  I have found
what appears to be some kind of error using BASE 1.4.5, in that the
packet data logged w/ some alerts does not match the patterns defined in
the alert signature.  To help isolate the source of the problem I wanted
to create ASCII log output along w/ database logging so I could compare
the two results.  But I have not been able to get ASCII log output at
all.  What would I have to do to generate ASCII log output?  Run a
separate barnyard2 instance just for ASCII logging?  Run a separate
snort instance w/ ASCII log output?

Jim Moore

-- 
James J. Moore, Network Administrator
NexTier Bank
245 Pittsburgh Road
Butler, PA  16001
jmoore at ...16816...
Phone: 724-214-6205
Cell:  724-355-6718

This message and any attachments are intended for the sole use
of the addressee and may contain information that is privileged 
and confidential.  If the reader of the message is not the intended
recipient or an authorized  representative of the intended recipient,
you are hereby notified that any dissemination of this communication
is strictly prohibited.  If you have received this communication in error,
notify the sender immediately by return email and delete the message
and any attachments from your system.



More information about the Snort-users mailing list