[Snort-users] Snort++ Bad Barnyard2 Output

Jim Campbell jim at w4bqp.net
Fri Aug 11 10:57:45 EDT 2017


I'm experiencing a problem with the info Barnyard2 is outputting. This 
is the output from /var/log/syslog:

Aug 11 10:09:23 jim-IPS barnyard2[13300]: Opened spool file '/var/log/snort/unified2.log.1502460415'
Aug 11 10:09:23 jim-IPS barnyard2[13300]: WARNING database [Database()]: Called with Event[0x6aae080] Event Type [104] (P)acket [0x0], information has not been outputed.
Aug 11 10:09:23 jim-IPS barnyard2[13300]: Waiting for new data
Aug 11 10:10:21 jim-IPS barnyard2[13300]: WARNING database [Database()]: Called with Event[0x6aae080] Event Type [104] (P)acket [0x0], information has not been outputed.
...

This is what Snort++ is writing to /var/log/snort/unified2.log.xxx:

(Event)
         sensor id: 0    event id: 1     event second: 1502460469        event microsecond: 227128
         sig id: 1       gen id: 142     revision: 1     classification: 26
         priority: 3     ip source: 192.168.254.1        ip destination: 64.98.36.147
         src port: 51410 dest port: 110  ip_proto: 255   impact_flag: 0  blocked: 0
         mpls label: 0   vlan id: 0      policy id: 0    appid:

Buffer
         sensor_id: 0    event_id: 1     event_second: 1502460469
         packet_second: 1502460469       packet_microsecond: 227128
         packet_length: 42
[    0] 41 47 70 70 62 55 42 33 4E 47 4A 78 63 43 35 75 AGppbUB3NGJxcC5u
[   16] 5A 58 51 41 62 45 6F 7A 61 30 39 78 4E 57 46 4D ZXQAbEoza09xNWFM
[   32] 53 6D 70 47 61 77 3D 3D 0D 0A                    SmpGaw==..

This has probably been occurring for some time, but it wasn't apparent 
until I removed all the "noise" alerts via /etc/snort/dropsid.conf.

Jim

-- 
"We are not human beings having a spiritual experience;
we are spiritual beings having a human experience."
---Pierre Teilhard de Chardin
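As an added example (not code from the post, from Snort++ or from barnyard2), here is a small Python walker for a unified2 spool that reads the record headers, pairs each type 104 event with whichever Packet or Buffer record follows it, and lists the events for which no Packet record exists at all. That is the condition the warning above reports: the database plugin was handed the event with a NULL packet pointer ((P)acket [0x0]), and the u2spewfoo dump in the post shows a Buffer record rather than a Packet record after the event. The record type numbers (2 Packet, 3 Buffer, 104 IDS_EVENT_VLAN), the 124-byte layout of the type 104 event with its 64-byte app_name field, and the Buffer header layout are assumptions taken from the unified2 format rather than from the post; the spool bytes are constructed inline so the script runs offline. Point it at a real spool by replacing SAMPLE_SPOOL with the file's contents.

```python
import struct
import ipaddress

# unified2 record type numbers (assumed from the unified2 format, not from the post)
UNIFIED2_PACKET = 2
UNIFIED2_BUFFER = 3
UNIFIED2_IDS_EVENT_VLAN = 104


def iter_records(data):
    """Yield (record_type, body) for every record in a unified2 spool.
    Each record is a big-endian (type, length) header followed by `length` bytes."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        off += 8
        if off + rlen > len(data):
            raise ValueError("truncated unified2 record at offset %d" % (off - 8))
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_event_vlan(body):
    """Parse the fixed fields of a type 104 event, in the order u2spewfoo prints them."""
    f = struct.unpack_from("!11I", body, 0)  # sensor, event id, sec, usec, sid, gid, rev, class, prio, src, dst
    sport, dport, proto, _impact_flag, _impact, blocked = struct.unpack_from("!HHBBBB", body, 44)
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "sid": f[4], "gid": f[5],
        "src": str(ipaddress.IPv4Address(f[9])), "dst": str(ipaddress.IPv4Address(f[10])),
        "sport": sport, "dport": dport, "proto": proto, "blocked": blocked,
    }


def event_key(ev):
    # Packet and Buffer records are tied to their event by this triple.
    return (ev["sensor_id"], ev["event_id"], ev["event_second"])


def events_without_packet(data):
    """Return the events that have no UNIFIED2_PACKET record in the spool,
    each tagged with whether a UNIFIED2_BUFFER record was written for it instead."""
    events, with_packet, with_buffer = {}, set(), set()
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT_VLAN:
            ev = parse_event_vlan(body)
            events[event_key(ev)] = ev
        elif rtype in (UNIFIED2_PACKET, UNIFIED2_BUFFER):
            key = struct.unpack_from("!3I", body, 0)  # sensor_id, event_id, event_second
            (with_packet if rtype == UNIFIED2_PACKET else with_buffer).add(key)
    return [dict(ev, has_buffer=key in with_buffer)
            for key, ev in events.items() if key not in with_packet]


# --- builders used only to construct the sample spool below ---

def _record(rtype, body):
    return struct.pack("!II", rtype, len(body)) + body


def make_event_vlan(sensor_id, event_id, event_second, sid, gid, src, dst, sport, dport, proto):
    body = struct.pack("!11I", sensor_id, event_id, event_second, 0, sid, gid, 1, 0, 3,
                       int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)))
    body += struct.pack("!HHBBBB", sport, dport, proto, 0, 0, 0)
    body += struct.pack("!IHH", 0, 0, 0)   # mpls label, vlan id, policy id
    body += b"\0" * 64                     # app_name, empty as in the post's dump
    return _record(UNIFIED2_IDS_EVENT_VLAN, body)


def make_packet(sensor_id, event_id, event_second, payload, linktype=1):
    hdr = struct.pack("!7I", sensor_id, event_id, event_second, event_second, 0, linktype, len(payload))
    return _record(UNIFIED2_PACKET, hdr + payload)


def make_buffer(sensor_id, event_id, event_second, payload):
    hdr = struct.pack("!6I", sensor_id, event_id, event_second, event_second, 0, len(payload))
    return _record(UNIFIED2_BUFFER, hdr + payload)


# Constructed sample spool: event 1 mirrors the post (gid 142, sid 1, port 110) and is
# followed only by a Buffer record; event 2 is followed by a Packet record.
SAMPLE_SPOOL = (
    make_event_vlan(0, 1, 1502460469, 1, 142, "192.168.254.1", "64.98.36.147", 51410, 110, 255)
    + make_buffer(0, 1, 1502460469, b"AUTH PLAIN\r\n")   # constructed buffer payload
    + make_event_vlan(0, 2, 1502460470, 2, 1, "192.168.254.1", "64.98.36.147", 51411, 110, 6)
    + make_packet(0, 2, 1502460470, b"\x00" * 42)        # constructed packet bytes
)

if __name__ == "__main__":
    for ev in events_without_packet(SAMPLE_SPOOL):
        print("event %(sensor_id)d/%(event_id)d/%(event_second)d gid %(gid)d sid %(sid)d "
              "%(src)s:%(sport)d -> %(dst)s:%(dport)d has no Packet record "
              "(Buffer record present: %(has_buffer)s)" % ev)
```

Only type 104 events are decoded here; a spool from an IPv6 sensor also carries type 105 records, which would need their own parser with 16-byte addresses before they could be matched the same way.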