[Snort-users] Snort++ Bad Barnyard2 Output

Russ rucombs at cisco.com
Fri Aug 11 12:39:19 EDT 2017


Jim, you are correct.  This goes way back.  I mentioned previously wrt 
buffers vs packets.  Given the state of things with the barnyard2 tool 
chain we are planning an update to workaround that until a new solution 
is available.

On 8/11/17 10:57 AM, Jim Campbell wrote:
> I'm experiencing a problem with the info Barnyard2 is outputting. This 
> is the output from /var/log/syslog:
>
> Aug 11 10:09:23 jim-IPS barnyard2[13300]: Opened spool file 
> '/var/log/snort/unified2.log.1502460415'
> Aug 11 10:09:23 jim-IPS barnyard2[13300]: WARNING database 
> [Database()]: Called with Event[0x6aae080] Event Type [104] (P)acket 
> [0x0], information has not been outputed.
> Aug 11 10:09:23 jim-IPS barnyard2[13300]: Waiting for new data
> Aug 11 10:10:21 jim-IPS barnyard2[13300]: WARNING database 
> [Database()]: Called with Event[0x6aae080] Event Type [104] (P)acket 
> [0x0], information has not been outputed.
> ...
>
> This is what Snort++ is writing to /var/log/snort/unified2.log.xxx:
>
> (Event)
>         sensor id: 0    event id: 1     event second: 
> 1502460469        event microsecond: 227128
>         sig id: 1       gen id: 142     revision: 1 classification: 26
>         priority: 3     ip source: 192.168.254.1        ip 
> destination: 64.98.36.147
>         src port: 51410 dest port: 110  ip_proto: 255 impact_flag: 0  
> blocked: 0
>         mpls label: 0   vlan id: 0      policy id: 0    appid:
>
> Buffer
>         sensor_id: 0    event_id: 1     event_second: 1502460469
>         packet_second: 1502460469       packet_microsecond: 227128
>         packet_length: 42
> [    0] 41 47 70 70 62 55 42 33 4E 47 4A 78 63 43 35 75 AGppbUB3NGJxcC5u
> [   16] 5A 58 51 41 62 45 6F 7A 61 30 39 78 4E 57 46 4D ZXQAbEoza09xNWFM
> [   32] 53 6D 70 47 61 77 3D 3D 0D 0A SmpGaw==..
>
> This has probably been occurring for some time but it wasn't apparent 
> until I had removed all the "noise" alerts via /etc/snort/dropsid.conf.
>
> Jim
>
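The thread above comes down to which record follows each event in the unified2 spool: barnyard2 expects a packet record, while Snort++ writes a buffer record instead. The following added example (not code from either thread participant or from the Snort/barnyard2 projects) walks a unified2 stream by its 4-byte type / 4-byte length record headers and reports event records that are not followed by a packet record, which is the condition behind the "information has not been outputed" warning. Record types 2 (packet) and 104 (the event type in the warning) are from the unified2 headers; the value 3 for the Snort++ buffer record is an assumption, and the sample spool is constructed.

```python
import struct

# Unified2 record types from unified2_common.h: 2 = packet, 104 = IDS event
# with VLAN (the type in the barnyard2 warning). 3 for the Snort++ "Buffer"
# record is an ASSUMPTION taken from the Snort 3 sources, not from the post.
UNIFIED2_PACKET = 2
UNIFIED2_BUFFER = 3
EVENT_TYPES = {7, 72, 99, 100, 104, 105}  # IDS event record variants


def iter_records(data: bytes):
    """Yield (type, body) per record; each record starts with a big-endian
    u32 type followed by a big-endian u32 body length."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        off += 8
        if off + rlen > len(data):
            raise ValueError(f"truncated record at offset {off - 8}")
        yield rtype, data[off:off + rlen]
        off += rlen


def events_without_packet(data: bytes):
    """Return [(record_index, following_type)] for every event record that
    is not immediately followed by a UNIFIED2_PACKET record. barnyard2's
    database output needs that packet; an event followed by a buffer (or by
    nothing) is logged with Packet [0x0] and dropped."""
    recs = list(iter_records(data))
    missing = []
    for i, (rtype, _) in enumerate(recs):
        if rtype in EVENT_TYPES:
            nxt = recs[i + 1][0] if i + 1 < len(recs) else None
            if nxt != UNIFIED2_PACKET:
                missing.append((i, nxt))
    return missing


def make_record(rtype: int, body: bytes) -> bytes:
    return struct.pack(">II", rtype, len(body)) + body


# Constructed spool: an event/packet pair as barnyard2 expects, then an
# event followed by a buffer record as Snort++ writes it (bodies are dummies).
SAMPLE = (
    make_record(104, b"\x00" * 60)
    + make_record(UNIFIED2_PACKET, b"\x00" * 20 + b"\xde\xad")
    + make_record(104, b"\x00" * 60)
    + make_record(UNIFIED2_BUFFER, b"\x00" * 20 + b"AGppbUB3NGJxcC5u")
)

if __name__ == "__main__":
    for idx, nxt in events_without_packet(SAMPLE):
        print(f"event record #{idx} not followed by a packet (next type: {nxt})")
```

Run it against a real spool with `events_without_packet(open(path, "rb").read())` to confirm whether the events barnyard2 drops are exactly those paired with buffer records.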
