Snort mailing list archives

Re: Barnyard 'Invalid packet length' error


From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 3 Aug 2004 00:17:29 -0400

What platform is this on?  x86?

You probably don't need the -X switch in there since you're logging in binary (unified) mode.

I looked at the hexdump you listed there; it looks like the size is correct in the SnortPktHeader, so something else is wrong. Any chance you can send a sample unified file along for me to take a look at?

     -Marty


On Jul 26, 2004, at 3:54 PM, Wolf, Brian wrote:

I'm trying to get barnyard working with snort, but it always fails with an "Invalid packet length" error.  My setup is:

        RedHat Enterprise AS 3
        snort 2.1.2
        barnyard 0.2.0
        mysql 12.22 Distrib 4.0.18



Snort, barnyard, and mysql were all built from source and are running on the same machine.  Snort can successfully log directly to mySql if I use the "output database" option.




Snort output config:

output alert_unified: filename snort.binalert, limit 128
output log_unified: filename snort.binlog, limit 128




Snort command line:

/usr/local/snort/bin/snort -i eth0 -D -X -o -c /usr/local/snort/snort.conf -l /usr/local/snort/log




Barnyard config:

config hostname: localhost
config interface: lo
config filter: not port 22
output log_acid_db: mysql, database snort, server localhost, user snort, password <passwd>, detail full



Barnyard command line:

/usr/local/snort/bin/barnyard -c /usr/local/snort/barnyard.conf \
                              -d /usr/local/snort/log \
                              -w /usr/local/snort/bin/waldo.chk \
                              -f snort.binlog \
                              -g /usr/local/snort/rules/gen-msg.map \
                              -s /usr/local/snort/rules/sid-msg.map



Run results:

/usr/local/snort/bin/barnyard -c /usr/local/snort/barnyard.conf -d /usr/local/snort/log -w /usr/local/snort/bin/waldo.chk -f snort.binlog \
     -g /usr/local/snort/rules/gen-msg.map -s /usr/local/snort/rules/sid-msg.map
Barnyard Version 0.2.0 (Build 32)
Opened spool file '/usr/local/snort/log/snort.binlog.1090597145'
ERROR: Invalid packet length: 299008
Read error
Fatal Error, Quitting..
Exiting



The number listed as the invalid packet length changes from run to run, suggesting that either Snort isn't writing the packet size or that Barnyard isn't looking for it in the right location.

Here is the beginning of the log file listed in the above run, although the problem occurs with any log file:

        od -x /usr/local/snort/log/snort.binlog.1090597145

0000000 1080 dead 0001 0002 b9b0 ffff 0000 0000
0000020 05ea 0000 0001 0000 0001 0000 01d2 0000
0000040 0001 0000 0004 0000 0002 0000 0005 0000
0000060 0005 0000 3134 4101 3a4a 000e 0000 8000
0000100 3134 4101 3a4a 000e 004a 0000 004a 0000
0000120 0400 59dc 08da 0600 5cd7 c5e9 0008 0045
0000140 3c00 da8f 0000 0120 2fc1 c7a5 92fa c7a5
0000160 9603 0008 5d07 0003 0145 4241 4443 4645
0000200 4847 4a49 4c4b 4e4d 504f 5251 5453 5655
0000220 4157 4342 4544 4746 4948 0001 0000 01d2
0000240 0000 0001 0000 0104 0000 1200 0004 0600
0000260 0000 1b00 0000 0200 0000 2f00 0000 2f00
0000300 0000 4f00 0131 1d41 031d 9000 0004 4f80
0000320 0131 1d41 031d ee00 0000 ee00 0000 0000
0000340 c708 0afa 009e b302 e75f 083e 4500 0000
0000360 abe0 0094 3b00 8006 42a5 62a9 a51d 08c7
0000400 0d51 0021 a650 ae84 d90b cbdb 5087 ff18
0000420 daff 00ac 5000 4f52 4650 4e49 2044 732f
0000440 6863 6f6f 736c 4820 5454 2f50 2e31 0d31
0000460 440a 7065 6874 203a 0d30 740a 6172 736e
0000500 616c 6574 203a 0d66 550a 6573 2d72 6741
0000520 6e65 3a74 4d20 6369 6f72 6f73 7466 572d





Any suggestions?



- Brian

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org




