Snort mailing list archives
barnyard & log_unified problem
From: Devin Kowatch <dkowatch () scea com>
Date: Wed, 28 Jun 2006 13:46:08 -0700
Hi,
I've had barnyard dying on me occasionally, while reading snort's
log_unified output.
Under snort 2.4.3 Barnyard would die with an "Invalide packet length"
error. After some investigation, it was looking like barnyard was
reading the file correctly (using od to dump the file and matching that
to what barnyard was reading). So I figured the problem with either
that snort was corrupting the file, or there was an incompatability
between barnyard and snort. In any event, I upgraded to snort 2.6.0 to
see if that fixed the problem.
Now under snort 2.6.0 Barnyard is dying with "FATAL ERROR: Out of memory
(wanted 4230306464 bytes)". Using gdb this appears to be happening in
the same function that the "Invalid packet length" error message happens
in (specifically LogDpReadRecord). In this case the cause appears to be
the same as before. Which is to say that the caplen field of the
UnifiedLog record header is way to large [1].
I've seen some other reports of this problem, but haven't found any
resolution to it. I'm hoping that is just because I haven't looked in
the right places, but if not, then hopefully I can be of some help
figuring out what is going wrong.
I get the same error if I run barnyard in daemon mode using the sguil
ouput plugin, or if I run it in one shot mode using the default config
file. All of this is running on an Intel P4 using CentOS. My snort
output configuration is:
output alert_unified: filename snort.alert, limit 512
output log_unified: filename snort.log, limit 512
Any help would be greatly appreciated.
Thanks,
-devink
[1] Barnyard has a sanity check which is supposed to catch excessively
large caplens. When that sanity check fails it leads to the "Invalid
packet length" error message. In this case the sanity check is not
failing because barnyard is converting SnortPktHeader.caplen from an
unsigned value to a signed value prior to performing the sanity check.
Because the value in this case is so large, when the sanity check is
performed, the caplen value is negative, and thus passes the sanity
check. After that it tries to allocate a bunch of memory and fails.
The signed/unsigned thing is probably a separate bug in barnyard, but
I'm not completely sure where to report it. Or is this the correct
forum?
--
Devin Kowatch
Sony Computer Entertainment of America
dkowatch () scea com
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- barnyard & log_unified problem Devin Kowatch (Jun 28)
- Re: barnyard & log_unified problem Bamm Visscher (Jun 28)
- Re: barnyard & log_unified problem Devin Kowatch (Jun 28)
- Re: barnyard & log_unified problem Bamm Visscher (Jun 28)