Snort mailing list archives
barnyard & log_unified problem
From: Devin Kowatch <dkowatch () scea com>
Date: Wed, 28 Jun 2006 13:46:08 -0700
Hi,

I've had barnyard dying on me occasionally while reading snort's log_unified output. Under snort 2.4.3 Barnyard would die with an "Invalid packet length" error. After some investigation, it was looking like barnyard was reading the file correctly (using od to dump the file and matching that to what barnyard was reading). So I figured the problem was either that snort was corrupting the file, or there was an incompatibility between barnyard and snort. In any event, I upgraded to snort 2.6.0 to see if that fixed the problem.

Now under snort 2.6.0 Barnyard is dying with "FATAL ERROR: Out of memory (wanted 4230306464 bytes)". Using gdb this appears to be happening in the same function that the "Invalid packet length" error message happens in (specifically LogDpReadRecord). In this case the cause appears to be the same as before, which is to say that the caplen field of the UnifiedLog record header is way too large [1].

I've seen some other reports of this problem, but haven't found any resolution to it. I'm hoping that is just because I haven't looked in the right places, but if not, then hopefully I can be of some help figuring out what is going wrong.

I get the same error if I run barnyard in daemon mode using the sguil output plugin, or if I run it in one shot mode using the default config file. All of this is running on an Intel P4 using CentOS. My snort output configuration is:

    output alert_unified: filename snort.alert, limit 512
    output log_unified: filename snort.log, limit 512

Any help would be greatly appreciated.

Thanks,
-devink

[1] Barnyard has a sanity check which is supposed to catch excessively large caplens. When that sanity check fails it leads to the "Invalid packet length" error message. In this case the sanity check is not failing because barnyard is converting SnortPktHeader.caplen from an unsigned value to a signed value prior to performing the sanity check. Because the value in this case is so large, when the sanity check is performed, the caplen value is negative, and thus passes the sanity check. After that it tries to allocate a bunch of memory and fails. The signed/unsigned thing is probably a separate bug in barnyard, but I'm not completely sure where to report it. Or is this the correct forum?

--
Devin Kowatch
Sony Computer Entertainment of America
dkowatch () scea com
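The signed/unsigned sanity-check failure described in footnote [1], shown as an added example (not barnyard's or snort's code): the buggy check converts the unsigned caplen to a signed type before comparing, the fixed check compares in the field's own type and refuses to allocate when the check fails. The 65535 bound, the caplen/pktlen relationship test and all function names are assumptions; the caplen value is the one quoted in the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound for a sane capture length (not taken from barnyard). */
#define MAX_SNAPLEN_EXAMPLE 65535u

/* Buggy pattern described in the post: the unsigned on-disk caplen is
 * converted to a signed int before the bound check.  A corrupt value such
 * as 4230306464 wraps negative, "len > MAX" is false, and the record is
 * accepted; the allocation that follows is what reports out-of-memory.
 * Returns 1 if the record is accepted, 0 if rejected. */
int caplen_ok_signed(uint32_t caplen)
{
    int32_t len = (int32_t)caplen;   /* wraps negative for the corrupt value */
    if (len > (int32_t)MAX_SNAPLEN_EXAMPLE)
        return 0;                    /* only positive oversize values are caught */
    return 1;
}

/* Fixed check: compare in the field's own unsigned type, and also reject a
 * zero length or a caplen larger than the wire length (pktlen), which a
 * well-formed record never has.  Both extra tests are assumptions. */
int caplen_ok_unsigned(uint32_t caplen, uint32_t pktlen)
{
    if (caplen == 0 || caplen > MAX_SNAPLEN_EXAMPLE)
        return 0;
    if (caplen > pktlen)
        return 0;
    return 1;
}

/* Allocate the packet buffer only after the unsigned check, so a corrupt
 * header makes the reader skip the record instead of calling malloc()
 * with a multi-gigabyte size.  Returns NULL when the record is rejected. */
unsigned char *alloc_pkt_buffer(uint32_t caplen, uint32_t pktlen)
{
    if (!caplen_ok_unsigned(caplen, pktlen))
        return NULL;
    return malloc(caplen);
}

int main(void)
{
    /* Constructed header values; the first is the size quoted in the post. */
    uint32_t corrupt = 4230306464u, sane = 60u;
    printf("signed check accepts corrupt caplen:   %d\n", caplen_ok_signed(corrupt));
    printf("unsigned check accepts corrupt caplen: %d\n", caplen_ok_unsigned(corrupt, corrupt));
    printf("unsigned check accepts sane caplen:    %d\n", caplen_ok_unsigned(sane, sane));
    return 0;
}
```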