Snort mailing list archives
Re: [Snort-devel] [Sguil-users] Barnyard stop suddenly
From: "Eric Lauzon" <eric.lauzon () abovesecurity com>
Date: Tue, 10 Oct 2006 11:16:47 -0400
Hi,

We have seen this problem before and there is a way to stop this from happening. Generally the spo_unified module will do multiple fwrite calls to the unified file [dataHeader,eventHeader,Payload], thus it is possible to interrupt snort between one of those fwrite calls, thus corrupting the unified file. The workaround is to use a statically allocated buffer and to write it in a single block.

I have a patched version of spo_unified for the 2.4.x series and 2.6.X series; I might submit them again if needed.

-elz
-----Original Message-----
From: snort-devel-bounces () lists sourceforge net [mailto:snort-devel-bounces () lists sourceforge net] On Behalf Of Bamm Visscher
Sent: Tuesday, October 10, 2006 11:12 AM
To: sguil-users () lists sourceforge net
Cc: Snort; snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] [Sguil-users] Barnyard stop suddenly

This is a snort unified output problem that creeps up every couple of months. I am not sure there has ever been a fix for it. What version of snort are you running?

Bammkkkk

On 10/10/06, Jesús Gálvez <jesuxgalvez () yahoo es> wrote:

> Hi, I have installed snort+sguil+barnyard. My problem is that when some time passes (usually one day), barnyard is down, and I can only raise it by erasing waldo.file and restarting the barnyard service. If I try to raise the service without erasing waldo.file, the syslog gives me the next error:
>
> ERROR: Invalid packet length: 171390775
> Oct 9 11:42:54 localhost barnyard[19280]: FATAL ERROR: Read error
> Oct 9 11:42:54 localhost barnyard[19280]: Exiting
>
> I don't know where the problem can be.

--
sguil - The Analyst Console for NSM
http://sguil.sf.net
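The workaround described in the reply above, sketched as an added example (not Eric Lauzon's patch and not Snort's code): the record is assembled in a static buffer and emitted with one call instead of three, and a reader-side check shows how a record cut short is detected instead of being parsed as a bogus length. The struct layouts, `MAX_PAYLOAD` and all function names are hypothetical, and `write(2)` is used here in place of `fwrite` so that stdio buffering cannot split the record.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical record layout for illustration, NOT Snort's real unified structs. */
struct data_hdr  { uint32_t type; uint32_t length; };  /* length = bytes that follow */
struct event_hdr { uint32_t sig_id; uint32_t ts_sec; };

#define MAX_PAYLOAD 65535u
static uint8_t rec_buf[sizeof(struct data_hdr) + sizeof(struct event_hdr) + MAX_PAYLOAD];

/* Assemble [dataHeader,eventHeader,Payload] in the static buffer; 0 if too large. */
size_t pack_record(const struct event_hdr *ev, const void *payload, uint32_t plen)
{
    struct data_hdr dh = { 1u, (uint32_t)sizeof(*ev) + plen };
    if (plen > MAX_PAYLOAD)
        return 0;
    memcpy(rec_buf, &dh, sizeof(dh));
    memcpy(rec_buf + sizeof(dh), ev, sizeof(*ev));
    memcpy(rec_buf + sizeof(dh) + sizeof(*ev), payload, plen);
    return sizeof(dh) + sizeof(*ev) + plen;
}

/* Emit the whole record with one write(2), so no signal can land between parts. */
int write_record(int fd, const struct event_hdr *ev, const void *payload, uint32_t plen)
{
    size_t n = pack_record(ev, payload, plen);
    ssize_t w;
    if (n == 0) return -1;
    do { w = write(fd, rec_buf, n); } while (w < 0 && errno == EINTR);
    return (w == (ssize_t)n) ? 0 : -1;  /* short write: caller must not append more */
}

/* Reader side: number of leading bytes in buf that form complete records. */
size_t whole_records(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    struct data_hdr dh;
    while (len - off >= sizeof(dh)) {
        memcpy(&dh, buf + off, sizeof(dh));
        if (dh.length < sizeof(struct event_hdr) ||
            dh.length > sizeof(struct event_hdr) + MAX_PAYLOAD ||
            dh.length > len - off - sizeof(dh))
            break;  /* implausible length or record cut short: stop here */
        off += sizeof(dh) + dh.length;
    }
    return off;
}
```

A reader that advances only to the offset returned by `whole_records` stops cleanly at a torn record rather than trusting whatever bytes sit where the next length field should be.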