Snort mailing list archives

Re: [Snort-devel] [Sguil-users] Barnyard problem


From: "Eric Lauzon" <eric.lauzon () abovesecurity com>
Date: Wed, 17 Jan 2007 13:24:36 -0500

Greetings,

The initial issue is mainly due to the fact that the original
unified output modes were writing sequentially to the file;
thus if in any way snort was stopped intentionally or unintentionally
while writing one of the data chunks, it would create a corrupted file.

This issue has been partially fixed in a patch that I submitted a while
ago, but my patch didn't cover the last unified output mode.

Thus I might re-submit a more recent patch that completely fixes this
issue for all unified output modes.

To prevent that issue [unified log writing race condition] you
can turn down the interface on which snort is listening [ifconfig
<inameN> down],
resulting in the pcap_loop() or pcap_dispatch() call failing, thus ensuring
that snort is not currently writing to the unified file.

I shall send the new patch today for the snort 2.6.1N series to the snort-devel
list.

I hope it might help.

-elz
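The failure described above (a writer stopped between two data chunks leaves a half-written record at the end of the file) and the sanity check behind the "Invalid packet length" error quoted further down can be shown with a small reader that stops at the first bad record and trims the file back to the last complete one. This is an added example, not code from Snort, barnyard or anyone in this thread; the record layout (four uint32 fields then packet bytes), the MAGIC marker and the SNAPLEN limit are assumptions standing in for the real unified format.

```python
import struct

# Simplified unified-log record layout, an assumption made for this example
# (not Snort's real on-disk struct): four little-endian uint32 fields
# (sec, usec, caplen, pktlen) followed by caplen bytes of packet data.
HDR = struct.Struct("<IIII")
MAGIC = b"ULOG"    # constructed file magic, stands in for the real header
SNAPLEN = 1514     # no captured packet can legitimately exceed this

def parse_records(data, snaplen=SNAPLEN):
    """Return (records, good_end, error): the complete (sec, usec, packet)
    tuples, the offset of the last intact record boundary, and None for a
    clean file or a description of the first record failing its sanity
    check (the point where a reader like barnyard gives up)."""
    if not data.startswith(MAGIC):
        return [], 0, "bad file magic"
    off, recs = len(MAGIC), []
    while off < len(data):
        if len(data) - off < HDR.size:
            return recs, off, "truncated record header at offset %d" % off
        sec, usec, caplen, pktlen = HDR.unpack_from(data, off)
        # A length above the snaplen or the wire length cannot be real:
        # the header bytes are garbage or the reader is misaligned.
        if caplen > snaplen or caplen > pktlen:
            return recs, off, "invalid packet length %d at offset %d" % (caplen, off)
        start = off + HDR.size
        if len(data) - start < caplen:
            # Writer stopped mid-record: header present, packet data not.
            return recs, off, "truncated packet data at offset %d" % off
        recs.append((sec, usec, data[start:start + caplen]))
        off = start + caplen
    return recs, off, None

def recover(data):
    """Cut the file back to its last complete record so the events that
    survived can still be consumed; returns (trimmed, count, error)."""
    recs, good_end, err = parse_records(data)
    return data[:good_end], len(recs), err

def build_record(sec, usec, pkt):
    return HDR.pack(sec, usec, len(pkt), len(pkt)) + pkt

# Constructed samples. TRUNCATED: two good records, then a third cut off after
# 25 bytes because the writer was stopped mid-write. GARBAGE: a good record
# followed by a header whose length field is the value from the barnyard error.
TRUNCATED = (MAGIC + build_record(1167545618, 1, b"\x45\x00" * 20)
             + build_record(1167545619, 2, b"\x45\x00" * 30)
             + build_record(1167545620, 3, b"\x45\x00" * 40)[:25])
GARBAGE = (MAGIC + build_record(1167545618, 1, b"\x45" * 10)
           + HDR.pack(1167545619, 2, 976577328, 976577328) + b"\x00" * 8)
```

Running recover() over a spool file and writing the trimmed copy back keeps the events logged before the corruption instead of discarding the whole file; the waldo bookmark still has to be reset so the reader does not seek past the new end.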

 

-----Original Message-----
From: snort-devel-bounces () lists sourceforge net 
[mailto:snort-devel-bounces () lists sourceforge net] On Behalf 
Of Bamm Visscher
Sent: Wednesday, January 17, 2007 11:18 AM
To: sguil-users () lists sourceforge net
Cc: Snort; snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] [Sguil-users] Barnyard problem

AFAIK, that is a bug in Snort's unified output plugin. For 
all practical purposes, the file 
/nsm/snortsrv//snort.log.1167545618 is corrupt. To recover, 
stop snort and barnyard. Then remove (or move) all the 
snort.log.####### files in /nsm/snortsrv (not the ones in 
/nsm/snortsrv/dailylogs/). Finally, remove your waldo.file 
and restart snort and barnyard.

The downside is that any alert that happened after the file became 
corrupted is gone. I don't know of any fix; probably the best 
thing you can do to limit the impact if this happens again is 
to restart snort on a regular basis, as snort will create a 
new unified file each time.

Bammkkkk


On 1/17/07, Smith, Brad <brad.smith () saskeds com> wrote:
A couple of weeks ago my barnyard portion of the sensor 
just quit. Not exactly sure what happened, but it won't start 
up again. The main reason seems to be the invalid packet 
length as indicated in the screen capture below. Is there a 
way to edit this file and remove the offending line of data, 
or how can I recover from this? The sensor is running FreeBSD 6.1.

Thanks,

Brad

------------------------

Barnyard Version 0.2.0 (Build 32)
Command line arguments:
  Config file:           /usr/local/etc/nsm/barnyard.conf
  Spool dir:             /nsm/snortsrv/
  Gen-msg file:          gen-msg.map
  Sid-msg file:          sid-msg.map
  Class file:            Not specified
  Log dir:               Not specified
  Archive dir:           Not specified
  File base:             snort.log
  Waldo file:            /nsm/snortsrv/waldo.file
  Pid file:              Not specified
  Verbosity level:       3
  Dry run flag:          Not Set
  Batch mode flag:       Not Set
  Daemon flag:           Not Set
  New records only flag: Not Set
  Usage flag:            Not Set
  Version flag:          Not Set
Config file variables:
  Hostname:        snortsrv
  Interface:       fxp1
  BPF Filter:
  Class file:      Not specified
  Sid-msg file:    Not specified
  Gen-msg file:    Not specified
  Daemon flag:     Not Set
  Localtime flag:  Not Set
Starting data processing using information from bookmark file
Program Variables:
  Continual processing mode
  Config dir:    /usr/local/etc/nsm
  Config file:   /usr/local/etc/nsm/barnyard.conf
  Sid-msg file:  /usr/local/etc/nsm/sid-msg.map
  Gen-msg file:  /usr/local/etc/nsm/gen-msg.map
  Class file:    /usr/local/etc/nsm/classification.config
  Hostname:      snortsrv
  Interface:     fxp1
  BPF Filter:
  Log dir:       /var/log/snort
  Verbosity:     3
  Localtime:     0
  Spool dir:     /nsm/snortsrv/
  Spool file:    snort.log
  Bookmark file: /nsm/snortsrv/waldo.file
  Record Number: 838345
  Timet:         1167545618
  Start at end:  0
Opened spool file '/nsm/snortsrv//snort.log.1167545618'
OpSguil configured
Connected to localhost on 7735.
Waiting for sid and cid from sensor_agent.
Sent: SidCidRequest snortsrv
Received: SidCidResponse 1 10202700
Sensor ID: 1
Last cid: 10202700
Sensor Name: snortsrv
Agent Port: 7735
ERROR: Invalid packet length: 976577328 Read error Fatal Error, 
Quitting..
Exiting




--
sguil - The Analyst Console for NSM
http://sguil.sf.net


