Snort mailing list archives

Re: [Sguil-users] Barnyard problem


From: "Smith, Brad" <brad.smith () saskeds com>
Date: Thu, 18 Jan 2007 08:14:39 -0600

Yes, as you indicated, that was the problem. Seemed a bit drastic but it worked. Everything is back up and running 
again. Next time I won't try to solve the problem on my own for days before taking action. :-)
 
Brad

________________________________

From: sguil-users-bounces () lists sourceforge net on behalf of Bamm Visscher
Sent: Wed 1/17/2007 10:18 AM
To: sguil-users () lists sourceforge net
Cc: Snort; snort-devel () lists sourceforge net
Subject: Re: [Sguil-users] Barnyard problem



AFAIK, that is a bug in Snort's unified output plugin. For all
practical purposes, the file /nsm/snortsrv//snort.log.1167545618 is
corrupt. To recover, stop snort and barnyard. Then remove (or move)
all the snort.log.####### files in /nsm/snortsrv (not the ones in
/nsm/snortsrv/dailylogs/). Finally, remove your waldo.file and restart
snort and barnyard.

The downside is any alert that happened after the file became
corrupted is gone. I don't know of any fix; probably the best thing
you can do to limit the impact this can cause again is to restart
snort on a regular basis, as snort will create a new unified file each
time.

Bammkkkk


On 1/17/07, Smith, Brad <brad.smith () saskeds com> wrote:
A couple of weeks ago my barnyard portion of the sensor just quit. Not exactly sure what happened but it won't start 
up again. The main reason seems to be the invalid packet length as indicated in the screen capture below. Is there a 
way to edit this file and remove the offending line of data, or how can I recover from this? The sensor is running 
FreeBSD 6.1.

Thanks,

Brad

------------------------

Barnyard Version 0.2.0 (Build 32)
Command line arguments:
  Config file:           /usr/local/etc/nsm/barnyard.conf
  Spool dir:             /nsm/snortsrv/
  Gen-msg file:          gen-msg.map
  Sid-msg file:          sid-msg.map
  Class file:            Not specified
  Log dir:               Not specified
  Archive dir:           Not specified
  File base:             snort.log
  Waldo file:            /nsm/snortsrv/waldo.file
  Pid file:              Not specified
  Verbosity level:       3
  Dry run flag:          Not Set
  Batch mode flag:       Not Set
  Daemon flag:           Not Set
  New records only flag: Not Set
  Usage flag:            Not Set
  Version flag:          Not Set
Config file variables:
  Hostname:        snortsrv
  Interface:       fxp1
  BPF Filter:
  Class file:      Not specified
  Sid-msg file:    Not specified
  Gen-msg file:    Not specified
  Daemon flag:     Not Set
  Localtime flag:  Not Set
Starting data processing using information from bookmark file
Program Variables:
  Continual processing mode
  Config dir:    /usr/local/etc/nsm
  Config file:   /usr/local/etc/nsm/barnyard.conf
  Sid-msg file:  /usr/local/etc/nsm/sid-msg.map
  Gen-msg file:  /usr/local/etc/nsm/gen-msg.map
  Class file:    /usr/local/etc/nsm/classification.config
  Hostname:      snortsrv
  Interface:     fxp1
  BPF Filter:
  Log dir:       /var/log/snort
  Verbosity:     3
  Localtime:     0
  Spool dir:     /nsm/snortsrv/
  Spool file:    snort.log
  Bookmark file: /nsm/snortsrv/waldo.file
  Record Number: 838345
  Timet:         1167545618
  Start at end:  0
Opened spool file '/nsm/snortsrv//snort.log.1167545618'
OpSguil configured
Connected to localhost on 7735.
Waiting for sid and cid from sensor_agent.
Sent: SidCidRequest snortsrv
Received: SidCidResponse 1 10202700
Sensor ID: 1
Last cid: 10202700
Sensor Name: snortsrv
Agent Port: 7735
ERROR: Invalid packet length: 976577328
Read error
Fatal Error, Quitting..
Exiting


_______________________________________________
Sguil-users mailing list
Sguil-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/sguil-users



--
sguil - The Analyst Console for NSM
http://sguil.sf.net




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
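Bamm's recovery steps from the thread (stop both daemons, clear the snort.log.* files in the spool directory but leave dailylogs/ alone, remove waldo.file, restart) written up as a POSIX shell function. This is an added example, not a script from the thread or from the Sguil project; the function name, the quarantine directory (files are moved there instead of deleted so the corrupt unified file can still be examined) and the pgrep-based check that snort and barnyard are stopped are assumptions.

```shell
#!/bin/sh
# Added example: recover a Sguil sensor spool after a corrupt unified file.
# Assumes the layout quoted in the thread: spool dir (e.g. /nsm/snortsrv) holding
# snort.log.<epoch> files and waldo.file, with daily archives in dailylogs/.
#
# recover_spool SPOOL_DIR QUARANTINE_DIR
#   prints the number of spool files moved; returns 0 on success,
#   1 if snort or barnyard is still running, 2 on a bad path.
recover_spool() {
    spool="$1"
    quarantine="$2"
    [ -d "$spool" ] || { echo "spool dir '$spool' missing" >&2; return 2; }

    # The procedure only makes sense with both daemons stopped: snort would
    # keep writing to the unified file and barnyard would keep reading it.
    # (Process names are an assumption; adjust to the local rc scripts.)
    if pgrep -x snort >/dev/null 2>&1 || pgrep -x barnyard >/dev/null 2>&1; then
        echo "stop snort and barnyard before recovering the spool" >&2
        return 1
    fi

    mkdir -p "$quarantine" || return 2
    moved=0
    # Glob only the top level of the spool dir, so dailylogs/ is never touched.
    for f in "$spool"/snort.log.*; do
        [ -f "$f" ] || continue        # no match leaves the literal pattern
        mv "$f" "$quarantine"/ && moved=$((moved + 1))
    done

    # The bookmark points into a file that is gone; removing it makes barnyard
    # start from the new unified file snort creates on restart.
    rm -f "$spool/waldo.file"

    echo "$moved"
    return 0
}
```

Run it as `recover_spool /nsm/snortsrv /nsm/quarantine` after stopping snort and barnyard, then restart both; the alerts recorded after the corruption point are still lost, as the thread says.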

