Snort mailing list archives

Re: [Snort-Users] Barnyard2 not starting


From: beenph <beenph () gmail com>
Date: Fri, 8 Jul 2011 13:26:54 -0400

On Fri, Jul 8, 2011 at 1:11 PM, Michael Lubinski
<michael.lubinski () gmail com> wrote:
> After barnyard2 randomly crashes I try to restart and I get this error;
>
>   --== Initialization Complete ==--
> Jul  8 12:05:37 sensor barnyard2[6819]: Barnyard2 initialization completed successfully (pid=6819)
> Jul  8 12:05:37 sensor barnyard2[6819]: Using waldo file '/var/log/snort/barnyard2.waldo':     spool directory = /snortlogs     spool filebase  = snort.u2     time_stamp      = 1310131063     record_idx      = 103
> Jul  8 12:05:37 sensor barnyard2[6819]: Opened spool file '/snortlogs/snort.u2.1310131063'
> Jul  8 12:05:37 sensor barnyard2[6819]: FATAL ERROR: Unknown record type read: 110
>
> Snort stays running but randomly barnyard2 crashes.


Ok, it's not a crash. It's a symptom caused by the Extra data record type.

Now I see that you are running 2-1.8.

This is fixed in 2-1.9 that you can fetch at
https://github.com/firnsy/barnyard2/tree/v2-1.9.

Once you download it, you will need to read the README that will guide
you through the build process
(mainly: use autoreconf before ./configure (your option), make, and then
copy the barnyard2 binary where needed).


Now, 2-1.9 and the upcoming 2-1.10 handle extra records but will ignore them.

There is a chance that output modules in the 2-2.x series start to handle
extra data, but this is not a fixed feature yet;
a lot of things have to fall into place before a concrete way to handle
extra-data records is passed to output plugins for processing.


I hope it will fix your issue.

-elz
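
The reply above attributes the fatal error to extra-data records (type 110) in the spool file. The following Python script is an added example, not part of the original message or of barnyard2: it walks the record headers of a unified2 file and counts record types, so you can confirm whether type 110 is present before upgrading. The 8-byte header layout and the type names come from Snort's unified2 format rather than from the post, and the sample bytes are constructed with zero-filled bodies.

```python
import io
import struct
from collections import Counter

# Unified2 record header: 32-bit type and 32-bit body length, both in
# network byte order, followed by `length` bytes of record body.
HEADER = struct.Struct(">II")
EXTRA_DATA = 110  # the type barnyard2 2-1.8 reported as unknown

# Type numbers from Snort's unified2 definitions (not from the post).
NAMES = {2: "packet", 7: "event", 72: "event-ipv6", 104: "event-v2",
         105: "event-ipv6-v2", EXTRA_DATA: "extra-data"}

def scan_unified2(stream):
    """Return (Counter of record types, index of first extra-data
    record or None, True if the file ends in a partial record)."""
    counts, first_extra, index = Counter(), None, 0
    while True:
        header = stream.read(HEADER.size)
        if not header:
            return counts, first_extra, False   # clean end of file
        if len(header) < HEADER.size:
            return counts, first_extra, True    # partial header
        rtype, length = HEADER.unpack(header)
        body = stream.read(length)
        if len(body) < length:
            return counts, first_extra, True    # partial body
        counts[rtype] += 1
        if rtype == EXTRA_DATA and first_extra is None:
            first_extra = index
        index += 1

def record(rtype, body):
    """Build one constructed record for the sample below."""
    return HEADER.pack(rtype, len(body)) + body

# Constructed sample: event, packet, extra data, then a record cut short
# the way a spool file looks while Snort is still writing to it.
SAMPLE = (record(104, b"\x00" * 60) + record(2, b"\x00" * 80) +
          record(EXTRA_DATA, b"\x00" * 32) + record(104, b"\x00" * 60)[:20])

if __name__ == "__main__":
    counts, first_extra, partial = scan_unified2(io.BytesIO(SAMPLE))
    for rtype, n in sorted(counts.items()):
        print(f"type {rtype:3d} ({NAMES.get(rtype, 'unknown')}): {n}")
    print("first extra-data record index:", first_extra, "partial:", partial)
```

To check a real spool file, pass `open(path, "rb")` to `scan_unified2` instead of the in-memory sample.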
