Snort mailing list archives

Snort++ Bad Barnyard2 Output

From: Jim Campbell <jim () w4bqp net>
Date: Fri, 11 Aug 2017 10:57:45 -0400

I'm experiencing a problem with the info Barnyard2 is outputting. Thisis the output from /var/log/syslog:

Aug 11 10:09:23 jim-IPS barnyard2[13300]: Opened spool file'/var/log/snort/unified2.log.1502460415'Aug 11 10:09:23 jim-IPS barnyard2[13300]: WARNING database [Database()]:Called with Event[0x6aae080] Event Type [104] (P)acket [0x0],information has not been outputed.

Aug 11 10:09:23 jim-IPS barnyard2[13300]: Waiting for new data

Aug 11 10:10:21 jim-IPS barnyard2[13300]: WARNING database [Database()]:Called with Event[0x6aae080] Event Type [104] (P)acket [0x0],information has not been outputed.

...

This is what Snort++ is writing to /var/log/snort/unified2.log.xxx:

(Event)

sensor id: 0 event id: 1 event second: 1502460469event microsecond: 227128

        sig id: 1       gen id: 142     revision: 1 classification: 26

priority: 3 ip source: 192.168.254.1 ip destination:64.98.36.147src port: 51410 dest port: 110 ip_proto: 255 impact_flag: 0blocked: 0

        mpls label: 0   vlan id: 0      policy id: 0    appid:

Buffer
        sensor_id: 0    event_id: 1     event_second: 1502460469
        packet_second: 1502460469       packet_microsecond: 227128
        packet_length: 42
[    0] 41 47 70 70 62 55 42 33 4E 47 4A 78 63 43 35 75 AGppbUB3NGJxcC5u
[   16] 5A 58 51 41 62 45 6F 7A 61 30 39 78 4E 57 46 4D ZXQAbEoza09xNWFM
[   32] 53 6D 70 47 61 77 3D 3D 0D 0A                    SmpGaw==..

This has probably been occurring for some time but it wasn't apparentuntil I had removed all the "noise" alerts via /etc/snort/dropsid.conf.


Jim

--
"We are not human beings having a spiritual experience;
we are spiritual beings having a human experience."
---Pierre Teilhard de Chardin

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Snort++ Bad Barnyard2 Output Jim Campbell (Aug 11)
- Re: Snort++ Bad Barnyard2 Output Russ via Snort-users (Aug 11)