Snort mailing list archives
RE: barnyard
From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Tue, 5 Aug 2003 06:36:20 -0600
I am not using the -b switch for snort. However, I did figure out the problem and it turned out to be a permissions issue for that directory.

Thanks

-----Original Message-----
From: Chris Keladis [mailto:Chris.Keladis () cmc optus net au]
Sent: Monday, August 04, 2003 4:17 PM
To: Slighter, Tim
Cc: Snort-Users (E-mail)
Subject: Re: [Snort-users] barnyard

Slighter, Tim wrote:

Hi Tim,

> I keep getting these pestering errors when trying to start barnyard:
> "unable to open spool file"
>
> here is what snort says:
> output log_unified: filename snort.log, limit 128
>
> barnyard is then instructed to run as this:
> barnyard -c /usr/local/barnyard/barnyard.conf -d /var/log/snort -g /usr/local/snort/etc/gen-msg.map -s /usr/local/snort/etc/sid-msg.map -w /usr/local/snort/waldo.file -f snort.log
>
> checked in /var/log/snort and the snort.log file is there

Tim, are you by any chance starting Snort with the '-b' switch?

If so, it can cause some confusion because the binary tcpdump log (created by '-b') is also named snort.log, so barnyard looks and finds snort.log, but it's really a capture file, not a unified log. (Other symptoms of this problem are that Barnyard also reports a wrong "magic number").

This is correct behaviour since the command line switches are supposed to override the conf file settings, but it was very annoying and a hard-to-find bug, to say the least.

As a number of people have had similar problems, I suggest it may be a good idea to rename (the unified) snort.log to unified_snort.log, to minimize confusion between unified and capture snort.log.

Cheers,

Chris.
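A pre-flight check for the two causes of "unable to open spool file" discussed in this thread (directory or file permissions, and a tcpdump capture sharing the unified log's base name), as an added example that is not part of the original messages. The function names and sample files are constructed for illustration; the magic values are the libpcap file magic and the ALERT_MAGIC / LOG_MAGIC constants from Snort's unified output plugin.

```python
import os
import struct
import tempfile

# First four bytes of each file type. pcap: libpcap file format.
# Unified: ALERT_MAGIC / LOG_MAGIC in Snort's spo_unified output plugin.
MAGICS = {
    0xA1B2C3D4: "tcpdump capture (pcap)",
    0xDEAD4137: "unified alert",
    0xDEAD1080: "unified log",
}

def classify(path):
    """Return a verdict string for one candidate spool file."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except PermissionError:
        return "unreadable (permissions)"
    if len(head) < 4:
        return "too short"
    # Files are written in the sensor's byte order, so try both.
    for fmt in ("<I", ">I"):
        kind = MAGICS.get(struct.unpack(fmt, head)[0])
        if kind:
            return kind
    return "unknown magic"

def check_spool(directory, base):
    """Classify every file in `directory` whose name starts with `base`."""
    if not os.access(directory, os.R_OK | os.X_OK):
        return {directory: "unreadable (permissions)"}
    return {name: classify(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if name.startswith(base)}

def demo():
    """Constructed sample: a pcap and a unified log sharing one base name."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"snort.log": 0xA1B2C3D4, "snort.log.1060000000": 0xDEAD1080}
        for name, magic in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(struct.pack("<I", magic) + b"\x00" * 20)
        return check_spool(d, "snort.log")

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run `check_spool` as the account barnyard runs under, with the same directory and base name passed to `-d` and `-f`, so that the permission result reflects what barnyard itself will see.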