Re: barnyard

[Chris Keladis <Chris.Keladis () cmc optus net au>]

Slighter, Tim wrote:

Hi Tim,

> I keep getting these pestering errors when trying to start barnyard:
> "unable to open spool file"
> here is what snort says:
> output log_unified:  filename snort.log, limit 128
> barnyard is then instructed to run as this:
> barnyard -c /usr/local/barnyard/barnyard.conf -d /var/log/snort -g
> /usr/local/snort/etc/gen-msg.map -s /usr/local/snort/etc/sid-msg.map -w
> /usr/local/snort/waldo.file -f snort.log
> checked in /var/log/snort and the snort.log file is there 

Tim, are you by any chance starting Snort with the '-b' switch?

If so, it can cause some confusion because the binary tcpdump log 
(created by '-b') is also named snort.log, so barnyard looks and finds 
snort.log, but it's really a capture file not a unified log. (Other 
symptoms of this problem are that Barnyard also reports a wrong "magic 
number").

This is correct behaviour since the command line switches are supposed 
to override the conf file settings, but it was very annoying and a hard 
to find bug, to say the least.

As a number of people have had similar problems i suggest it may be a 
good idea to rename (the unified) snort.log to unified_snort.log, to 
minimize confusion between unified and capture snort.log.




Cheers,

Chris.



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users