Snort mailing list archives

Snort 2.3.0RC2 and Barnyard


From: "John Berkers" <John.Berkers () hsntech com>
Date: Wed, 5 Jan 2005 16:32:13 +1100

Hi,

I have upgraded to Snort 2.3.0RC2 from 2.1.3 with Barnyard 0.1.0.

This setup has been working fine for about a year (with an upgrade or two in between).

I am getting the following error when I start barnyard, or when barnyard gets data in a unified log:

Processing: /var/log/snort/snort.log.1104814818
Looking for magic: a1b2c3d4
magic ?= dead4137
magic ?= dead1080
magic ?= dead5747
ERROR: No input plugin found for magic: a1b2c3d4
Fatal Error, Quitting..

This error is generated with verbosity level 4.

I upgraded barnyard to version 0.2.0 to no avail.

Barnyard was configured with --enable-mysql --enable-debug
Snort was built using rpmbuild --rebuild -ta snort-2.3.0RC2.tar.gz

OS is Fedora Core 1.

Unified logs generated previously result in the following messages:

Processing: /var/log/snort/snort.log.1075873821
Looking for magic: dead1080
magic ?= dead4137
magic ?= dead1080
Number of records:  0

Snort.conf output configuration:

output log_unified: filename snort.log, limit 128

Barnyard bare bones configuration (cat /etc/snort/barnyard.conf |egrep -v "^#|^$"):

config hostname: sensor.domain.com
config interface: eth1
config filter:
output log_acid_db: mysql, database db_name, server server.domain.com, user db_user, detail full, password db_passwd, 
sensor_id 3

Can anyone shed any light on the situation, as I am stumped.  I found a couple of references in the archives from a 
while ago indicating that this may be related to tcpdump output format, but this was working fine before the upgrade.

Please feel free to contact me if you require any further information.

Thanks in advance for any assistance.

Regards,

John Berkers
Senior Communications & Security Consultant
 
Hansen Technologies
2 Frederick Street, Doncaster  Vic  3108
Phone:  +61 3 9840 3833
Fax:    +61 3 9840 3099
Mobile: 0419 532 312
 
Email:  john.berkers () hsntech com
Web:    www.hsntech.com <http://www.hsntech.com/> 

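The barnyard output above shows the diagnostic that matters: the file it was handed starts with magic a1b2c3d4, which is the libpcap savefile magic, while barnyard only probes for the dead4137, dead1080 and dead5747 magics. The following script is an added example, not code from the thread or from the Snort or Barnyard projects; it reads the first four bytes of a spool file and reports which format it is in, in both byte orders, so that a "No input plugin found for magic" error can be traced to the writer side (the Snort output plugin) rather than the reader. The names for dead4137 and dead1080 are the ALERT_MAGIC and LOG_MAGIC constants from Snort's unified output plugin; the purpose of dead5747 is not stated on the page, so it is only listed as a magic barnyard accepts. The sample headers in the block are constructed, not real spool files.

```python
import struct

# Magics taken from the barnyard output in the post. The descriptions for
# dead4137 / dead1080 come from Snort's spo_unified.c (ALERT_MAGIC / LOG_MAGIC);
# a1b2c3d4 is the libpcap savefile magic. dead5747 is only known here as a
# value barnyard probes for (its purpose is not stated in the thread).
BARNYARD_MAGICS = {
    0xDEAD4137: "snort unified alert",
    0xDEAD1080: "snort unified log",
    0xDEAD5747: "barnyard-recognised magic (purpose not stated in the thread)",
}
OTHER_MAGICS = {
    0xA1B2C3D4: "libpcap savefile (tcpdump format), not a unified log",
}


def identify_magic(data: bytes) -> dict:
    """Interpret the first 4 bytes as a uint32 in both byte orders and report
    the first interpretation that matches a known magic."""
    if len(data) < 4:
        return {"magic": None, "byte_order": None, "format": "file shorter than 4 bytes"}
    little = struct.unpack("<I", data[:4])[0]
    big = struct.unpack(">I", data[:4])[0]
    for order, value in (("little", little), ("big", big)):
        if value in BARNYARD_MAGICS:
            return {"magic": f"{value:08x}", "byte_order": order,
                    "format": BARNYARD_MAGICS[value], "barnyard_accepts": True}
        if value in OTHER_MAGICS:
            return {"magic": f"{value:08x}", "byte_order": order,
                    "format": OTHER_MAGICS[value], "barnyard_accepts": False}
    return {"magic": f"{little:08x}", "byte_order": None,
            "format": "unrecognised", "barnyard_accepts": False}


def diagnose(data: bytes) -> str:
    """One-line verdict in the spirit of barnyard's own 'Looking for magic' output."""
    info = identify_magic(data)
    if info["barnyard_accepts"]:
        return f"magic {info['magic']}: {info['format']} - barnyard has an input plugin for this"
    if info["magic"] == "a1b2c3d4":
        return (f"magic {info['magic']}: {info['format']} - barnyard cannot read it; "
                "check which Snort output plugin wrote the file")
    return f"magic {info['magic']}: {info['format']} - barnyard cannot read it"


def diagnose_file(path: str) -> str:
    """Read only the header bytes of a spool file and classify it."""
    with open(path, "rb") as fh:
        return diagnose(fh.read(4))


# Constructed headers, as a little-endian host would write them to disk.
PCAP_HEADER = struct.pack("<I", 0xA1B2C3D4) + b"\x02\x00\x04\x00"      # constructed
UNIFIED_LOG_HEADER = struct.pack("<I", 0xDEAD1080) + b"\x00" * 4       # constructed
UNIFIED_ALERT_HEADER = struct.pack("<I", 0xDEAD4137) + b"\x00" * 4     # constructed

if __name__ == "__main__":
    for name, header in (("pcap", PCAP_HEADER), ("unified log", UNIFIED_LOG_HEADER),
                         ("unified alert", UNIFIED_ALERT_HEADER)):
        print(f"{name:14s} -> {diagnose(header)}")
```

Run it against the file named in the error (`diagnose_file("/var/log/snort/snort.log.1104814818")`) to confirm which side of the pipeline changed: if the new spool files carry the pcap magic while the older ones carry dead1080, the output plugin in snort.conf is the place to look, not barnyard's input plugins.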
