Snort mailing list archives

Re: barnyard2-1.10 major problem


From: beenph <beenph () gmail com>
Date: Wed, 24 Oct 2012 10:47:33 -0400

On Wed, Oct 24, 2012 at 10:12 AM, Lawrence R. Hughes, Sr.
<lhughes () safemedia com> wrote:
Hi,

We have discovered that barnyard2-1.10 (all builds) has a major problem
where it will only pass one (1) packet per-alert to the database and
discards any further packets reported by snort 2.9.3.1!

We have been in touch with the author of barnyard2 and they cannot offer
any solutions and are working on a complete re-write of spooler.c for the
release 2.2 of barnyard2.


Lawrence,
I wrote you a follow-up e-mail, and you never replied.

But I will include it in this reply.
<SNIP>
On Fri, Oct 19, 2012 at 7:09 PM, beenph <beenph () gmail com> wrote:
Hum, how large is your unified2 file? I think what is happening is that
you are hitting the cache maximum.
In src/spooler.c change line 44 #define CACHED_EVENTS_MAX 256

and set it to 1024 or even 2048.

I am under the impression that what is happening is that the packet
you are mentioning is hitting the cache limit and
when the cache gets recycled, your packet can't find a relative event.

If that doesn't work I would appreciate if you can use u2_anon ->
https://github.com/binf/u2_anon

And send us your unified2 file.

But for the record, the changes that have been made in the database output
plugin shouldn't affect how stream packets get logged.

Let us know how it goes.

-elz

</SNIP>



-elz
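The cache-recycling effect elz suspects, shown with a constructed model added here for illustration (this is not barnyard2's spooler.c; the record layout, ring-buffer policy and sample stream are assumptions): a packet record is kept only while its event is still in the bounded cache, so once enough newer events have arrived, a late stream packet for an older event is orphaned, and a larger cache keeps it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a fixed-size event cache: events occupy a ring of
 * cache_max slots, the oldest being overwritten; a packet record is kept
 * only if an event with its event_id is still cached. */
typedef struct { int is_packet; unsigned event_id; } record_t;
typedef struct { unsigned event_id; int valid; } slot_t;

#define SLOT_LIMIT 16   /* upper bound on cache_max for this model */

/* Replays n records through a cache of cache_max slots and returns the
 * number of packet records that still found their event. */
int replay(const record_t *recs, int n, int cache_max) {
    slot_t cache[SLOT_LIMIT];
    int next = 0, matched = 0;
    if (cache_max < 1 || cache_max > SLOT_LIMIT) return -1;
    memset(cache, 0, sizeof cache);
    for (int i = 0; i < n; i++) {
        if (!recs[i].is_packet) {          /* event record: occupy a slot */
            cache[next].event_id = recs[i].event_id;
            cache[next].valid = 1;
            next = (next + 1) % cache_max; /* oldest event gets recycled */
            continue;
        }
        int found = 0;                     /* packet record: look up its event */
        for (int s = 0; s < cache_max; s++)
            if (cache[s].valid && cache[s].event_id == recs[i].event_id)
                found = 1;
        if (found) matched++;
        else printf("packet for event %u dropped: event no longer cached\n",
                    recs[i].event_id);
    }
    return matched;
}

/* Constructed unified2-like stream: event 1 with one packet, three newer
 * events, then a second (stream) packet that belongs to event 1. */
static const record_t sample[] = {
    {0, 1}, {1, 1}, {0, 2}, {0, 3}, {0, 4}, {1, 1}
};
#define SAMPLE_N (int)(sizeof sample / sizeof sample[0])

int main(void) {
    printf("cache of 2 slots: %d packets kept\n", replay(sample, SAMPLE_N, 2));
    printf("cache of 8 slots: %d packets kept\n", replay(sample, SAMPLE_N, 8));
    return 0;
}
```

With two slots the second packet for event 1 is dropped (one packet kept); with eight slots both packets are kept, which is the symptom a too-small CACHED_EVENTS_MAX would produce.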

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
