Re: problem in using barnyard2 in batch mode

[beenph <beenph () gmail com>]

On Thu, Nov 8, 2012 at 4:34 PM, Michael Steele <michaels () winsnort com> wrote:
> With Barnyard2 1.11 build316 there is a new addition to the configuration:
>
> # Set the event cache size to defined max value before recycling of event
> occur.
> #
> #
> #config event_cache_size: 4096
>
> I was told that incrementing the value up until the 'Warning:' goes away, is
> the way silence them?

Its not the same type of warning, the setting is for Lonely packets
and not lonely events.

LONELY PACKETS
WARNING database [Database()]: Called with Event[0x0] Event Type [7]
(P)acket [0xXXXXXXXX], information has not been outputed.

LONELY EVENTS
WARNING database [Database()]: Called with Event[0xXXXXXXXX] Event
Type [7] (P)acket [0x0], information has not been outputed.

-elz



> Michael...
>
> -----Original Message-----
> From: beenph [mailto:beenph () gmail com]
> Sent: Thursday, November 08, 2012 12:33 PM
> To: ARUN PUSHKAR
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] problem in using barnyard2 in batch mode
>
> On Thu, Nov 8, 2012 at 8:25 AM, ARUN PUSHKAR <arunpushkar () gmail com> wrote:
> > i am getting following error when i am running barnyard2 in batch mode
> >
> > WARNING database [Database()]: Called with Event[0x8e33780] Event Type
> > [7] (P)acket [0x0], information has not been outputed.
> >
> > can some one help in finding possible reason
> Greetings Arun,
> what you are seeing is a WARNING (now renamed INFO) message.
> This message is generated by the output plugin, and tell you that it
> received a event without a packet.
>
> Whats this mean literally is that in the unified2 file its possible that
> there is some event record that are not associated with packet record, and
> they are not logged.
>
> I would like to note that you would receive those warning in continuous mode
> and also in batch mode, this does not make any differences.
>
> If you see this message alot then you might want to look at your snort
> configuration file and see which unified2 output mode you have configured.
>
>
> output alert_unified2: xxxxxx
> OR
> output log_unified2: xxxxxx
> OR
> output unified2: xxxxxxxx
>
> barnyard2 currently work better/optimaly in 2-1.x with output unified2.
>
> -elz
>
> ----------------------------------------------------------------------------
> --
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics Download AppDynamics Lite for
> free today:
> http://p.sf.net/sfu/appdyn_d2d_nov
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!