Re: [Snort-users] [Sguil-users] Barnyard problem

Subject: Re: [Snort-users] [Sguil-users] Barnyard problem
Date: Thu, 18 Jan 2007 08:14:39 -0600
Yes, as you indicated, that was the problem. Seemed a bit drastic but it 
worked. Everything is back up and running again. Next time I won't try to solve 
the problem on my own for days before taking action. :-)
 
Brad

________________________________

From: sguil-users-bounces@lists.sourceforge.net on behalf of Bamm Visscher
Sent: Wed 1/17/2007 10:18 AM
To: sguil-users@lists.sourceforge.net
Cc: Snort; snort-devel@lists.sourceforge.net
Subject: Re: [Sguil-users] Barnyard problem



AFAIK, that is a bug in Snort's unified output plugin. For all
practical purposes, the file /nsm/snortsrv//snort.log.1167545618 is
corrupt. To recover, stop snort and barnyard. Then remove (or move)
all the snort.log.####### files in /nsm/snortsrv (not the ones in
/nsm/snortsrv/dailylogs/). Finally, remove your waldo.file and restart
snort and barnyard.

The downside is any alert that happened after the file became
corrupted is gone. I don't know of any fix, probably the best thing
you can do to limit the impact this can cause again is to restart
snort on a regular basis as snort will create a new unified file each
time.

Bammkkkk


On 1/17/07, Smith, Brad <brad.smith@saskeds.com> wrote:
A couple of weeks ago my barnyard portion of the sensor just quit. Not 
exactly sure what happened but it won't start up again. The main reason seems 
to be the invalid packet length as indicated in the screen capture below. Is 
there a way to edit this file and remove the offending line of data, or how 
can I recover from this? The sensor is running FreeBSD 6.1.

Thanks,

Brad

------------------------

Barnyard Version 0.2.0 (Build 32)
Command line arguments:
  Config file:           /usr/local/etc/nsm/barnyard.conf
  Spool dir:             /nsm/snortsrv/
  Gen-msg file:          gen-msg.map
  Sid-msg file:          sid-msg.map
  Class file:            Not specified
  Log dir:               Not specified
  Archive dir:           Not specified
  File base:             snort.log
  Waldo file:            /nsm/snortsrv/waldo.file
  Pid file:              Not specified
  Verbosity level:       3
  Dry run flag:          Not Set
  Batch mode flag:       Not Set
  Daemon flag:           Not Set
  New records only flag: Not Set
  Usage flag:            Not Set
  Version flag:          Not Set
Config file variables:
  Hostname:        snortsrv
  Interface:       fxp1
  BPF Filter:
  Class file:      Not specified
  Sid-msg file:    Not specified
  Gen-msg file:    Not specified
  Daemon flag:     Not Set
  Localtime flag:  Not Set
Starting data processing using information from bookmark file
Program Variables:
  Continual processing mode
  Config dir:    /usr/local/etc/nsm
  Config file:   /usr/local/etc/nsm/barnyard.conf
  Sid-msg file:  /usr/local/etc/nsm/sid-msg.map
  Gen-msg file:  /usr/local/etc/nsm/gen-msg.map
  Class file:    /usr/local/etc/nsm/classification.config
  Hostname:      snortsrv
  Interface:     fxp1
  BPF Filter:
  Log dir:       /var/log/snort
  Verbosity:     3
  Localtime:     0
  Spool dir:     /nsm/snortsrv/
  Spool file:    snort.log
  Bookmark file: /nsm/snortsrv/waldo.file
  Record Number: 838345
  Timet:         1167545618
  Start at end:  0
Opened spool file '/nsm/snortsrv//snort.log.1167545618'
OpSguil configured
Connected to localhost on 7735.
Waiting for sid and cid from sensor_agent.
Sent: SidCidRequest snortsrv
Received: SidCidResponse 1 10202700
Sensor ID: 1
Last cid: 10202700
Sensor Name: snortsrv
Agent Port: 7735
ERROR: Invalid packet length: 976577328
Read error
Fatal Error, Quitting..
Exiting


_______________________________________________
Sguil-users mailing list
Sguil-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sguil-users



--
sguil - The Analyst Console for NSM
http://sguil.sf.net




_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
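The recovery Bamm describes above (stop both daemons, take the top-level snort.log.* spool files and the waldo bookmark out of the way while leaving dailylogs/ alone, then restart) written up as a POSIX shell script. This is an added example, not code from the thread or from the Snort, Barnyard or Sguil projects. It moves the files into a quarantine directory rather than deleting them, so the corrupt unified file is kept for later inspection; the spool directory, waldo path and the FreeBSD rc script names are assumptions taken from the barnyard output above and should be adjusted to the sensor.

```shell
#!/bin/sh
# Added example: scripted version of the recovery steps from the thread.
# SPOOL_DIR and WALDO mirror the "Spool dir" / "Waldo file" values in the
# barnyard output above; the rc script paths are assumptions for FreeBSD.

SPOOL_DIR="${SPOOL_DIR:-/nsm/snortsrv}"
WALDO="${WALDO:-$SPOOL_DIR/waldo.file}"
QUARANTINE="${QUARANTINE:-$SPOOL_DIR/corrupt-$(date +%Y%m%d%H%M%S)}"

# quarantine_spool SPOOL_DIR WALDO_FILE DEST_DIR
# Moves every top-level snort.log.* unified file plus the waldo bookmark
# into DEST_DIR. dailylogs/ is never touched (the glob does not recurse).
# Prints the number of spool files moved; returns non-zero on any failure.
quarantine_spool() {
    spool="$1"; waldo="$2"; dest="$3"
    [ -d "$spool" ] || { echo "spool dir $spool not found" >&2; return 1; }
    mkdir -p "$dest" || return 1
    moved=0
    for f in "$spool"/snort.log.*; do
        [ -f "$f" ] || continue            # glob matched nothing
        mv "$f" "$dest/" || return 1
        moved=$((moved + 1))
    done
    # Without the bookmark barnyard will start from the first new file
    # snort writes instead of re-opening the corrupt one.
    if [ -f "$waldo" ]; then
        mv "$waldo" "$dest/" || return 1
    fi
    echo "$moved"
}

# count_spool_files SPOOL_DIR
# Number of unified spool files still present at the top level.
count_spool_files() {
    n=0
    for f in "$1"/snort.log.*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Only act on the live sensor when explicitly asked; the default run is a
# no-op so the functions can be sourced and checked first.
if [ "${1:-}" = "--apply" ]; then
    /usr/local/etc/rc.d/barnyard.sh stop      # assumed rc script name
    /usr/local/etc/rc.d/snort.sh stop         # assumed rc script name
    n=$(quarantine_spool "$SPOOL_DIR" "$WALDO" "$QUARANTINE") || exit 1
    echo "quarantined $n spool file(s) and the waldo file into $QUARANTINE" >&2
    /usr/local/etc/rc.d/snort.sh start
    /usr/local/etc/rc.d/barnyard.sh start
fi
```

Run it with `--apply` on the sensor after confirming the paths; anything else is a dry run that defines the functions and exits. As the thread notes, alerts written after the point of corruption are not recoverable from the quarantined file, so the quarantine is for inspection, not replay. The mitigation Bamm suggests, restarting snort on a schedule so that each unified file covers a shorter window, is a cron entry along the lines of `0 0 * * * /usr/local/etc/rc.d/snort.sh restart` (again an assumed rc script name), which bounds how much alert history a single corrupt file can take with it.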
