Network Security Snort-Users

Re: [Snort-users] [Snort-devel] [Sguil-users] Barnyard problem

Subject: Re: [Snort-users] [Snort-devel] [Sguil-users] Barnyard problem
Date: Wed, 17 Jan 2007 13:24:36 -0500
Greetings,

The initial issue is mainly due to the fact that the original unified output modes were writing sequentially to the file; thus if snort was in any way stopped, intentionally or unintentionally, while writing one of the data chunks, it would create a corrupted file.

This issue has been partially fixed in a patch that I submitted a while ago, but my patch didn't cover the last unified output mode.

Thus I might re-submit a more recent patch that completely fixes this issue for all unified output modes.

As for preventing that issue [unified log writing race condition], you can turn down the interface on which snort is listening [ifconfig <inameN> down], resulting in the pcap_loop() or pcap_dispatch() call failing, thus ensuring that snort is currently not writing to the unified file.

I shall send the new patch today for the snort 2.6.1N series to the snort-devel list.

I hope it might help.

-elz

 

-----Original Message-----
From: snort-devel-bounces@lists.sourceforge.net 
[mailto:snort-devel-bounces@lists.sourceforge.net] On Behalf 
Of Bamm Visscher
Sent: Wednesday, January 17, 2007 11:18 AM
To: sguil-users@lists.sourceforge.net
Cc: Snort; snort-devel@lists.sourceforge.net
Subject: Re: [Snort-devel] [Sguil-users] Barnyard problem

AFAIK, that is a bug in Snort's unified output plugin. For 
all practical purposes, the file 
/nsm/snortsrv//snort.log.1167545618 is corrupt. To recover, 
stop snort and barnyard. Then remove (or move) all the 
snort.log.####### files in /nsm/snortsrv (not the ones in 
/nsm/snortsrv/dailylogs/). Finally, remove your waldo.file 
and restart snort and barnyard.

The downside is any alert that happened after the file became 
corrupted is gone. I don't know of any fix, probably the best 
thing you can do to limit the impact this can cause again is 
to restart snort on a regular basis as snort will create a 
new unified file each time.

Bammkkkk


On 1/17/07, Smith, Brad <brad.smith@saskeds.com> wrote:
A couple of weeks ago my barnyard portion of the sensor 
just quit. Not exactly sure what happened but it won't start 
up again. The main reason seems to be the invalid packet 
length as indicated in the screen capture below. Is there a 
way to edit this file and remove the offending line of data 
or how can I recover from this. The sensor is running FreeBSD 6.1.

Thanks,

Brad

------------------------

Barnyard Version 0.2.0 (Build 32)
Command line arguments:
  Config file:           /usr/local/etc/nsm/barnyard.conf
  Spool dir:             /nsm/snortsrv/
  Gen-msg file:          gen-msg.map
  Sid-msg file:          sid-msg.map
  Class file:            Not specified
  Log dir:               Not specified
  Archive dir:           Not specified
  File base:             snort.log
  Waldo file:            /nsm/snortsrv/waldo.file
  Pid file:              Not specified
  Verbosity level:       3
  Dry run flag:          Not Set
  Batch mode flag:       Not Set
  Daemon flag:           Not Set
  New records only flag: Not Set
  Usage flag:            Not Set
  Version flag:          Not Set
Config file variables:
  Hostname:        snortsrv
  Interface:       fxp1
  BPF Filter:
  Class file:      Not specified
  Sid-msg file:    Not specified
  Gen-msg file:    Not specified
  Daemon flag:     Not Set
  Localtime flag:  Not Set
Starting data processing using information from bookmark file
Program Variables:
  Continual processing mode
  Config dir:    /usr/local/etc/nsm
  Config file:   /usr/local/etc/nsm/barnyard.conf
  Sid-msg file:  /usr/local/etc/nsm/sid-msg.map
  Gen-msg file:  /usr/local/etc/nsm/gen-msg.map
  Class file:    /usr/local/etc/nsm/classification.config
  Hostname:      snortsrv
  Interface:     fxp1
  BPF Filter:
  Log dir:       /var/log/snort
  Verbosity:     3
  Localtime:     0
  Spool dir:     /nsm/snortsrv/
  Spool file:    snort.log
  Bookmark file: /nsm/snortsrv/waldo.file
  Record Number: 838345
  Timet:         1167545618
  Start at end:  0
Opened spool file '/nsm/snortsrv//snort.log.1167545618'
OpSguil configured
Connected to localhost on 7735.
Waiting for sid and cid from sensor_agent.
Sent: SidCidRequest snortsrv
Received: SidCidResponse 1 10202700
Sensor ID: 1
Last cid: 10202700
Sensor Name: snortsrv
Agent Port: 7735
ERROR: Invalid packet length: 976577328
Read error
Fatal Error, Quitting..
Exiting
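As an added example (not code from anyone in this thread, nor from the Snort or Barnyard projects), the Python script below does what Brad asks about and Bamm says he knows no fix for: it walks a unified log spool file record by record, stops at the first record whose header is cut short, whose packet data is missing, or whose caplen is absurd (Brad's 976577328 against a typical 1514-byte snaplen is exactly that), and truncates the file back to the last complete record so the alerts written before the corruption survive instead of being thrown away with the file. The on-disk layout is my reading of the Snort 2.x UnifiedLogFileHeader/UnifiedLog structs (24-byte little-endian file header with magic 0xDEAD1080, 56-byte record header ending in a pcap_pkthdr with a 32-bit timeval) and is an assumption: check the offsets against your snort's spo_unified.c and barnyard's headers before trusting it, and note that a 64-bit build pads the pcap_pkthdr differently. The sample files are constructed inline; nothing here is real sensor output.

```python
"""Cut a corrupt Snort 2.x unified log file back to its last complete record.

ASSUMED layout (my reading of Snort 2.x spo_unified.c, 32-bit timeval; verify
against your own snort/barnyard headers before running this on a real spool):
  file header (24 bytes, little-endian):
      u32 magic (0xDEAD1080 for log files), u16 ver_major, u16 ver_minor,
      u32 timezone, u32 sigfigs, u32 snaplen, u32 linktype
  record header (56 bytes):
      Event = 9 x u32 (sig_generator, sig_id, sig_rev, classification,
              priority, event_id, event_reference, ref_time.sec, ref_time.usec)
      u32 flags
      pcap_pkthdr = u32 ts.sec, u32 ts.usec, u32 caplen, u32 len
  followed by caplen bytes of packet data.
"""
import os
import shutil
import struct

LOG_MAGIC = 0xDEAD1080                 # assumed: Snort 2.x unified *log* magic
FILE_HDR = struct.Struct("<IHHIIII")   # magic, ver_major, ver_minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<14I")        # Event (9 x u32) + flags + ts.sec, ts.usec, caplen, len
CAPLEN_IDX = 12                        # index of caplen within REC_HDR's 14 u32 fields


def scan_unified_log(data):
    """Walk the records in `data`; return (good_records, good_end_offset, reason).

    reason == "ok" means every record parsed and the file ends on a record
    boundary. Otherwise good_end_offset is the start of the first bad record,
    i.e. the offset the file can be truncated to without losing a good event."""
    if len(data) < FILE_HDR.size:
        return 0, 0, "file header truncated"
    magic, _maj, _min, _tz, _sig, snaplen, _lt = FILE_HDR.unpack_from(data, 0)
    if magic != LOG_MAGIC:
        return 0, 0, "bad magic 0x%08x" % magic
    off, n = FILE_HDR.size, 0
    while off < len(data):
        if off + REC_HDR.size > len(data):
            return n, off, "record header truncated at offset %d" % off
        caplen = REC_HDR.unpack_from(data, off)[CAPLEN_IDX]
        if caplen > snaplen:   # garbage where a header should be (barnyard's "Invalid packet length")
            return n, off, "caplen %d exceeds snaplen %d at offset %d" % (caplen, snaplen, off)
        end = off + REC_HDR.size + caplen
        if end > len(data):    # snort died mid-write of the packet data
            return n, off, "packet data truncated at offset %d" % off
        off, n = end, n + 1
    return n, off, "ok"


def repair_file(path):
    """Back up `path` to path + '.corrupt' and truncate it to the last good
    record. Returns the scan result; a clean file is left untouched."""
    with open(path, "rb") as f:
        data = f.read()
    n, good_end, reason = scan_unified_log(data)
    if reason != "ok" and good_end < len(data):
        shutil.copy2(path, path + ".corrupt")
        with open(path, "r+b") as f:
            f.truncate(good_end)
    return n, good_end, reason


# --- constructed sample files (not real sensor output) ---
def _record(payload, sid=1000001):
    event = (1, sid, 1, 0, 3, 1, 1, 1167545618, 0)   # gen, sid, rev, class, prio, id, ref, sec, usec
    fields = event + (0, 1167545618, 0, len(payload), len(payload))   # flags, ts.sec, ts.usec, caplen, len
    return REC_HDR.pack(*fields) + payload


def build_sample(kind):
    """kind: 'clean'; 'bad_caplen' (junk where a record header should be, the
    thread's 976577328 case); or 'cut' (snort stopped mid-write of a packet)."""
    hdr = FILE_HDR.pack(LOG_MAGIC, 1, 2, 0, 0, 1514, 1)          # snaplen 1514, linktype 1 (Ethernet)
    good = _record(b"\x45\x00" + b"\x00" * 8) + _record(b"\xaa\xbb\xcc\xdd")   # ends at offset 150
    if kind == "clean":
        return hdr + good
    if kind == "bad_caplen":
        junk_hdr = REC_HDR.pack(*((0,) * 12 + (976577328, 976577328)))
        return hdr + good + junk_hdr + b"JUNK"
    if kind == "cut":
        return hdr + good + _record(b"\x11" * 60)[:REC_HDR.size + 20]   # header + 20 of 60 bytes
    raise ValueError(kind)


def demo_repair():
    """Round-trip: write the 'bad_caplen' sample to a temp dir, repair it,
    and report (good_records, good_end, reason, new_size, backup_exists)."""
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "snort.log.1167545618")
    with open(path, "wb") as f:
        f.write(build_sample("bad_caplen"))
    n, good_end, reason = repair_file(path)
    return n, good_end, reason, os.path.getsize(path), os.path.exists(path + ".corrupt")


if __name__ == "__main__":
    for kind in ("clean", "bad_caplen", "cut"):
        print(kind, scan_unified_log(build_sample(kind)))
    print("repair:", demo_repair())
```

Run it only with snort stopped (Eric's ifconfig-down trick guarantees it is not mid-write) and barnyard stopped, and keep the `.corrupt` copy. After truncating, the waldo bookmark may still point at a record number (838345 in Brad's output) that no longer exists in the shortened file, so expect to remove the waldo file as Bamm describes before restarting barnyard.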



_______________________________________________
Sguil-users mailing list
Sguil-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sguil-users



--
sguil - The Analyst Console for NSM
http://sguil.sf.net

_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel


CONFIDENTIALITY NOTICE

This communication is intended for the exclusive use of the addressee 
identified above. Its content is confidential and may contain privileged 
information. If you have received this communication by error, please notify 
the sender and delete the message without copying or disclosing it.

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread: Re: [Snort-users] [Snort-devel] [Sguil-users] Barnyard problem, Eric Lauzon