Hey all,
Barnyard runs and inserts a few records (could be 10 to 3000, it varies),
then it fails with the following error. I'm not sure if the unified
snort.log.XXXXXXX file is corrupted or not.
I get this on the barnyard terminal output (sometimes... not on every error):
IP header truncated! (16 bytes)
IP header truncated! (16 bytes)
And on the sguild terminal at the same time I get the following:
can't read "sip(hostname.domain.domain.com)": variable isn't array
while executing
"subst -nobackslashes -nocommands $tmpMsg"
(procedure "EmailEvent" line 23)
invoked from within
"EmailEvent $eventDataList"
(procedure "EventRcvd" line 39)
invoked from within
"EventRcvd $socketID $data "
("RTEvent" arm line 1)
invoked from within
"switch -exact -- $sensorCmd {
RTEvent { EventRcvd $socketID $data }
PSFile { RcvPortscanFile $socketID [lindex $data 1] }
CONNE..."
(procedure "SensorCmdRcvd" line 20)
invoked from within
"SensorCmdRcvd sock13"
sguild is still working after barnyard fails because the session updates
from stream4 and sancp are making their way into the mysql database. The
barnyard process must be "kill -9'd" then restarted. It will run and do
one of two things:
1) It will stop at the point it did initially and complain that a
duplicate cid record exists.
2) Or it will continue to process the file then fail again later on with
the same error.
Everything else is OK... for example sancp 1.6.0, stream4 output, sguil
client and sensor_agent.tcl update without issue.
It appears that barnyard (0.2.0) hangs/locks-up whenever the error above
is encountered. Is there anything I can do to verify that barnyard is
failing to read the snort.log.XXXXXX file correctly or if it's just
formatting incorrectly before sending the data to the sguild daemon?
I am using snort Version 2.3.0RC2 (Build 9). Do you recommend trying an
earlier version of snort? I thought snort may have been getting overloaded
but I commented out a few of the rules and manually sent bogus packets and
after about 20 bogus packets I received the same error. The hostname is
always showing up in the sip field.
Any help would be greatly appreciated!
-------------------------------------------
# /usr/local/bin/barnyard -vvvvvvvvvvvvvvvvv -c
/usr/local/snort/etc/barnyard.conf -L /extra/snort_data/localhost -d
/extra/snort_data/localhost -g /usr/local/snort/etc/gen-msg.map -s
/usr/local/snort/etc/sid-msg.map -f snort.log -w
/usr/local/snort/etc/waldo.file
Barnyard Version 0.2.0 (Build 32)
Command line arguments:
Config file: /usr/local/snort/etc/barnyard.conf
Spool dir: /extra/snort_data/localhost
Gen-msg file: /usr/local/snort/etc/gen-msg.map
Sid-msg file: /usr/local/snort/etc/sid-msg.map
Class file: Not specified
Log dir: /extra/snort_data/localhost
Archive dir: Not specified
File base: snort.log
Waldo file: /usr/local/snort/etc/waldo.file
Pid file: Not specified
Verbosity level: 17
Dry run flag: Not Set
Batch mode flag: Not Set
Daemon flag: Not Set
New records only flag: Not Set
Usage flag: Not Set
Version flag: Not Set
Config file variables:
Hostname: localhost
Interface: eth0
BPF Filter: not port 22
Class file: Not specified
Sid-msg file: Not specified
Gen-msg file: Not specified
Daemon flag: Not Set
Localtime flag: Set
Starting data processing using information from bookmark file
Program Variables:
Continual processing mode
Config dir: /usr/local/snort/etc
Config file: /usr/local/snort/etc/barnyard.conf
Sid-msg file: /usr/local/snort/etc/sid-msg.map
Gen-msg file: /usr/local/snort/etc/gen-msg.map
Class file: /usr/local/snort/etc/classification.config
Hostname: localhost
Interface: eth0
BPF Filter: not port 22
Log dir: /extra/snort_data/localhost
Verbosity: 17
Localtime: 1
Spool dir: /extra/snort_data/localhost
Spool file: snort.log
Bookmark file: /usr/local/snort/etc/waldo.file
Record Number: 127
Timet: 1105131294
Start at end: 0
Opened spool file '/extra/snort_data/localhost/snort.log.1105131294'
OpLogDump configured
Filename: dump.log
OpSguil_Start
sensor_id == 1
OpAcidDB configuration details
Database Flavour: mysql
Database Server: localhost
Database User: root
SensorID: 1
Sguild Host: localhost
Sguild Port: 7736
Barnyard will sleep(15) if unable to connect to sguild.
Snort Version 2.3.0RC2 (Build 9)
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /usr/local/snort/rules
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2:
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: both
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 } oversize_dir_length 550
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 200 3 /extra/snort_data/localhost/portscans
localhost
output log_unified: filename snort.log, limit 1
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
Clarence
clarencehj@xxxxxxxxx
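The Tcl trace above fails inside subst. Here is an added example (not from the original post or the sguil code base) that reproduces the "variable isn't array" error with a constructed template and shows a literal placeholder substitution that does not parse the message text as Tcl. The template, the ExpandTemplate proc and the event values are hypothetical.

```tcl
# Added example, not sguil's EmailEvent. Constructed event data: the sensor
# reported a hostname in the sip field, as described in the post.
set sip "hostname.domain.domain.com"
set dip "10.0.0.1"

# Hypothetical message template. The text "(hostname.domain.domain.com)"
# immediately after $sip is what makes subst attempt an array element read,
# because $name(key) is Tcl's array syntax.
set tmpMsg {Source: $sip(hostname.domain.domain.com) -> $dip}

# 1) subst with -nocommands still performs variable substitution, so it
#    reads sip(hostname.domain.domain.com) and raises "variable isn't array"
#    on a scalar sip. catch keeps the script alive so the failure can be logged.
proc TrySubst {template} {
    global sip dip
    if {[catch {subst -nobackslashes -nocommands $template} result]} {
        return "subst failed: $result"
    }
    return $result
}
puts [TrySubst $tmpMsg]

# 2) Safer template expansion: named placeholders replaced with string map.
#    string map does a literal replacement and never interprets "$", "[" or
#    "(" in either the template or the event values, so untrusted sensor data
#    cannot change how the message is expanded.
proc ExpandTemplate {template values} {
    set map {}
    foreach {name value} $values {
        lappend map "%${name}%" $value
    }
    return [string map $map $template]
}

set safeTemplate {Source: %sip% -> %dip%}
puts [ExpandTemplate $safeTemplate [list sip $sip dip $dip]]
```

With the string map approach, a value that happens to contain Tcl syntax is copied into the message verbatim instead of being evaluated by subst.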