Well, it's an op_sguil problem, not really a barnyard problem. It's a
known bug and op_sguil is currently being rewritten. I haven't taken
the time to really track it down since I am in the middle of the
rewrite anyway. Hopefully I can get that out sooner than later.
Bammkkkk
On Fri, 07 Jan 2005 17:15:07 -0500, Cool C <clarencehj@xxxxxxxxxxx> wrote:
> Hey all,
>
> Barnyard runs and inserts a few records (could be 10 to 3000, it varies),
> then it fails with the following error. I'm not sure if the unified
> snort.log.XXXXXXX file is corrupted or not.
>
> I get this on the barnyard terminal output (sometimes... not on every error):
>
> IP header truncated! (16 bytes)
> IP header truncated! (16 bytes)
>
> And on the sguild terminal at the same time I get the following:
>
> can't read "sip(hostname.domain.domain.com)": variable isn't array
> while executing
> "subst -nobackslashes -nocommands $tmpMsg"
> (procedure "EmailEvent" line 23)
> invoked from within
> "EmailEvent $eventDataList"
> (procedure "EventRcvd" line 39)
> invoked from within
> "EventRcvd $socketID $data "
> ("RTEvent" arm line 1)
> invoked from within
> "switch -exact -- $sensorCmd {
> RTEvent { EventRcvd $socketID $data }
> PSFile { RcvPortscanFile $socketID [lindex $data 1] }
> CONNE..."
> (procedure "SensorCmdRcvd" line 20)
> invoked from within
> "SensorCmdRcvd sock13"
>
> sguild is still working after barnyard fails because the session updates
> from stream4 and sancp are making their way into the mysql database. The
> barnyard process must be "kill -9'd" then restarted. It will run and do
> one of two things:
>
> 1) It will stop at the point it did initially and complain about a
> duplicate cid record exists.
>
> 2) Or it will continue to process the file then fail again later on with
> the same error.
>
> Everything else is OK... for example sancp 1.6.0 , stream4 output, sguil
> client and sensor_agent.tcl updates without issue.
>
> It appears that barnyard (0.2.0) hangs/locks up whenever the error above
> is encountered. Is there anything I can do to verify that barnyard is
> failing to read the snort.log.XXXXXX file correctly or if it's just
> formatting incorrectly before sending the data to the sguild daemon?
>
> I am using snort Version 2.3.0RC2 (Build 9). Do you recommend trying an
> earlier version of snort? I thought snort may have been getting overloaded,
> but I commented out a few of the rules and manually sent bogus packets, and
> after about 20 bogus packets I received the same error. The hostname is
> always showing up in the sip field.
>
> Any help would be greatly appreciated!
>
> -------------------------------------------
> # /usr/local/bin/barnyard -vvvvvvvvvvvvvvvvv -c
> /usr/local/snort/etc/barnyard.conf -L /extra/snort_data/localhost -d
> /extra/snort_data/localhost -g /usr/local/snort/etc/gen-msg.map -s
> /usr/local/snort/etc/sid-msg.map -f snort.log -w
> /usr/local/snort/etc/waldo.file
> Barnyard Version 0.2.0 (Build 32)
> Command line arguments:
> Config file: /usr/local/snort/etc/barnyard.conf
> Spool dir: /extra/snort_data/localhost
> Gen-msg file: /usr/local/snort/etc/gen-msg.map
> Sid-msg file: /usr/local/snort/etc/sid-msg.map
> Class file: Not specified
> Log dir: /extra/snort_data/localhost
> Archive dir: Not specified
> File base: snort.log
> Waldo file: /usr/local/snort/etc/waldo.file
> Pid file: Not specified
> Verbosity level: 17
> Dry run flag: Not Set
> Batch mode flag: Not Set
> Daemon flag: Not Set
> New records only flag: Not Set
> Usage flag: Not Set
> Version flag: Not Set
> Config file variables:
> Hostname: localhost
> Interface: eth0
> BPF Filter: not port 22
> Class file: Not specified
> Sid-msg file: Not specified
> Gen-msg file: Not specified
> Daemon flag: Not Set
> Localtime flag: Set
> Starting data processing using information from bookmark file
> Program Variables:
> Continual processing mode
> Config dir: /usr/local/snort/etc
> Config file: /usr/local/snort/etc/barnyard.conf
> Sid-msg file: /usr/local/snort/etc/sid-msg.map
> Gen-msg file: /usr/local/snort/etc/gen-msg.map
> Class file: /usr/local/snort/etc/classification.config
> Hostname: localhost
> Interface: eth0
> BPF Filter: not port 22
> Log dir: /extra/snort_data/localhost
> Verbosity: 17
> Localtime: 1
> Spool dir: /extra/snort_data/localhost
> Spool file: snort.log
> Bookmark file: /usr/local/snort/etc/waldo.file
> Record Number: 127
> Timet: 1105131294
> Start at end: 0
> Opened spool file '/extra/snort_data/localhost/snort.log.1105131294'
> OpLogDump configured
> Filename: dump.log
> OpSguil_Start
> sensor_id == 1
> OpAcidDB configuration details
> Database Flavour: mysql
> Database Server: localhost
> Database User: root
> SensorID: 1
> Sguild Host: localhost
> Sguild Port: 7736
> Barnyard will sleep(15) if unable to connect to sguild.
>
> Snort Version 2.3.0RC2 (Build 9)
>
> var HOME_NET any
> var EXTERNAL_NET any
> var DNS_SERVERS $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var SNMP_SERVERS $HOME_NET
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> var RULE_PATH /usr/local/snort/rules
> preprocessor flow: stats_interval 0 hash 2
> preprocessor frag2:
> preprocessor stream4: detect_scans, disable_evasion_alerts
> preprocessor stream4_reassemble: both
> preprocessor http_inspect: global \
> iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default \
> profile all ports { 80 } oversize_dir_length 550
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 200 3 /extra/snort_data/localhost/portscans localhost
> output log_unified: filename snort.log, limit 1
> include classification.config
> include reference.config
> include $RULE_PATH/local.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
>
> Clarence
> clarencehj@xxxxxxxxx
>
> -------------------------------------------------------
> The SF.Net email is sponsored by: Beat the post-holiday blues
> Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
> It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
> _______________________________________________
> Barnyard-users mailing list
> Barnyard-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/barnyard-users
>
--
sguil - The Analyst Console for NSM
http://sguil.sf.net
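Editor's note, added to this thread and not part of either message or of sguild's own code: the Tcl trace above ("can't read "sip(hostname...)": variable isn't array" raised from `subst -nobackslashes -nocommands $tmpMsg`) is the generic Tcl behaviour you get whenever a template handed to `subst` contains a scalar variable reference immediately followed by a parenthesis. Tcl reads `$sip(...)` as an element of an array named `sip`, substitutes whatever is inside the parentheses first, and then fails because `sip` is a scalar. The example below reproduces that error with constructed values (the variable names `sip`, `dip`, `hostname` and the template text are assumptions for the demo, not sguild's actual EmailEvent template) and shows two ways to keep the template safe. It also illustrates the security-relevant point: `-nocommands` stops `[...]` command substitution, but `$` substitution still lets any text that reaches `subst` read arbitrary variables in the interpreter, so templates should never be assembled from data that came off the wire.

```tcl
#!/usr/bin/env tclsh
# Added example (not sguild code): why `subst -nobackslashes -nocommands`
# on a template containing "$sip(" fails with "variable isn't array",
# and how to write the template so a scalar $sip survives a following "(".

# Constructed sample values for the demo; names are assumptions.
set sip      10.0.0.5
set dip      192.0.2.10
set hostname hostname.domain.domain.com

# Render a template the way a `subst`-based mailer would. Returns the
# rendered text, or the Tcl error message if substitution fails.
proc render {template} {
    if {[catch {subst -nobackslashes -nocommands $template} out]} {
        return "subst failed: $out"
    }
    return $out
}

# 1. The failing shape: "$sip(" is parsed as array element access.
#    The index "$hostname" is substituted first, so the error names
#    sip(hostname.domain.domain.com), exactly as in the sguild trace.
set tmpMsg {Alert from $sip($hostname) to $dip}
puts [render $tmpMsg]

# 2. Fix A: brace the variable name so the parenthesis is literal text.
set tmpMsg2 {Alert from ${sip}($hostname) to $dip}
puts [render $tmpMsg2]

# 3. Fix B: do not run `subst` over anything that carries external data.
#    `format` inserts the values verbatim; they are never re-parsed as Tcl,
#    so a hostname or payload containing "$" or "(" cannot change meaning.
puts [format {Alert from %s(%s) to %s} $sip $hostname $dip]

# 4. Why `-nocommands` alone is not enough: "$" substitution still reads
#    any variable in scope. A template built from untrusted text can leak
#    interpreter state even though "[...]" is disabled.
set dbpass hunter2
set untrusted {lookup ran for $dbpass}
puts [render $untrusted]
```

Run it with `tclsh`: case 1 prints the "variable isn't array" failure, cases 2 and 3 print the intended line with the hostname in parentheses, and case 4 prints the value of `dbpass` even with `-nocommands` set. In a daemon such as sguild that means the template should be a fixed string controlled by the operator, with event fields dropped in via `format` or `string map` rather than via `subst`.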