--On Tuesday, July 26, 2005 15:47:05 -0500 Dusty Hall <halljer@xxxxxxxxxx>
wrote:
I'm running BY on OpenBSD 3.7 (ultra 5 / sparc64) along with one
instance of snort. When I start BY it fails with "ERROR: Invalid packet
length: nnnnn". I've deleted the unified log several times and still
get the same message. The NIC is an Intel PRO/1000MT (82545EM) that
seems to work flawlessly. I'm not seeing any errors in dmesg or
/var/log/messages. Startup, dry run and by.conf are below. Thoughts?
This isn't going to fix your problem, but you can shorten your startup line
considerably. Just add:
config sid-msg-map: /etc/nsm/sid-msg.map
config gen-msg-map: /etc/nsm/gen-msg.map
config class-file: /etc/nsm/classification.config
to the config section of your conf file. Then you don't have to call them
from the commandline. It's documented in the source. :-)
Also, you don't need the config hostname, config interface or config
filter: not port 22 lines. You can comment those out (unless you're using
them for ACID). They're only used by ACID.
You should add config daemon so barnyard can run in daemon mode.
Try dropping the -w switch and see if barnyard runs OK. You don't need a
waldo file until you get barnyard running, and it can override the -d and
-f switches. If the waldo file is screwed up, it could be causing your
problem. Once you get barnyard starting OK, just add it back in.
#####
sh# /usr/local/bin/barnyard -c /etc/nsm/barnyard.conf -d /nsm -p /etc/nsm/classification.config -g /etc/nsm/gen-msg.map -s /etc/nsm/sid-msg.map -f betty_unified -w /nsm/waldo.file -X /nsm/run/barnyard.pid
Barnyard Version 0.2.0 (Build 32)
Opened spool file '/nsm/betty_unified.1122408003'
OpSguil_Start
ERROR: Invalid packet length: 1179661
Read error
Fatal Error, Quitting..
Exiting
#####
Dry run mode:
Barnyard Version 0.2.0 (Build 32)
Program Variables:
Continual processing mode
Config dir: /etc/nsm
Config file: /etc/nsm/barnyard.conf
Sid-msg file: /etc/nsm/sid-msg.map
Gen-msg file: /etc/nsm/gen-msg.map
Class file: /etc/nsm/classification.config
Hostname: betty
Interface: em0
BPF Filter: not port 22
Log dir: /var/log/snort
Verbosity: 0
Localtime: 0
Spool dir: /nsm
Spool file: betty_unified
Bookmark file: /nsm/waldo.file
Record Number: 0
Timet: 0
Start at end: 0
Output plugins enabled for 'alert' records
-------------------------------------------------------
None configured
=======================================================
Output plugins enabled for 'log' records
-------------------------------------------------------
OpSguil configured
=======================================================
Output plugins enabled for 'stream_stat' records
-------------------------------------------------------
None configured
=======================================================
#####
barnyard.conf:
config hostname: betty
config interface: em0
config filter: not port 22
output sguil: mysql, sensor_id 0, database sguildb....
Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
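Putting Paul's suggestions together, as an added example that is not part of the original thread and not code from the barnyard or sguil projects: a small POSIX shell script that writes the consolidated config-section lines (the three map/class files, daemon mode, the ACID-only lines commented out) and builds the shortened startup command, first without the waldo file and then with it. Paths, file names and the pid file are the ones from Dusty's post; the BARNYARD variable, the optional "daemon" argument to write_conf, and the choice to leave "config daemon" commented out during the first foreground troubleshooting run (so the error stays on the terminal) are assumptions of this example. The existing "output sguil:" line is deliberately not reproduced, since the post only shows it truncated; it stays in the original barnyard.conf.

```shell
#!/bin/sh
# Added example (not from the thread). Consolidates the barnyard 0.2.0
# startup options into the config section of barnyard.conf, as suggested
# in the reply above, and builds the shortened command line.
#
# Assumptions: the paths below are the ones from the original post; the
# BARNYARD override and the "daemon" argument are this example's own.

NSM_ETC=/etc/nsm
SPOOL=/nsm
BARNYARD=${BARNYARD:-/usr/local/bin/barnyard}

# Emit the config-section lines that replace the -s/-g/-p switches.
# Pass "daemon" as $1 once barnyard is known to start cleanly; until then
# the line stays commented so errors are visible on the terminal
# (an assumption of this example, not advice from the thread).
# The existing "output sguil: ..." line is kept in the original conf and
# is not generated here.
write_conf() {
    cat <<EOF
# map files: with these in the conf, -s/-g/-p are no longer needed
config sid-msg-map: $NSM_ETC/sid-msg.map
config gen-msg-map: $NSM_ETC/gen-msg.map
config class-file: $NSM_ETC/classification.config
EOF
    if [ "$1" = daemon ]; then
        printf 'config daemon\n'
    else
        printf '#config daemon\n'
    fi
    cat <<EOF
# only ACID uses these; commented out for a sguil-only sensor
#config hostname: betty
#config interface: em0
#config filter: not port 22
EOF
}

# Build the startup command. Call with no argument for the first run
# (no -w, so a stale waldo file cannot override -d/-f), then with the
# waldo path once barnyard starts OK.
start_cmd() {
    cmd="$BARNYARD -c $NSM_ETC/barnyard.conf -d $SPOOL -f betty_unified -X $SPOOL/run/barnyard.pid"
    if [ -n "$1" ]; then
        cmd="$cmd -w $1"
    fi
    printf '%s\n' "$cmd"
}

# Typical use (not run here):
#   write_conf        > /etc/nsm/barnyard.conf.new   # merge with output sguil line
#   eval "$(start_cmd)"                              # foreground test run, no -w
#   write_conf daemon > /etc/nsm/barnyard.conf.new   # then enable daemon mode
#   eval "$(start_cmd /nsm/waldo.file)"              # and add the waldo file back
```

The two-stage start mirrors the advice in the reply: get barnyard reading the spool file with the fewest moving parts, and only then reintroduce bookmarking and daemon mode.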