Devin,
I've seen multiple reports of this but never seen it myself. I cc'd
the barnyard-users list on my reply. Maybe Andrew can give us some
input.
Maybe if someone could send a broken unified log to the snort dev team?
Bammkkkk
On 6/28/06, Devin Kowatch <dkowatch@xxxxxxxx> wrote:
> Hi,
>
> I've had barnyard dying on me occasionally, while reading snort's
> log_unified output.
>
> Under snort 2.4.3 Barnyard would die with an "Invalid packet length"
> error. After some investigation, it was looking like barnyard was
> reading the file correctly (using od to dump the file and matching that
> to what barnyard was reading). So I figured the problem was either
> that snort was corrupting the file, or there was an incompatibility
> between barnyard and snort. In any event, I upgraded to snort 2.6.0 to
> see if that fixed the problem.
>
> Now under snort 2.6.0 Barnyard is dying with "FATAL ERROR: Out of memory
> (wanted 4230306464 bytes)". Using gdb this appears to be happening in
> the same function that the "Invalid packet length" error message happens
> in (specifically LogDpReadRecord). In this case the cause appears to be
> the same as before. Which is to say that the caplen field of the
> UnifiedLog record header is way too large [1].
>
> I've seen some other reports of this problem, but haven't found any
> resolution to it. I'm hoping that is just because I haven't looked in
> the right places, but if not, then hopefully I can be of some help
> figuring out what is going wrong.
>
> I get the same error if I run barnyard in daemon mode using the sguil
> output plugin, or if I run it in one shot mode using the default config
> file. All of this is running on an Intel P4 using CentOS. My snort
> output configuration is:
>
> output alert_unified: filename snort.alert, limit 512
> output log_unified: filename snort.log, limit 512
>
> Any help would be greatly appreciated.
> Thanks,
> -devink
>
>
>
> [1] Barnyard has a sanity check which is supposed to catch excessively
> large caplens. When that sanity check fails it leads to the "Invalid
> packet length" error message. In this case the sanity check is not
> failing because barnyard is converting SnortPktHeader.caplen from an
> unsigned value to a signed value prior to performing the sanity check.
> Because the value in this case is so large, when the sanity check is
> performed, the caplen value is negative, and thus passes the sanity
> check. After that it tries to allocate a bunch of memory and fails.
> The signed/unsigned thing is probably a separate bug in barnyard, but
> I'm not completely sure where to report it. Or is this the correct
> forum?
>
> --
> Devin Kowatch
> Sony Computer Entertainment of America
> dkowatch@xxxxxxxx
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@xxxxxxxxxxxxxxxxxxxxx
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
--
sguil - The Analyst Console for NSM
http://sguil.sf.net
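The signed/unsigned problem Devin describes in footnote [1] is easy to reproduce in isolation. The following is an added example, not barnyard's or Snort's own code: it mirrors a packet header with a 32-bit caplen field (the struct layout, the field names other than caplen, the 65535 upper bound and the helper names are assumptions for this example), shows why a check performed after an int conversion accepts the caplen value from the post's error message, and puts the check the reader would want next to it: compare in the unsigned domain and also against the bytes actually left in the file, so a corrupt header can never drive an oversized allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the unified-log packet header: only caplen is
 * taken from the post; the other fields and the layout are assumptions. */
typedef struct {
    uint32_t ts_sec;
    uint32_t ts_usec;
    uint32_t caplen;   /* bytes captured, as written by snort */
    uint32_t pktlen;   /* original wire length */
} pkt_header_t;

#define MAX_CAPLEN 65535u   /* assumed upper bound for a sane capture length */

/* The failure mode from the post: the unsigned caplen is converted to a
 * signed int before the bound check. Values above INT_MAX wrap negative on
 * the usual two's-complement ABIs (gcc/clang on x86), compare as "small",
 * and the record is accepted. Returns 1 if accepted, 0 if rejected. */
int caplen_check_signed(uint32_t caplen)
{
    int len = (int)caplen;          /* 4230306464 becomes -64660832 */
    if (len > (int)MAX_CAPLEN)
        return 0;                   /* rejected: "Invalid packet length" */
    return 1;                       /* accepted; malloc(caplen) follows */
}

/* Corrected check: stay unsigned, and also refuse any caplen larger than
 * the data remaining in the file, which no genuine record can exceed. */
int caplen_check_unsigned(uint32_t caplen, size_t bytes_remaining)
{
    if (caplen > MAX_CAPLEN)
        return 0;
    if (caplen > bytes_remaining)
        return 0;
    return 1;
}

/* Little-endian decode, matching how the x86 host in the post writes it. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read one header from a raw buffer and apply the corrected check.
 * Returns -1 if the record is rejected, otherwise its caplen. */
long read_record_caplen(const unsigned char *buf, size_t buflen)
{
    if (buflen < sizeof(pkt_header_t))
        return -1;                                   /* truncated header */
    uint32_t caplen = le32(buf + 8);                 /* offset of caplen in the assumed layout */
    if (!caplen_check_unsigned(caplen, buflen - sizeof(pkt_header_t)))
        return -1;
    return (long)caplen;
}

/* Constructed sample records (not captured data). The corrupt one carries
 * caplen 0xFC255AA0 = 4230306464, the figure from the post's OOM message. */
const unsigned char corrupt_record[16] = {
    0, 0, 0, 0,   0, 0, 0, 0,   0xA0, 0x5A, 0x25, 0xFC,   0xA0, 0x5A, 0x25, 0xFC
};
const unsigned char good_record[16 + 60] = {
    0, 0, 0, 0,   0, 0, 0, 0,   0x3C, 0, 0, 0,   0x3C, 0, 0, 0   /* 60 payload bytes follow, zero */
};

int main(void)
{
    printf("signed check accepts 4230306464: %d\n", caplen_check_signed(4230306464u));
    printf("unsigned check accepts 4230306464: %d\n", caplen_check_unsigned(4230306464u, 1u << 20));
    printf("corrupt record caplen: %ld\n", read_record_caplen(corrupt_record, sizeof corrupt_record));
    printf("good record caplen: %ld\n", read_record_caplen(good_record, sizeof good_record));
    return 0;
}
```

Compiled with gcc, the first line prints 1 and the others 0, -1 and 60: the signed comparison lets the corrupt length through and the unsigned one rejects it before any allocation is attempted. The conversion itself is implementation-defined in C rather than undefined, which is why the bug is quiet: no warning or crash until malloc fails with the "Out of memory (wanted 4230306464 bytes)" message from the post.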