Hi .*!
I've tried to run barnyard 0.2.0 (build 32) to process the
unified alert files generated by snort 2.8.0 but unfortunately
it dumps core. e.g.:
debian3164m:/var/log/snort#
Barnyard Version 0.2.0 (Build 32)
Segmentation fault (core dumped)
This happens on:
debian3164m:~# cat /etc/debian_version
4.0
debian3164m:~# uname -a
Linux debian3164m 2.6.8-12-amd64-k8-smp #1 SMP Thu Dec 7 18:44:52 UTC 2006
x86_64 GNU/Linux
with snort:
debian3164m:~# snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.8.0 (Build 67) inline
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.
Using PCRE version: 6.7 04-Jul-2006
Running barnyard in the dry-run mode it says:
debian3164m:~# barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -g
/etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -R -o snort.alert.1193349572
Barnyard Version 0.2.0 (Build 32)
Program Variables:
Batch processing mode
Config dir: /etc/snort
Config file: /etc/snort/barnyard.conf
Sid-msg file: /etc/snort/sid-msg.map
Gen-msg file: /etc/snort/gen-msg.map
Class file: /etc/snort/classification.config
Hostname: ypbind.de
Interface: eth0
BPF Filter:
Log dir: /root
Verbosity: 0
Localtime: 0
File list:
/var/log/snort/snort.alert.1193349572
Output plugins enabled for 'alert' records
-------------------------------------------------------
OpAlertFast configured
Filename: fast.alert
=======================================================
Output plugins enabled for 'log' records
-------------------------------------------------------
OpLogDump configured
Filename: dump.log
OpLogPcap configured
Filename: barnyard.pcap
=======================================================
Output plugins enabled for 'stream_stat' records
-------------------------------------------------------
None configured
=======================================================
So I tried to recompile with --enable-debug but this doesn't even compile:
gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src -I/usr/include/pcap
-g -O2 -Wall -DDEBUG -ggdb -c dp_stream_stat.c
dp_stream_stat.c: In function 'StreamStatDpReadFileHeader':
dp_stream_stat.c:104: warning: format '%d' expects type 'int', but argument 4
has type 'ssize_t'
dp_stream_stat.c:104: warning: format '%d' expects type 'int', but argument 5
has type 'long unsigned int'
dp_stream_stat.c:112: error: 'StreamStatFileHeader' has no member named 'magic'
make[3]: *** [dp_stream_stat.o] Error 1
make[3]: Leaving directory `/home/maus/tmp/barnyard-0.2.0/src/input-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/maus/tmp/barnyard-0.2.0/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/maus/tmp/barnyard-0.2.0'
make: *** [all-recursive-am] Error 2
It will compile if I comment out the offending line in dp_stream_stat.c:112:
112: printf(" Magic = 0x%X\n", file_header.magic);
but does that help if I compile it like this and submit the backtrace of the
generated core file?
Any help?
So long,
Andreas.
P.S.: I attached my barnyard.conf to this message.
--
"Things that try to look like things often do
look more like things than things. Well-known fact."
Granny Weatherwax - "Wyrd sisters"
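The gcc output above points at two things in dp_stream_stat.c: the `%d` specifiers used for an `ssize_t` and a `long unsigned int` (a `sizeof` result) at line 104, and a struct member that no longer exists at line 112. The following is an added example, not code from barnyard or snort: a small header reader that uses the specifiers the compiler is asking for (`%zu`/`%zd` for `size_t`/`ssize_t`) and checks the read length and the magic value before trusting the header, so a truncated or unexpected file produces an error message instead of an uncontrolled crash. The struct layout, `DEMO_MAGIC` and all `demo_*` names are constructed for illustration and are not the unified-file format.

```c
/* Added example, not barnyard's own code. The header layout and the magic
 * value are constructed for illustration; they are not snort's unified format. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define DEMO_MAGIC 0xDEAD1234u   /* constructed value, not a real snort magic */

struct demo_file_header {
    uint32_t magic;
    uint32_t version_major;
    uint32_t version_minor;
    uint32_t timezone;
};

enum demo_hdr_status { HDR_OK = 0, HDR_SHORT_READ = -1, HDR_BAD_MAGIC = -2 };

/* Read one header from fp into *out.
 * Returns HDR_OK, HDR_SHORT_READ or HDR_BAD_MAGIC; *out is valid only on HDR_OK. */
int demo_read_file_header(FILE *fp, struct demo_file_header *out)
{
    struct demo_file_header hdr;
    size_t want = sizeof hdr;                 /* this is the 'long unsigned int' gcc saw */
    size_t got = fread(&hdr, 1, want, fp);

    /* size_t is printed with %zu (ssize_t with %zd); %d is what gcc warned about
     * at dp_stream_stat.c:104 and is wrong on a 64-bit host. */
    if (got != want) {
        fprintf(stderr, "short header read: got %zu of %zu bytes\n", got, want);
        return HDR_SHORT_READ;
    }
    if (hdr.magic != DEMO_MAGIC) {
        /* Cast to unsigned so %X matches the argument type exactly. */
        fprintf(stderr, "unexpected magic 0x%X (wanted 0x%X)\n",
                (unsigned)hdr.magic, DEMO_MAGIC);
        return HDR_BAD_MAGIC;
    }
    *out = hdr;
    return HDR_OK;
}

/* Convenience wrapper: parse a header from an in-memory buffer by staging it
 * through a temporary file, so the reader above can be exercised offline. */
int demo_parse_buffer(const void *buf, size_t len, struct demo_file_header *out)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return HDR_SHORT_READ;
    if (fwrite(buf, 1, len, fp) != len) {
        fclose(fp);
        return HDR_SHORT_READ;
    }
    rewind(fp);
    int rc = demo_read_file_header(fp, out);
    fclose(fp);
    return rc;
}

int main(void)
{
    /* Constructed sample: a well-formed header in host byte order. */
    unsigned char good[sizeof(struct demo_file_header)] = {0};
    uint32_t magic = DEMO_MAGIC;
    memcpy(good, &magic, sizeof magic);

    struct demo_file_header h;
    int rc = demo_parse_buffer(good, sizeof good, &h);
    printf("status=%d magic=0x%X header size=%zu\n", rc, (unsigned)h.magic, sizeof h);
    return rc == HDR_OK ? 0 : 1;
}
```

The two checks are the ones worth keeping whatever the real header looks like: compare the byte count actually read against `sizeof` the header, and compare the magic before any field is used, so a file written by a different version is reported rather than interpreted.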
Barnyard-users mailing list
Barnyard-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/barnyard-users