Snort mailing list archives

Barnyard 'Invalid packet length' error


From: "Wolf, Brian" <Brian.Wolf () richardson k12 tx us>
Date: Mon, 26 Jul 2004 14:54:10 -0500

I'm trying to get barnyard working with snort, but it always fails with
an "Invalid packet length" error.  My setup is:

        RedHat Enterprise AS 3
        snort 2.1.2
        barnyard 0.2.0
        mysql 12.22 Distrib 4.0.18


Snort, barnyard, and mysql were all built from source and are running on
the same machine.  Snort can successfully log directly to mySql if I use
the "output database" option.



Snort output config:

                output alert_unified: filename snort.binalert, limit 128
                output log_unified: filename snort.binlog, limit 128



Snort command line:

                /usr/local/snort/bin/snort -i eth0 -D -X -o -c /usr/local/snort/snort.conf -l /usr/local/snort/log



Barnyard config:

                config hostname: localhost
                config interface: lo
                config filter: not port 22
                output log_acid_db: mysql, database snort, server localhost, user snort, password <passwd>, detail full


Barnyard command line:

                /usr/local/snort/bin/barnyard -c /usr/local/snort/barnyard.conf \
                        -d /usr/local/snort/log \
                        -w /usr/local/snort/bin/waldo.chk \
                        -f snort.binlog \
                        -g /usr/local/snort/rules/gen-msg.map \
                        -s /usr/local/snort/rules/sid-msg.map


Run results:

                /usr/local/snort/bin/barnyard -c /usr/local/snort/barnyard.conf -d /usr/local/snort/log \
                        -w /usr/local/snort/bin/waldo.chk -f snort.binlog \
                        -g /usr/local/snort/rules/gen-msg.map -s /usr/local/snort/rules/sid-msg.map
                Barnyard Version 0.2.0 (Build 32)
                Opened spool file
'/usr/local/snort/log/snort.binlog.1090597145'
                ERROR: Invalid packet length: 299008
                Read error
                Fatal Error, Quitting..
                Exiting


The number listed as the invalid packet length changes from run to run,
suggesting that either Snort isn't writing the packet size or that
Barnyard isn't looking for it in the right location.

Here is the beginning of the log file listed in the above run, although
the problem occurs with any log file:

        od -x  /usr/local/snort/log/snort.binlog.1090597145

                0000000 1080 dead 0001 0002 b9b0 ffff 0000 0000
                0000020 05ea 0000 0001 0000 0001 0000 01d2 0000
                0000040 0001 0000 0004 0000 0002 0000 0005 0000
                0000060 0005 0000 3134 4101 3a4a 000e 0000 8000
                0000100 3134 4101 3a4a 000e 004a 0000 004a 0000
                0000120 0400 59dc 08da 0600 5cd7 c5e9 0008 0045
                0000140 3c00 da8f 0000 0120 2fc1 c7a5 92fa c7a5
                0000160 9603 0008 5d07 0003 0145 4241 4443 4645
                0000200 4847 4a49 4c4b 4e4d 504f 5251 5453 5655
                0000220 4157 4342 4544 4746 4948 0001 0000 01d2
                0000240 0000 0001 0000 0104 0000 1200 0004 0600
                0000260 0000 1b00 0000 0200 0000 2f00 0000 2f00
                0000300 0000 4f00 0131 1d41 031d 9000 0004 4f80
                0000320 0131 1d41 031d ee00 0000 ee00 0000 0000
                0000340 c708 0afa 009e b302 e75f 083e 4500 0000
                0000360 abe0 0094 3b00 8006 42a5 62a9 a51d 08c7
                0000400 0d51 0021 a650 ae84 d90b cbdb 5087 ff18
                0000420 daff 00ac 5000 4f52 4650 4e49 2044 732f
                0000440 6863 6f6f 736c 4820 5454 2f50 2e31 0d31
                0000460 440a 7065 6874 203a 0d30 740a 6172 736e
                0000500 616c 6574 203a 0d66 550a 6573 2d72 6741
                0000520 6e65 3a74 4d20 6369 6f72 6f73 7466 572d




Any suggestions?


- Brian
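As an added example (not code from the post, and not Snort's or barnyard's own code): a small parser for the unified log spool format shown in the dump above, with a packet-length sanity check of the kind that produces the reported error. The struct layouts (24-byte file header, 36-byte Event, 4-byte flags word, 16-byte pcap_pkthdr for a 32-bit build) and the magic value 0xDEAD1080 are my reading of Snort 2.1's spo_unified.h and event.h and should be treated as assumptions; the check itself (captured length must not exceed the snaplen recorded in the file header) is a generic sanity test, not a claim about barnyard's exact code. The first input is the first ten lines of the od -x dump from the post (od -x prints 16-bit words in host order, so each word's two hex pairs are swapped back into file bytes); the second is a constructed spool whose record claims a caplen of 299008, the figure in the reported error, and is rejected.

```python
"""Walk a Snort 2.1 unified log spool (the input behind barnyard's -f snort.binlog)
and apply the packet-length sanity check behind "Invalid packet length".
Added example, not code from the post, Snort or barnyard.  Struct layouts are my
reading of Snort 2.1's spo_unified.h / event.h on 32-bit x86 (assumption)."""
import struct

LOG_MAGIC = 0xDEAD1080          # unified log magic (assumption: Snort's LOG_MAGIC)
# UnifiedLogFileHeader: magic, ver_major, ver_minor, timezone, sigfigs, snaplen, linktype
FILE_HDR = struct.Struct("<IHHiIII")
# Event: generator, sid, rev, classification, priority, event_id, event_ref, tv_sec, tv_usec
EVENT = struct.Struct("<9I")
EVENT_NAMES = ("gen", "sid", "rev", "classification", "priority",
               "event_id", "event_ref", "ref_sec", "ref_usec")
FLAGS = struct.Struct("<I")
PKTHDR = struct.Struct("<IIII")  # 32-bit pcap_pkthdr: tv_sec, tv_usec, caplen, len
FIXED = EVENT.size + FLAGS.size + PKTHDR.size  # 56 bytes precede the packet data


def od_x_to_bytes(dump):
    """Undo 'od -x': it prints 16-bit words in host order, so on x86 the two
    hex digit pairs of every word are swapped relative to the file bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for word in line.split()[1:]:          # first token is the octal offset
            out += struct.pack("<H", int(word, 16))
    return bytes(out)


def parse_unified_log(data):
    """Return {'header', 'records', 'errors'}.  Stops at the first record whose
    caplen exceeds the header's snaplen, the point at which barnyard gives up."""
    out = {"header": None, "records": [], "errors": []}
    if len(data) < FILE_HDR.size:
        out["errors"].append("short file header")
        return out
    magic, vmaj, vmin, tz, _sigfigs, snaplen, linktype = FILE_HDR.unpack_from(data, 0)
    if magic != LOG_MAGIC:
        out["errors"].append("bad magic 0x%08x" % magic)
        return out
    out["header"] = {"version": (vmaj, vmin), "timezone": tz,
                     "snaplen": snaplen, "linktype": linktype}
    off = FILE_HDR.size
    while off < len(data):
        if len(data) - off < FIXED:
            out["errors"].append("truncated record header at offset %d" % off)
            break
        rec = dict(zip(EVENT_NAMES, EVENT.unpack_from(data, off)))
        (rec["flags"],) = FLAGS.unpack_from(data, off + EVENT.size)
        sec, usec, caplen, pktlen = PKTHDR.unpack_from(data, off + EVENT.size + FLAGS.size)
        if caplen > snaplen:          # cannot have captured more than the snaplen
            out["errors"].append("Invalid packet length: %d at offset %d" % (caplen, off))
            break
        pkt_off = off + FIXED
        if len(data) - pkt_off < caplen:
            out["errors"].append("truncated packet data at offset %d" % pkt_off)
            break
        rec.update(ts=(sec, usec), caplen=caplen, pktlen=pktlen,
                   pkt=data[pkt_off:pkt_off + caplen])
        out["records"].append(rec)
        off = pkt_off + caplen
    return out


# First ten lines of the od -x dump from the post: file header, one complete
# record (a 74-byte ICMP echo request) and the first six bytes of the next.
POSTED_DUMP = """
0000000 1080 dead 0001 0002 b9b0 ffff 0000 0000
0000020 05ea 0000 0001 0000 0001 0000 01d2 0000
0000040 0001 0000 0004 0000 0002 0000 0005 0000
0000060 0005 0000 3134 4101 3a4a 000e 0000 8000
0000100 3134 4101 3a4a 000e 004a 0000 004a 0000
0000120 0400 59dc 08da 0600 5cd7 c5e9 0008 0045
0000140 3c00 da8f 0000 0120 2fc1 c7a5 92fa c7a5
0000160 9603 0008 5d07 0003 0145 4241 4443 4645
0000200 4847 4a49 4c4b 4e4d 504f 5251 5453 5655
0000220 4157 4342 4544 4746 4948 0001 0000 01d2
"""


def bad_spool():
    """Constructed spool (not from the post): a valid header followed by a record
    whose caplen is 299008, the figure in the reported error, against snaplen 1514."""
    header = FILE_HDR.pack(LOG_MAGIC, 1, 2, -18000, 0, 1514, 1)
    event = EVENT.pack(1, 466, 1, 4, 2, 6, 6, 1090597172, 0)
    return header + event + FLAGS.pack(0) + PKTHDR.pack(1090597172, 0, 299008, 74) + b"\0" * 74


if __name__ == "__main__":
    for name, blob in (("posted dump", od_x_to_bytes(POSTED_DUMP)),
                       ("constructed bad spool", bad_spool())):
        res = parse_unified_log(blob)
        print(name, res["header"])
        for r in res["records"]:
            print("  gen %(gen)d sid %(sid)d rev %(rev)d caplen %(caplen)d" % r,
                  "ethertype 0x%04x" % struct.unpack("!H", r["pkt"][12:14]))
        for e in res["errors"]:
            print("  ERROR:", e)
```

Run against the posted dump, this decodes the file header (version 1.2, timezone -18000, snaplen 1514, linktype 1) and the first record (generator 1, signature 466, a 74-byte Ethernet frame carrying an ICMP echo request with the 32-byte "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI" payload), then reports the six trailing bytes as a truncated record header, because the post only shows the start of the file. The constructed spool trips the length check at offset 24 with the same number the post reports. Comparing such a decode against what barnyard prints is the quickest way to tell whether the writer and reader disagree about struct layout (for example 32-bit versus 64-bit struct timeval members) or whether the spool itself is damaged.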

