Snort mailing list archives
Re: Barnyard2 creating lots of tcpdump files
From: beenph <beenph () gmail com>
Date: Wed, 23 Nov 2011 13:20:28 -0500
On Wed, Nov 23, 2011 at 4:46 AM, Peter Bates <peter.bates () ucl ac uk> wrote:
> Hello all...
>
> I apologise this isn't strictly a Snort issue - but a problem with Barnyard2.
> IDS is writing 'unified2.alert.xxx' fine as expected - file updates happily.
Greetings Peter,

We have a mailing list for barnyard2 which you can use for barnyard2-related issues: barnyard2-users () googlegroups com.

What type of unified2 output mode do you use in snort?
> My barnyard2.conf specifies:
>
> output alert_syslog: LOG_LOCAL1
> output log_tcpdump: tcpdump.log
> output database: log, mysql, dbname=xyzzy host=localhost user=plugh password=plover detail=full
> The problem I'm seeing which is new to me is that tcpdump.log files are being made almost every minute:
>
> -rw-------. 1 root root  581 Nov 23 09:43 tcpdump.log.1322041395
> -rw-------. 1 root root 1.6K Nov 23 09:42 tcpdump.log.1322041364
> -rw-------. 1 root root  328 Nov 23 09:42 tcpdump.log.1322041362
> -rw-------. 1 root root  536 Nov 23 09:42 tcpdump.log.1322041363
> -rw-------. 1 root root 1.1K Nov 23 09:42 tcpdump.log.1322041356
> -rw-------. 1 root root  125 Nov 23 09:42 tcpdump.log.1322041353
> -rw-------. 1 root root 2.1K Nov 23 09:42 tcpdump.log.1322041345
>
> I'm running Barnyard2 at the moment foregrounded and with -v but other than the occasional:
>
> NULL header length < captured len! (0 bytes)
> NULL header length < captured len! (0 bytes)
>
> It shows no other errors. Has anyone else ever seen this?
>
> --
> Peter Bates
> Senior Computer Security Officer
> Information Services Division
> University College London
> London WC1E 6BT
> Phone: +44(0)2076792049
> Internal Ext: 32049
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Barnyard2 creating lots of tcpdump files Peter Bates (Nov 23)
- Re: Barnyard2 creating lots of tcpdump files beenph (Nov 23)