Snort mailing list archives
Barnyard2 process quits when Output:alert_bro is enabled
From: Jeremy Cox <jeremy.cox () washk12 org>
Date: Fri, 17 Jan 2014 14:33:08 -0700
Anytime I enable the Bro2 alert in the Barnyard2 Config file, Barnyard2 starts right up and runs the standard checks, looks like it will start working and then suddenly stops without any warning message whatsoever. For example:

sudo barnyard2 -c /etc/suricata/barnyard2.conf -d /mnt/iscsi/suricata/log -f unified2.alert -w /mnt/iscsi/suricata/log/suricata.waldo -vvv
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/suricata/barnyard2.conf"
Log directory = /var/log/barnyard2
alert_bro Connecting to Bro (10.0.67.186:47762)...done.

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9 (Build 263)
 |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/mnt/iscsi/suricata/log/suricata.waldo':
    spool directory = /mnt/iscsi/suricata/log
    spool filebase  = unified2.alert
    time_stamp      = 1389914653
    record_idx      = 25442
Opened spool file '/mnt/iscsi/suricata/log/unified2.alert.1389914653'

The process stops at this point. If I compile Barnyard2 with debugging enabled I get this:

sudo barnyard2 -c /etc/suricata/barnyard2.conf -d /mnt/iscsi/suricata/log -f unified2.alert -w /mnt/iscsi/suricata/log/suricata.waldo -v -e
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/suricata/barnyard2.conf"
Log directory = /var/log/barnyard2
alert_bro Connecting to Bro (10.0.67.186:47762)...done.

-------------------------------------------------
Keyword           |          Input @
-------------------------------------------------
unified2          : init() = 0x4314c6
unified2          : - readRecordHeader() = 0x431539
unified2          : - readRecord() = 0x4316f8
-------------------------------------------------

-------------------------------------------------
Keyword           |          Output @
-------------------------------------------------
alert_syslog      : 0x4267fb
log_tcpdump       : 0x4291b3
database          : 0x42cd13
alert_fast        : 0x425419
alert_full        : 0x426021
alert_unixsock    : 0x427da3
alert_csv         : 0x4240e0
log_null          : 0x429097
log_ascii         : 0x428413
alert_bro         : 0x423773
alert_test        : 0x427627
platypus          : 0x42a058
sguil             : 0x42bc14
-------------------------------------------------

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9 (Build 263) DEBUG
 |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/mnt/iscsi/suricata/log/suricata.waldo':
    spool directory = /mnt/iscsi/suricata/log
    spool filebase  = unified2.alert
    time_stamp      = 1389914653
    record_idx      = 25443
Opened spool file '/mnt/iscsi/suricata/log/unified2.alert.1389914653'
IP Len field is 6 bytes smaller than captured length. (ip.len: 40, cap.len: 46)
IP Len field is 6 bytes smaller than captured length. (ip.len: 40, cap.len: 46)
IP Len field is 6 bytes smaller than captured length. (ip.len: 40, cap.len: 46)

The important section of the Barnyard Config file looks like this:

input unified2
output alert_bro: 10.0.67.186:47762
output alert_fast: stdout

If I comment out the "output alert_bro: 10.0.67.186:47762" then Barnyard executes as expected and I see the Fast Alerts scroll on the screen.

Jeremy Cox
Senior Network Engineer, ISO
Washington County School District
121 W Tabernacle - St. George - UT
435-634-4315
www.washk12.org
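A diagnostic wrapper added here as an example, not code from the post or from Barnyard2: it pulls the alert_bro endpoint out of a config of the form shown above, checks that the endpoint accepts a TCP connection, and then reports whether barnyard2 ended with a normal exit status or was killed by a signal (exit codes above 128), which a silently stopping process does not otherwise tell you. The config path and barnyard2 arguments in the usage comment are placeholders for the reader's own.

```shell
#!/bin/sh
# Added example; assumes a Barnyard2 config containing an
# "output alert_bro: HOST:PORT" line like the one in the post.

# Print HOST:PORT from the first uncommented "output alert_bro:" line in a config file.
bro_endpoint_from_conf() {
    sed -n 's/^[[:space:]]*output[[:space:]]*alert_bro:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if a TCP connect to HOST:PORT succeeds, else non-zero.
# Uses nc when available; otherwise falls back to bash's /dev/tcp.
tcp_reachable() {
    host=${1%%:*}; port=${1##*:}
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$host" "$port" >/dev/null 2>&1
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
    fi
}

# Run a command and print how it ended: "exit N", or "signal N" when the
# shell reports 128+N, i.e. the process was terminated by signal N.
describe_exit() {
    rc=0
    "$@" || rc=$?
    if [ "$rc" -gt 128 ]; then
        echo "signal $((rc - 128))"
    else
        echo "exit $rc"
    fi
}

# Pre-flight for the failure in the post: confirm the alert_bro endpoint accepts
# TCP connections, then run barnyard2 in the foreground and report how it ended.
diagnose_alert_bro() {
    conf=$1; shift
    ep=$(bro_endpoint_from_conf "$conf")
    [ -n "$ep" ] || { echo "no active alert_bro output in $conf"; return 2; }
    if tcp_reachable "$ep"; then
        echo "alert_bro endpoint $ep: TCP connect ok"
    else
        echo "alert_bro endpoint $ep: TCP connect failed"
    fi
    describe_exit barnyard2 -c "$conf" "$@"
}

# Usage (placeholder paths):
# diagnose_alert_bro /etc/suricata/barnyard2.conf -d /mnt/iscsi/suricata/log \
#     -f unified2.alert -w /mnt/iscsi/suricata/log/suricata.waldo -v
```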