
Re: [Snort-users] [Sguil-users] Barnyard problem

To: sguil-users@lists.sourceforge.net
Subject: Re: [Snort-users] [Sguil-users] Barnyard problem
From: "Bamm Visscher" <bamm.visscher@gmail.com>
Date: Wed, 17 Jan 2007 09:18:11 -0700
Cc: Snort <snort-users@lists.sourceforge.net>, snort-devel@lists.sourceforge.net
AFAIK, that is a bug in Snort's unified output plugin. For all
practical purposes, the file /nsm/snortsrv//snort.log.1167545618 is
corrupt. To recover, stop snort and barnyard. Then remove (or move)
all the snort.log.####### files in /nsm/snortsrv (not the ones in
/nsm/snortsrv/dailylogs/). Finally, remove your waldo.file and restart
snort and barnyard.

The downside is that any alert that happened after the file became
corrupted is gone. I don't know of any fix; probably the best thing
you can do to limit the impact if this happens again is to restart
snort on a regular basis, as snort will create a new unified file each
time.

Bammkkkk


On 1/17/07, Smith, Brad <brad.smith@saskeds.com> wrote:
> A couple of weeks ago my barnyard portion of the sensor just quit. Not 
> exactly sure what happened, but it won't start up again. The main reason seems 
> to be the invalid packet length as indicated in the screen capture below. Is 
> there a way to edit this file and remove the offending line of data, or how 
> can I recover from this? The sensor is running FreeBSD 6.1.
>
> Thanks,
>
> Brad
>
> ------------------------
>
> Barnyard Version 0.2.0 (Build 32)
> Command line arguments:
>   Config file:           /usr/local/etc/nsm/barnyard.conf
>   Spool dir:             /nsm/snortsrv/
>   Gen-msg file:          gen-msg.map
>   Sid-msg file:          sid-msg.map
>   Class file:            Not specified
>   Log dir:               Not specified
>   Archive dir:           Not specified
>   File base:             snort.log
>   Waldo file:            /nsm/snortsrv/waldo.file
>   Pid file:              Not specified
>   Verbosity level:       3
>   Dry run flag:          Not Set
>   Batch mode flag:       Not Set
>   Daemon flag:           Not Set
>   New records only flag: Not Set
>   Usage flag:            Not Set
>   Version flag:          Not Set
> Config file variables:
>   Hostname:        snortsrv
>   Interface:       fxp1
>   BPF Filter:
>   Class file:      Not specified
>   Sid-msg file:    Not specified
>   Gen-msg file:    Not specified
>   Daemon flag:     Not Set
>   Localtime flag:  Not Set
> Starting data processing using information from bookmark file
> Program Variables:
>   Continual processing mode
>   Config dir:    /usr/local/etc/nsm
>   Config file:   /usr/local/etc/nsm/barnyard.conf
>   Sid-msg file:  /usr/local/etc/nsm/sid-msg.map
>   Gen-msg file:  /usr/local/etc/nsm/gen-msg.map
>   Class file:    /usr/local/etc/nsm/classification.config
>   Hostname:      snortsrv
>   Interface:     fxp1
>   BPF Filter:
>   Log dir:       /var/log/snort
>   Verbosity:     3
>   Localtime:     0
>   Spool dir:     /nsm/snortsrv/
>   Spool file:    snort.log
>   Bookmark file: /nsm/snortsrv/waldo.file
>   Record Number: 838345
>   Timet:         1167545618
>   Start at end:  0
> Opened spool file '/nsm/snortsrv//snort.log.1167545618'
> OpSguil configured
> Connected to localhost on 7735.
> Waiting for sid and cid from sensor_agent.
> Sent: SidCidRequest snortsrv
> Received: SidCidResponse 1 10202700
> Sensor ID: 1
> Last cid: 10202700
> Sensor Name: snortsrv
> Agent Port: 7735
> ERROR: Invalid packet length: 976577328
> Read error
> Fatal Error, Quitting..
> Exiting


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
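The recovery steps from the reply above, written out as an added POSIX shell function (not code from the thread or from the Sguil project). It moves the suspect spool files aside rather than deleting them, leaves dailylogs/ alone, and takes the stop/start commands as parameters because the init scripts for snort and barnyard are an assumption that depends on the host.

```shell
#!/bin/sh
# Added example: recover a barnyard spool after a corrupt unified file.
# Paths follow the thread (/nsm/snortsrv, waldo.file); the stop and start
# commands are placeholders (assumption), e.g. your rc.d scripts.

# recover_spool SPOOL_DIR QUARANTINE_DIR [STOP_CMD] [START_CMD]
# Prints the number of spool files moved; returns non-zero on failure.
recover_spool() {
    spool="$1"              # e.g. /nsm/snortsrv
    quarantine="$2"         # where the corrupt snort.log.* files are parked
    stop_cmd="${3:-true}"   # placeholder: command that stops snort+barnyard
    start_cmd="${4:-true}"  # placeholder: command that starts them again

    [ -d "$spool" ] || { echo "spool dir $spool missing" >&2; return 1; }
    mkdir -p "$quarantine" || return 1

    # 1. Stop both daemons before touching the spool, so nothing is writing
    #    to the unified file while it is moved.
    sh -c "$stop_cmd" || return 1

    # 2. Move only the top-level snort.log.<timet> files. The glob does not
    #    descend, so /nsm/snortsrv/dailylogs/ is untouched as the reply says.
    moved=0
    for f in "$spool"/snort.log.*; do
        [ -f "$f" ] || continue          # no match leaves the literal glob
        mv "$f" "$quarantine"/ && moved=$((moved + 1))
    done

    # 3. Drop the bookmark so barnyard does not seek back into the old
    #    (now absent) spool file at the stored record number.
    rm -f "$spool/waldo.file"

    # 4. Restart; snort opens a fresh unified file on startup.
    sh -c "$start_cmd" || return 1
    echo "$moved"
}
```

Alerts recorded after the corruption point stay in the quarantine directory only as raw bytes; as the reply notes, barnyard cannot replay past the bad record, so the move is for forensic retention, not recovery.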
