
Re: [Snort-users] [Snort-devel] [Sguil-users] Barnyard problem

To: "Bamm Visscher" <bamm.visscher@gmail.com>, <sguil-users@lists.sourceforge.net>
Subject: Re: [Snort-users] [Snort-devel] [Sguil-users] Barnyard problem
From: "Eric Lauzon" <eric.lauzon@abovesecurity.com>
Date: Wed, 17 Jan 2007 13:24:36 -0500
Cc: Snort <snort-users@lists.sourceforge.net>, snort-devel@lists.sourceforge.net
In-reply-to: <27492850701170818l5530f56fo7c61abd43c9edce9@mail.gmail.com>
Greetings,

The initial issue is mainly due to the fact that the original
unified output modes were writing sequentially to the file,
thus if in any way snort was stopped intentionally or unintentionally
while writing one of the data chunks, it would create a corrupted file.

This issue has been partially fixed in a patch that I submitted a while
ago, but my patch didn't cover the last unified output mode.

Thus I might re-submit a more recent patch that completely fixes this
issue for all unified output modes.

As for preventing that issue [unified log writing race condition], you
can turn down the interface on which snort is listening [ifconfig
<inameN> down], resulting in the pcap_loop() or pcap_dispatch() call
failing, thus ensuring that snort is not currently writing to the
unified file.

I shall send the new patch today for the snort 2.6.1N series to the
snort-devel list.

I hope it might help.

-elz
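
As an added illustration, not code from this thread or from Snort/barnyard, of the failure mode described above: a writer stopped mid-record leaves a torn tail, and a reader that trusts the next length field fails the way barnyard did ("Invalid packet length"). The record layout here is a constructed stand-in (4-byte length + payload), not Snort's real unified format; the 976577328 value is the one from Brad's log, and `MAX_PKT_LEN` is an assumed sanity bound.

```python
import struct

# Constructed simplified record layout (NOT Snort's real unified format):
# each record is a 4-byte little-endian payload length followed by the payload.
# Snort's unified files carry a richer per-record header, but the failure mode
# (a length field read from a half-written record) is the same.
HDR = struct.Struct("<I")
MAX_PKT_LEN = 65535  # assumed sanity bound (a pcap snaplen); barnyard's own check differs


def write_records(records):
    """Append records sequentially, as the unified output plugin does."""
    out = bytearray()
    for payload in records:
        out += HDR.pack(len(payload)) + payload
    return bytes(out)


def scan(data):
    """Walk the file the way a spool reader would.

    Returns (records_read, bad_offset, reason); bad_offset is None when the
    file is clean, otherwise the offset of the first record that cannot be
    trusted."""
    off, n = 0, 0
    while off < len(data):
        if off + HDR.size > len(data):
            return n, off, "truncated header"
        (length,) = HDR.unpack_from(data, off)
        if length > MAX_PKT_LEN:
            return n, off, f"Invalid packet length: {length}"
        if off + HDR.size + length > len(data):
            return n, off, "truncated payload"
        off += HDR.size + length
        n += 1
    return n, None, None


def recover(data):
    """Keep only the complete records that precede the first bad one."""
    _, bad, _ = scan(data)
    return data if bad is None else data[:bad]


# Constructed samples: a writer killed two bytes before the end of record 3,
# and a file whose third length field holds garbage (the value from the log).
good = write_records([b"alert-1", b"alert-2", b"alert-3"])
torn = good[:-2]
garbled = good[:22] + HDR.pack(976577328)
```

`scan(torn)` reports the torn tail and `recover(torn)` keeps the two intact records; `scan(garbled)` reproduces the "Invalid packet length: 976577328" condition at the offset of the bad header.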

 

> -----Original Message-----
> From: snort-devel-bounces@lists.sourceforge.net 
> [mailto:snort-devel-bounces@lists.sourceforge.net] On Behalf 
> Of Bamm Visscher
> Sent: Wednesday, January 17, 2007 11:18 AM
> To: sguil-users@lists.sourceforge.net
> Cc: Snort; snort-devel@lists.sourceforge.net
> Subject: Re: [Snort-devel] [Sguil-users] Barnyard problem
> 
> AFAIK, that is a bug in Snort's unified output plugin. For 
> all practical purposes, the file 
> /nsm/snortsrv//snort.log.1167545618 is corrupt. To recover, 
> stop snort and barnyard. Then remove (or move) all the 
> snort.log.####### files in /nsm/snortsrv (not the ones in 
> /nsm/snortsrv/dailylogs/). Finally, remove your waldo.file 
> and restart snort and barnyard.
> 
> The downside is any alert that happened after the file became 
> corrupted is gone. I don't know of any fix, probably the best 
> thing you can do to limit the impact this can cause again is 
> to restart snort on a regular basis as snort will create a 
> new unified file each time.
> 
> Bammkkkk
> 
> 
> On 1/17/07, Smith, Brad <brad.smith@saskeds.com> wrote:
> > A couple of weeks ago my barnyard portion of the sensor 
> > just quit. Not exactly sure what happened but it won't start 
> > up again. The main reason seems to be the invalid packet 
> > length as indicated in the screen capture below. Is there a 
> > way to edit this file and remove the offending line of data 
> > or how can I recover from this. The sensor is running FreeBSD 6.1.
> >
> > Thanks,
> >
> > Brad
> >
> > ------------------------
> >
> > Barnyard Version 0.2.0 (Build 32)
> > Command line arguments:
> >   Config file:           /usr/local/etc/nsm/barnyard.conf
> >   Spool dir:             /nsm/snortsrv/
> >   Gen-msg file:          gen-msg.map
> >   Sid-msg file:          sid-msg.map
> >   Class file:            Not specified
> >   Log dir:               Not specified
> >   Archive dir:           Not specified
> >   File base:             snort.log
> >   Waldo file:            /nsm/snortsrv/waldo.file
> >   Pid file:              Not specified
> >   Verbosity level:       3
> >   Dry run flag:          Not Set
> >   Batch mode flag:       Not Set
> >   Daemon flag:           Not Set
> >   New records only flag: Not Set
> >   Usage flag:            Not Set
> >   Version flag:          Not Set
> > Config file variables:
> >   Hostname:        snortsrv
> >   Interface:       fxp1
> >   BPF Filter:
> >   Class file:      Not specified
> >   Sid-msg file:    Not specified
> >   Gen-msg file:    Not specified
> >   Daemon flag:     Not Set
> >   Localtime flag:  Not Set
> > Starting data processing using information from bookmark 
> > file Program 
> > Variables:
> >   Continual processing mode
> >   Config dir:    /usr/local/etc/nsm
> >   Config file:   /usr/local/etc/nsm/barnyard.conf
> >   Sid-msg file:  /usr/local/etc/nsm/sid-msg.map
> >   Gen-msg file:  /usr/local/etc/nsm/gen-msg.map
> >   Class file:    /usr/local/etc/nsm/classification.config
> >   Hostname:      snortsrv
> >   Interface:     fxp1
> >   BPF Filter:
> >   Log dir:       /var/log/snort
> >   Verbosity:     3
> >   Localtime:     0
> >   Spool dir:     /nsm/snortsrv/
> >   Spool file:    snort.log
> >   Bookmark file: /nsm/snortsrv/waldo.file
> >   Record Number: 838345
> >   Timet:         1167545618
> >   Start at end:  0
> > Opened spool file '/nsm/snortsrv//snort.log.1167545618'
> > OpSguil configured
> > Connected to localhost on 7735.
> > Waiting for sid and cid from sensor_agent.
> > Sent: SidCidRequest snortsrv
> > Received: SidCidResponse 1 10202700
> > Sensor ID: 1
> > Last cid: 10202700
> > Sensor Name: snortsrv
> > Agent Port: 7735
> > ERROR: Invalid packet length: 976577328 Read error Fatal Error, 
> > Quitting..
> > Exiting
> >
> >
> 
> 
> --
> sguil - The Analyst Console for NSM
> http://sguil.sf.net
> 
