Yes, as you indicated, that was the problem. Seemed a bit drastic but it
worked. Everything is back up and running again. Next time I won't try to solve
the problem on my own for days before taking action. :-)
Brad
________________________________
From: sguil-users-bounces@lists.sourceforge.net on behalf of Bamm Visscher
Sent: Wed 1/17/2007 10:18 AM
To: sguil-users@lists.sourceforge.net
Cc: Snort; snort-devel@lists.sourceforge.net
Subject: Re: [Sguil-users] Barnyard problem
AFAIK, that is a bug in Snort's unified output plugin. For all
practical purposes, the file /nsm/snortsrv//snort.log.1167545618 is
corrupt. To recover, stop snort and barnyard. Then remove (or move)
all the snort.log.####### files in /nsm/snortsrv (not the ones in
/nsm/snortsrv/dailylogs/). Finally, remove your waldo.file and restart
snort and barnyard.
The downside is any alert that happened after the file became
corrupted is gone. I don't know of any fix, probably the best thing
you can do to limit the impact this can cause again is to restart
snort on a regular basis as snort will create a new unified file each
time.
Bammkkkk
On 1/17/07, Smith, Brad <brad.smith@saskeds.com> wrote:
> A couple of weeks ago my barnyard portion of the sensor just quit. Not
> exactly sure what happened but it won't start up again. The main reason seems
> to be the invalid packet length as indicated in the screen capture below. Is
> there a way to edit this file and remove the offending line of data or how
> can I recover from this. The sensor is running FreeBSD 6.1.
>
> Thanks,
>
> Brad
>
> ------------------------
>
> Barnyard Version 0.2.0 (Build 32)
> Command line arguments:
> Config file: /usr/local/etc/nsm/barnyard.conf
> Spool dir: /nsm/snortsrv/
> Gen-msg file: gen-msg.map
> Sid-msg file: sid-msg.map
> Class file: Not specified
> Log dir: Not specified
> Archive dir: Not specified
> File base: snort.log
> Waldo file: /nsm/snortsrv/waldo.file
> Pid file: Not specified
> Verbosity level: 3
> Dry run flag: Not Set
> Batch mode flag: Not Set
> Daemon flag: Not Set
> New records only flag: Not Set
> Usage flag: Not Set
> Version flag: Not Set
> Config file variables:
> Hostname: snortsrv
> Interface: fxp1
> BPF Filter:
> Class file: Not specified
> Sid-msg file: Not specified
> Gen-msg file: Not specified
> Daemon flag: Not Set
> Localtime flag: Not Set
> Starting data processing using information from bookmark file
> Program Variables:
> Continual processing mode
> Config dir: /usr/local/etc/nsm
> Config file: /usr/local/etc/nsm/barnyard.conf
> Sid-msg file: /usr/local/etc/nsm/sid-msg.map
> Gen-msg file: /usr/local/etc/nsm/gen-msg.map
> Class file: /usr/local/etc/nsm/classification.config
> Hostname: snortsrv
> Interface: fxp1
> BPF Filter:
> Log dir: /var/log/snort
> Verbosity: 3
> Localtime: 0
> Spool dir: /nsm/snortsrv/
> Spool file: snort.log
> Bookmark file: /nsm/snortsrv/waldo.file
> Record Number: 838345
> Timet: 1167545618
> Start at end: 0
> Opened spool file '/nsm/snortsrv//snort.log.1167545618'
> OpSguil configured
> Connected to localhost on 7735.
> Waiting for sid and cid from sensor_agent.
> Sent: SidCidRequest snortsrv
> Received: SidCidResponse 1 10202700
> Sensor ID: 1
> Last cid: 10202700
> Sensor Name: snortsrv
> Agent Port: 7735
> ERROR: Invalid packet length: 976577328
> Read error
> Fatal Error, Quitting..
> Exiting
>
>
> _______________________________________________
> Sguil-users mailing list
> Sguil-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sguil-users
>
--
sguil - The Analyst Console for NSM
http://sguil.sf.net
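The recovery steps Bamm describes, written as a POSIX sh script (an added example, not code from either post or from the sguil project). It uses the spool directory and waldo path shown in the quoted barnyard output; the FreeBSD rc script names in recover_sensor are assumptions. Files are moved to a quarantine directory rather than deleted so the corrupt unified file can still be examined.

```shell
# quarantine_spool SPOOL_DIR DEST
# Moves every top-level snort.log.<epoch> unified file plus barnyard's
# waldo bookmark out of the spool directory into DEST. Files under
# dailylogs/ are left alone, as the thread advises. Prints the number of
# unified files moved.
quarantine_spool() {
    spool="$1"
    dest="$2"
    mkdir -p "$dest" || return 1
    moved=0
    for f in "$spool"/snort.log.*; do
        [ -f "$f" ] || continue          # no match leaves the glob unexpanded
        mv "$f" "$dest/" || return 1
        moved=$((moved + 1))
    done
    # The bookmark points into the old (corrupt) file; drop it so barnyard
    # starts at the beginning of the new file snort creates.
    if [ -f "$spool/waldo.file" ]; then
        mv "$spool/waldo.file" "$dest/" || return 1
    fi
    echo "$moved"
}

# recover_sensor [SPOOL_DIR] [DEST]
# Full sequence: stop both daemons first so snort is not writing into a file
# being moved and barnyard is not holding the bookmark, then restart.
# rc script paths below are assumed, not taken from the thread.
recover_sensor() {
    spool="${1:-/nsm/snortsrv}"
    dest="${2:-$spool/corrupt.$(date +%s)}"
    /usr/local/etc/rc.d/barnyard stop
    /usr/local/etc/rc.d/snort stop
    n=$(quarantine_spool "$spool" "$dest") || return 1
    echo "moved $n unified log file(s) to $dest"
    /usr/local/etc/rc.d/snort start      # creates a fresh snort.log.<epoch>
    /usr/local/etc/rc.d/barnyard start   # no waldo: begins at the new file
}
```

Alerts already written to the corrupt file are still lost, exactly as Bamm notes; restarting snort on a schedule keeps each unified file, and therefore the worst-case loss, small.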
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users