Re: [Snort-users] Barnyard 'Invalid packet length' error

08-03-2004
Martin Roesch
 
What platform is this on? x86?

You probably don't need the -X switch in there since you're logging in
binary (unified) mode.

I looked at the hexdump you listed there, it looks like the size is
correct in the SnortPktHeader so something else is wrong. Any chance
you can send a sample unified file along for me to take a look at?

-Marty


On Jul 26, 2004, at 3:54 PM, Wolf, Brian wrote:

> I'm trying to get barnyard working with snort, but it always fails
> with an "Invalid packet length" error.  My setup is:
>
>         RedHat Enterprise AS 3
>         snort 2.1.2
>         barnyard 0.2.0
>         mysql 12.22 Distrib 4.0.18
>
> Snort, barnyard, and mysql were all built from source and are running
> on the same machine.  Snort can successfully log directly to mySql if
> I use the "output database" option.
>
> Snort output config:
>
> output alert_unified: filename snort.binalert, limit 128
> output log_unified: filename snort.binlog, limit 128
>
> Snort command line:
>
> /usr/local/snort/bin/snort -i eth0 -D -X -o -c
> /usr/local/snort/snort.conf -l /usr/local/snort/log
>
> Barnyard config:
>
> config hostname: localhost
> config interface: lo
> config filter: not port 22
> output log_acid_db: mysql, database snort, server localhost, user
> snort, password <passwd>, detail full
>
> Barnyard command line:
>
> /usr/local/snort/bin/barnyard -c /usr/local/snort/barnyard.conf \
>                               -d /usr/local/snort/log \
>                               -w /usr/local/snort/bin/waldo.chk \
>                               -f snort.binlog \
>                               -g /usr/local/snort/rules/gen-msg.map \
>                               -s /usr/local/snort/rules/sid-msg.map
>
> Run results:
>
> /usr/local/snort/bin/barnyard -c /usr/local/snort/barnyard.conf -d
> /usr/local/snort/log -w /usr/local/snort/bin/waldo.chk -f snort.binlog \
>      -g /usr/local/snort/rules/gen-msg.map -s
> /usr/local/snort/rules/sid-msg.map
> Barnyard Version 0.2.0 (Build 32)
> Opened spool file '/usr/local/snort/log/snort.binlog.1090597145'
> ERROR: Invalid packet length: 299008
> Read error
> Fatal Error, Quitting..
> Exiting
> [
>
> The number listed as the invalid packet length changes from run to
> run, suggesting that either Snort isn't writing the packet size or
> that Barnyard isn't looking for it in the right location.
>
> Here is the beginning of the log file listed in the above run,
> although the problem occurs with any log file
>
>         od -x /usr/local/snort/log/snort.binlog.1090597145
>
> 0000000 1080 dead 0001 0002 b9b0 ffff 0000 0000
> 0000020 05ea 0000 0001 0000 0001 0000 01d2 0000
> 0000040 0001 0000 0004 0000 0002 0000 0005 0000
> 0000060 0005 0000 3134 4101 3a4a 000e 0000 8000
> 0000100 3134 4101 3a4a 000e 004a 0000 004a 0000
> 0000120 0400 59dc 08da 0600 5cd7 c5e9 0008 0045
> 0000140 3c00 da8f 0000 0120 2fc1 c7a5 92fa c7a5
> 0000160 9603 0008 5d07 0003 0145 4241 4443 4645
> 0000200 4847 4a49 4c4b 4e4d 504f 5251 5453 5655
> 0000220 4157 4342 4544 4746 4948 0001 0000 01d2
> 0000240 0000 0001 0000 0104 0000 1200 0004 0600
> 0000260 0000 1b00 0000 0200 0000 2f00 0000 2f00
> 0000300 0000 4f00 0131 1d41 031d 9000 0004 4f80
> 0000320 0131 1d41 031d ee00 0000 ee00 0000 0000
> 0000340 c708 0afa 009e b302 e75f 083e 4500 0000
> 0000360 abe0 0094 3b00 8006 42a5 62a9 a51d 08c7
> 0000400 0d51 0021 a650 ae84 d90b cbdb 5087 ff18
> 0000420 daff 00ac 5000 4f52 4650 4e49 2044 732f
> 0000440 6863 6f6f 736c 4820 5454 2f50 2e31 0d31
> 0000460 440a 7065 6874 203a 0d30 740a 6172 736e
> 0000500 616c 6574 203a 0d66 550a 6573 2d72 6741
> 0000520 6e65 3a74 4d20 6369 6f72 6f73 7466 572d
>
> Any suggestions?
>
> - Brian
>

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
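Marty's reply rests on reading the hexdump by hand. The following script, added here as an example and not code from Marty, Brian, Snort or barnyard, does that reading mechanically: it turns Brian's `od -x` lines back into bytes, decodes the unified log file header and the per-record headers, applies the kind of sanity check barnyard's error message implies (caplen must fit within snaplen and pktlen), and then scans forward for the next header that looks self-consistent. The on-disk layout it assumes is the one Snort 2.1 writes on 32-bit x86: a little-endian file header mirroring pcap's (magic, major, minor, timezone, sigfigs, snaplen, linktype), and each record an Event (seven u32 fields plus a timeval), a flags word, and a SnortPktHeader (timeval, caplen, pktlen) followed by caplen bytes of packet. With that layout the first record decodes cleanly (sid 466, a 74-byte ICMP echo), and reading the second record from where the first one ends yields caplen 299008, the exact number in Brian's error; the resync heuristic (ref_time equal to the packet timestamp, which holds for every record in the dump, plus a sane caplen) finds a consistent header 13 bytes later. The dump stops at 352 bytes, so the second packet's body cannot be checked against it; the resync offset is therefore a reading of the dump under the assumed layout, not a confirmed diagnosis.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Brian's `od -x` output, pasted from the post (only the first 352 bytes of
# the spool file are in the dump).
OD_DUMP = """\
0000000 1080 dead 0001 0002 b9b0 ffff 0000 0000
0000020 05ea 0000 0001 0000 0001 0000 01d2 0000
0000040 0001 0000 0004 0000 0002 0000 0005 0000
0000060 0005 0000 3134 4101 3a4a 000e 0000 8000
0000100 3134 4101 3a4a 000e 004a 0000 004a 0000
0000120 0400 59dc 08da 0600 5cd7 c5e9 0008 0045
0000140 3c00 da8f 0000 0120 2fc1 c7a5 92fa c7a5
0000160 9603 0008 5d07 0003 0145 4241 4443 4645
0000200 4847 4a49 4c4b 4e4d 504f 5251 5453 5655
0000220 4157 4342 4544 4746 4948 0001 0000 01d2
0000240 0000 0001 0000 0104 0000 1200 0004 0600
0000260 0000 1b00 0000 0200 0000 2f00 0000 2f00
0000300 0000 4f00 0131 1d41 031d 9000 0004 4f80
0000320 0131 1d41 031d ee00 0000 ee00 0000 0000
0000340 c708 0afa 009e b302 e75f 083e 4500 0000
0000360 abe0 0094 3b00 8006 42a5 62a9 a51d 08c7
0000400 0d51 0021 a650 ae84 d90b cbdb 5087 ff18
0000420 daff 00ac 5000 4f52 4650 4e49 2044 732f
0000440 6863 6f6f 736c 4820 5454 2f50 2e31 0d31
0000460 440a 7065 6874 203a 0d30 740a 6172 736e
0000500 616c 6574 203a 0d66 550a 6573 2d72 6741
0000520 6e65 3a74 4d20 6369 6f72 6f73 7466 572d
"""

LOG_MAGIC = 0xDEAD1080
# Assumed Snort 2.1 layout (32-bit x86, little-endian).
# File header: magic, version_major, version_minor, timezone, sigfigs, snaplen, linktype.
FILE_HDR = struct.Struct("<IHHiIII")
# Record header: Event (sig_generator, sig_id, sig_rev, classification, priority,
# event_id, event_reference, ref_time sec/usec), flags, SnortPktHeader (ts sec/usec, caplen, pktlen).
REC_HDR = struct.Struct("<14I")


def od_x_to_bytes(text: str) -> bytes:
    """Reverse `od -x`: each 4-digit word is a host-order (little-endian)
    16-bit value on x86, so the word 'dead' is the bytes ad de."""
    out = bytearray()
    for line in text.splitlines():
        for word in line.split()[1:]:          # first column is the octal offset
            w = int(word, 16)
            out += bytes((w & 0xFF, w >> 8))
    return bytes(out)


def parse_file_header(data: bytes) -> dict:
    magic, major, minor, tz, sigfigs, snaplen, linktype = FILE_HDR.unpack_from(data, 0)
    if magic != LOG_MAGIC:
        raise ValueError("not a unified log file (magic 0x%08x)" % magic)
    return {"version": (major, minor), "timezone": tz, "snaplen": snaplen, "linktype": linktype}


@dataclass
class Record:
    offset: int
    sig_generator: int
    sig_id: int
    sig_rev: int
    caplen: int
    pktlen: int
    problem: str = ""


def check_record(data: bytes, off: int, snaplen: int) -> Tuple[Optional[Record], Optional[str]]:
    """Decode the record header at `off` and apply the sanity check that
    barnyard's message implies (assumption: its own test may differ)."""
    if off + REC_HDR.size > len(data):
        return None, "truncated record header"
    f = REC_HDR.unpack_from(data, off)
    rec = Record(off, f[0], f[1], f[2], f[12], f[13])
    if rec.caplen == 0 or rec.caplen > snaplen or rec.caplen > rec.pktlen:
        return rec, "Invalid packet length: %d" % rec.caplen
    return rec, None


def walk_records(data: bytes, snaplen: int) -> List[Record]:
    """Read records the way a spool reader does: header, then caplen bytes of
    packet. Stops at the first record that fails the sanity check."""
    records, off = [], FILE_HDR.size
    while off + REC_HDR.size <= len(data):
        rec, problem = check_record(data, off, snaplen)
        records.append(rec)
        if problem:
            rec.problem = problem
            break
        off += REC_HDR.size + rec.caplen
    return records


def resync(data: bytes, start: int, snaplen: int, window: int = 64) -> Optional[int]:
    """Scan byte by byte past a bad record for the next plausible header.
    Heuristic (not barnyard's): every record in the dump has ref_time equal
    to the packet timestamp, and caplen must be sane."""
    last = min(start + window, len(data) - REC_HDR.size)
    for off in range(start + 1, last + 1):
        f = REC_HDR.unpack_from(data, off)
        ref_time, pkt_time, caplen, pktlen = f[7:9], f[10:12], f[12], f[13]
        if ref_time == pkt_time and 0 < caplen <= snaplen and caplen <= pktlen:
            return off
    return None


if __name__ == "__main__":
    data = od_x_to_bytes(OD_DUMP)
    hdr = parse_file_header(data)
    print("file header:", hdr)
    bad = None
    for rec in walk_records(data, hdr["snaplen"]):
        print("record @%d gen=%d sid=%d rev=%d caplen=%d pktlen=%d %s" % (
            rec.offset, rec.sig_generator, rec.sig_id, rec.sig_rev, rec.caplen, rec.pktlen, rec.problem))
        bad = rec if rec.problem else bad
    if bad is not None:
        nxt = resync(data, bad.offset, hdr["snaplen"])
        if nxt is not None:
            print("next plausible record at offset %d (%d stray bytes)" % (nxt, nxt - bad.offset))
```

Run it as a script to see the file header, both decoded records and the resync result; the same functions work on a real spool file if you read it into `data` instead of converting a dump. The value of doing this mechanically is that the check is the reader's check: whichever side is at fault, a record whose caplen exceeds the file's own snaplen is the first place the file and its reader disagree, and the offset tells you whether the file header, the previous record's caplen, or the bytes in between are what to look at.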


