Re: [Snort-users] [Sguil-users] Barnyard stop suddenly

permalink · #1 (**permalink**) 10-10-2006

I've run into this only when the disk that snort was writing its unified
log to filled up. As best as I could tell the problem was due to snort
not discovering that a write failed, and not writing a full chunk to the
unified log file. Once the disk unfilled some snort would pick up where
it left off. The end result was a corrupt unified log file.

For me the best fix was to put the full packet capture logs on a disk
other than where snort was writing its unified alert log. However, I
also have a patch for snort (2.6) that causes it to exit when the writes
fail. This doesn't actually solve the problem (you still lose all data
after the disk filled up), but does make recovering a bit easier. Let
me know if you want it and I'll dig it out.

-devink
On Tue, Oct 10, 2006 at 09:12:00AM -0600, Bamm Visscher wrote:
> This is a snort unified output problem that creeps up every couple of
> months. I am not sure there has ever been a fix for it. What version
> of snort are you running?
>
> Bammkkkk
>
>
> On 10/10/06, Jes?s G?lvez <jesuxgalvez@yahoo.es> wrote:
> > Hi, I hace installed snort+sguil+barnyard. My problem is that when some time
> > pass (usually one day), barnyard is down, and I only got raise it erasing
> > waldo.file
> > and restarting the service barnyard.
> >
> > If I try raise the service without erase waldo.dile the syslog give me the
> > next error:
> >
> > ERROR: Invalid packet length: 171390775
> > Oct 9 11:42:54 localhost barnyard[19280]: FATAL ERROR: Read error
> > Oct 9 11:42:54 localhost barnyard[19280]: Exiting
> >
> >
> > I don?t know where can be the problem.
> >
> >
> > ________________________________
> >
> > LLama Gratis a cualquier PC del Mundo.
> > Llamadas a fijos y m?viles desde 1 c?ntimo por minuto.
> > http://es.voice.yahoo.com
> >
> >
> > -------------------------------------------------------------------------
> > Take Surveys. Earn Cash. Influence the Future of IT
> > Join SourceForge.net's Techsay panel and you'll get the chance to share your
> > opinions on IT & business topics through brief surveys -- and earn cash
> > http://www.techsay.com/default.php?p...rge&CID=DEVDEV
> >
> > _______________________________________________
> > Sguil-users mailing list
> > Sguil-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/...fo/sguil-users
> >
> >
> >
>
>
> --
> sguil - The Analyst Console for NSM
> http://sguil.sf.net
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys -- and earn cash
> http://www.techsay.com/default.php?p...rge&CID=DEVDEV
> _______________________________________________
> Sguil-users mailing list
> Sguil-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/...fo/sguil-users
>

--
Devin Kowatch
System Administrator
Sony Computer Entertainment America
dkowatch@scea.com

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?p...rge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode