[Oisf-users] Odd Suricata and Barnyard2 problem
Peter Bates
peter.bates at ucl.ac.uk
Wed Nov 23 14:35:05 UTC 2011
Hello all
Apologies to those who might have seen this on snort-users - I thought
initially it might be just a Barnyard2 problem.
I'm running Suricata 1.1 on Linux, 8 CPU cores and AF_PACKET mode on a
single interface.
When running I get a lot of http/tls app layer errors - and
FLOW_EMERGENCY being set quite regularly.
Suricata seems to be happily writing to a unified2 file - but when I
process it with Barnyard2 I get an odd result.
My Barnyard2 config reads from the unified2 - and writes to syslog/DB
and tcpdump.log.
Recently the tcpdump.log files have been rotating at a ridiculous level:
-rw-------. 1 root root 492 Nov 23 14:31 tcpdump.log.1322058709
-rw-------. 1 root root 2136 Nov 23 14:31 tcpdump.log.1322058599
-rw-------. 1 root root 798 Nov 23 14:29 tcpdump.log.1322058596
-rw-------. 1 root root 809 Nov 23 14:29 tcpdump.log.1322058542
-rw-------. 1 root root 799 Nov 23 14:28 tcpdump.log.1322058525
When I use file to query the files:
# file tcpdump.log.1322058709
tcpdump.log.1322058709: tcpdump capture file (little-endian) - version
2.4 (raw IP, capture length 1514)
# file tcpdump.log.1322058599
tcpdump.log.1322058599: tcpdump capture file (little-endian) - version
2.4 (Ethernet, capture length 1514)
-- they seem to be alternating between 'raw IP' and the usual
'Ethernet' capture type.
Has anyone seen this behaviour before and can suggest a fix?
Thanks.
--
Peter Bates
Senior Computer Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT
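As an added example (not from the original post, nor Barnyard2 or Suricata code), a small Python checker that reads the 24-byte pcap global header of each rotated tcpdump.log file and reports the link-layer type the way `file` does, so the 'raw IP' and 'Ethernet' files can be separated before merging or decoding them. The sample headers built by `make_header` are constructed for the demonstration; the file glob `tcpdump.log.*` is an assumption matching the listing above.

```python
import glob
import struct

# pcap magic bytes as they appear on disk; value is the struct endianness prefix
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}
# link-layer type values (LINKTYPE_ETHERNET, DLT_RAW, LINKTYPE_RAW) and the
# names 'file' prints for them
LINKTYPE_NAMES = {1: "Ethernet", 12: "raw IP", 101: "raw IP"}


def parse_pcap_header(data):
    """Decode a pcap global header into version, snaplen and link-layer type."""
    if len(data) < 24:
        raise ValueError("short pcap header (%d bytes)" % len(data))
    endian = MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a pcap file: magic %s" % data[:4].hex())
    # magic(4) | major(2) | minor(2) | thiszone(4) | sigfigs(4) | snaplen(4) | network(4)
    major, minor, _zone, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    return {
        "endian": "little-endian" if endian == "<" else "big-endian",
        "version": "%d.%d" % (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "name": LINKTYPE_NAMES.get(linktype, "unknown (%d)" % linktype),
    }


def make_header(linktype, snaplen=1514, endian="<"):
    """Constructed pcap v2.4 global header used to exercise the parser offline."""
    magic = b"\xd4\xc3\xb2\xa1" if endian == "<" else b"\xa1\xb2\xc3\xd4"
    return magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, snaplen, linktype)


def group_files(paths):
    """Map each link-layer name to the files that use it, reading only the header."""
    groups = {}
    for path in sorted(paths):
        with open(path, "rb") as fh:
            info = parse_pcap_header(fh.read(24))
        groups.setdefault(info["name"], []).append(path)
    return groups


if __name__ == "__main__":
    groups = group_files(glob.glob("tcpdump.log.*"))  # assumed rotation naming
    for name, files in groups.items():
        print("%s: %d file(s): %s" % (name, len(files), ", ".join(files)))
    if len(groups) > 1:
        print("mixed link-layer types: decode or merge each group separately")
```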