[Oisf-users] Odd Suricata and Barnyard2 problem

Peter Bates peter.bates at ucl.ac.uk
Wed Nov 23 14:35:05 UTC 2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all

Apologies to those who might have seen this on snort-users - I thought
initially it might be just a Barnyard2 problem.

I'm running Suricata 1.1 on Linux, 8 CPU cores and AF_PACKET mode on a
single interface.

When running I get a lot of http/tls app layer errors - and
FLOW_EMERGENCY being set quite regularly.

Suricata seems to be happily writing to a unified2 file - but when I
process it with Barnyard2 I get an odd result.

My Barnyard2 config reads from the unified2 - and writes to syslog/DB
and tcpdump.log.

Recently the tcpdump.log files have been rotating at a ridiculous level:

- -rw-------. 1 root     root        492 Nov 23 14:31 tcpdump.log.1322058709
- -rw-------. 1 root     root       2136 Nov 23 14:31 tcpdump.log.1322058599
- -rw-------. 1 root     root        798 Nov 23 14:29 tcpdump.log.1322058596
- -rw-------. 1 root     root        809 Nov 23 14:29 tcpdump.log.1322058542
- -rw-------. 1 root     root        799 Nov 23 14:28 tcpdump.log.1322058525

When I use file to query the files:
# file tcpdump.log.1322058709
tcpdump.log.1322058709: tcpdump capture file (little-endian) - version
2.4 (raw IP, capture length 1514)
# file tcpdump.log.1322058599
tcpdump.log.1322058599: tcpdump capture file (little-endian) - version
2.4 (Ethernet, capture length 1514)

- - they seem to be alternating between 'raw IP' and the usual
'Ethernet' capture type.

Has anyone seen this behaviour before and can suggest a fix?

Thanks.

- -- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division	    Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJOzQSZAAoJELhVoVpEMS6RQ3gH/RssOHhw1+wbrvP7ZbZ2tcca
e5CfIx0fuc1dQTvbgZfZ8dPOEmBf9pzGLvjgGqFGMA8G0dwUvvF6CvcCHuoTcCyi
U4yg4BOA9nUExoX9eRGEEQSLAwKafWFwuOsEeg7WMv14/qq8OQbqAkDvz+C9IULd
cuKdHRwdbsu5pJbmXIxHR3p50ZrdhwJI1M1AixmAUZX4C4RcMXPZseddsHBq2fMV
a9qW9bk6uvtZOuPmfB9TO6sNNyha9zEWxl+q+8+3I/Y69Qb3qKQXjGJsfkYhCzyi
bAbJyhZB+YehRhg7bhP+Au/omz66RSELb7yAPuFjS6GjeCvr1qWNSM6YvS9Wjxg=
=wkz0
-----END PGP SIGNATURE-----

More information about the Oisf-users mailing list