[Oisf-users] Odd Suricata and Barnyard2 problem

Eric Leblond eric at regit.org
Wed Nov 23 17:03:07 UTC 2011


Le mercredi 23 novembre 2011 à 15:38 +0000, Peter Bates a écrit :
> Hello again all
> On 23/11/2011 14:35, Peter Bates wrote:
> > Has anyone seen this behaviour before and can suggest a fix?
> Apologies for replying to my own post.
> Cross-checking on the same box - Snort does not exhibit this
> behaviour.
> Does Suricata possibly write an inconsistent unified2 log under load?

No. At least, this behaviour is not known.

> I'm struggling to see why the two applications both produce unified2
> files - but barnyard2 generates one tcpdump file for Snort and a
> constantly growing number from Suricata.

As found out by Victor Julien (on a discussion channel) this is linked
with a change made in suricata 1.1. It now logs forged packets
constructed from application level data. These packet were of type RAW,
which is confusing barnyard2.

I send a corrective patch in follow-up of this mail. It will now
generate ethernet packet if the original packet is of ethernet type.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20111123/3f610ea9/attachment.sig>

More information about the Oisf-users mailing list