[Oisf-users] Odd Suricata and Barnyard2 problem
Eric Leblond
eric at regit.org
Wed Nov 23 17:03:07 UTC 2011
Hello,
On Wednesday, 23 November 2011 at 15:38 +0000, Peter Bates wrote:
> Hello again all
>
> On 23/11/2011 14:35, Peter Bates wrote:
> > Has anyone seen this behaviour before and can suggest a fix?
>
> Apologies for replying to my own post.
>
> Cross-checking on the same box - Snort 2.9.1.2 does not exhibit this
> behaviour.
>
> Does Suricata possibly write an inconsistent unified2 log under load?
No. At least, this behaviour is not known.
>
> I'm struggling to see why the two applications both produce unified2
> files - but barnyard2 generates one tcpdump file for Snort and a
> constantly growing number from Suricata.
As found out by Victor Julien (on a discussion channel), this is linked
to a change made in Suricata 1.1. It now logs forged packets
constructed from application-level data. These packets were of type RAW,
which confuses barnyard2.
I'm sending a corrective patch as a follow-up to this mail. It will now
generate an Ethernet packet if the original packet is of Ethernet type.
BR,
--
Eric
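An added example, not code from Suricata, barnyard2 or the patch Eric mentions: a small Python reader for unified2 packet records that lists the linktype of every record in a spool and counts how often it changes between consecutive records, plus a helper that prepends a synthetic Ethernet header to a RAW IP packet, which is the shape of fix the mail describes. The field layout is the unified2 packet record (type 2: sensor_id, event_id, event_second, packet_second, packet_microsecond, linktype, packet_length, all 32-bit big-endian, followed by the packet bytes). Assumptions: DLT values 1 for Ethernet and 12 for RAW (the Linux libpcap value), zeroed MAC addresses in the synthetic header, and that a tcpdump-style writer keyed on linktype opens a new output file at each change, which is consistent with the symptom in the thread but is not verified against barnyard2 here. The spool bytes are constructed inline.

```python
"""Inspect unified2 packet records for mixed link types (added example)."""
import struct

UNIFIED2_PACKET = 2
DLT_EN10MB = 1   # Ethernet
DLT_RAW = 12     # raw IP, no link-layer header (assumed: Linux libpcap value)

# Every unified2 record starts with: type, length of the body that follows.
_REC_HDR = struct.Struct(">II")
# Packet record body up to the packet bytes (seven big-endian u32 fields).
_PKT_HDR = struct.Struct(">IIIIIII")


def build_packet_record(event_id, linktype, packet, sensor_id=1, ts=1322067787):
    """Serialize one unified2 packet record; used here only to build sample input."""
    body = _PKT_HDR.pack(sensor_id, event_id, ts, ts, 0, linktype, len(packet)) + packet
    return _REC_HDR.pack(UNIFIED2_PACKET, len(body)) + body


def iter_records(buf):
    """Yield (record_type, body) for each record in a unified2 byte string."""
    off = 0
    while off + _REC_HDR.size <= len(buf):
        rtype, rlen = _REC_HDR.unpack_from(buf, off)
        off += _REC_HDR.size
        if off + rlen > len(buf):
            raise ValueError("truncated unified2 record at offset %d" % off)
        yield rtype, buf[off:off + rlen]
        off += rlen


def packet_linktypes(buf):
    """Return the linktype of every packet record, in spool order."""
    out = []
    for rtype, body in iter_records(buf):
        if rtype != UNIFIED2_PACKET:
            continue
        fields = _PKT_HDR.unpack_from(body)
        linktype, pkt_len = fields[5], fields[6]
        if len(body) - _PKT_HDR.size != pkt_len:
            raise ValueError("packet_length does not match record length")
        out.append(linktype)
    return out


def count_linktype_changes(linktypes):
    """Times the linktype differs from the previous packet record.
    Assumption: a pcap writer keyed on linktype opens a new file per change."""
    return sum(1 for a, b in zip(linktypes, linktypes[1:]) if a != b)


def wrap_raw_in_ethernet(raw_ip, src_mac=b"\x00" * 6, dst_mac=b"\x00" * 6):
    """Prepend a synthetic Ethernet header to a RAW IP packet so it can sit
    beside DLT_EN10MB records. Ethertype comes from the IP version nibble;
    zero MACs are a placeholder. Illustrates the idea in the mail, not the patch."""
    ethertype = {4: 0x0800, 6: 0x86DD}.get(raw_ip[0] >> 4)
    if ethertype is None:
        raise ValueError("not an IPv4/IPv6 packet")
    return dst_mac + src_mac + struct.pack(">H", ethertype) + raw_ip


# Constructed sample packets: a bare 20-byte IPv4 header and the same header
# inside an Ethernet frame.
IPV4_HDR = bytes([0x45, 0x00, 0x00, 0x14]) + b"\x00" * 16
ETH_FRAME = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
             + b"\x08\x00" + IPV4_HDR)

# Constructed spool: Ethernet packet, then a reassembled RAW pseudo-packet,
# then Ethernet again, i.e. the mix described in the thread.
SAMPLE_SPOOL = (build_packet_record(1, DLT_EN10MB, ETH_FRAME)
                + build_packet_record(2, DLT_RAW, IPV4_HDR)
                + build_packet_record(3, DLT_EN10MB, ETH_FRAME))

# Same spool with the RAW record rewritten as Ethernet.
FIXED_SPOOL = (build_packet_record(1, DLT_EN10MB, ETH_FRAME)
               + build_packet_record(2, DLT_EN10MB, wrap_raw_in_ethernet(IPV4_HDR))
               + build_packet_record(3, DLT_EN10MB, ETH_FRAME))

if __name__ == "__main__":
    for name, spool in (("mixed", SAMPLE_SPOOL), ("fixed", FIXED_SPOOL)):
        lt = packet_linktypes(spool)
        print(name, "linktypes:", lt, "changes:", count_linktype_changes(lt))
```

To check a real spool, read the file as bytes and pass it to packet_linktypes; a list that alternates between 1 and 12 is the condition the thread is about, and the change count gives a rough idea of how many output files a linktype-keyed writer would produce.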