[Oisf-users] Odd Suricata and Barnyard2 problem
Peter Bates
peter.bates at ucl.ac.uk
Thu Nov 24 13:01:02 UTC 2011
Hello all
On 23/11/2011 17:03, Eric Leblond wrote:
> As found out by Victor Julien (on a discussion channel) this is
> linked with a change made in suricata 1.1. It now logs forged
> packets constructed from application level data. These packets were
> of type RAW, which is confusing barnyard2.
Thanks for the patch - which I've applied.
It now no longer creates multiple growing tcpdump files, but instead
doesn't log at all:
# ls -l /var/log/suricata/
total 296
-rw-r--r--. 1 suricata suricata      0 Nov 24 12:38 drop.log
-rw-r--r--. 1 root     root     236639 Nov 24 12:48 stats.log
-rw-------. 1 root     root          0 Nov 24 12:39 tcpdump.log.1322138371
-rw-r--r--. 1 suricata suricata  44273 Nov 24 12:48 unified2.alert.1322138305
Barnyard2 (with -v) throws no errors - but the unified2 file grows
with nothing being logged to syslog, DB or the newly opened tcpdump file.
I guess there is something rather broken with my monitoring
infrastructure but Snort 2.9.1.2/Barnyard2 seems to work okay on the
same box (but is heavily loaded, lacking the multiple CPU/core support
of Suricata).
--
Peter Bates
Senior Computer Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT
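The symptom in the message above (unified2 file growing, barnyard2 silent) is easiest to pin down by looking at what is actually in the unified2 file: which record types are present and, for packet records, which link-layer type they declare, since the thread says the forged packets of type RAW are what confused barnyard2. The script below is an added example written for this page, not code from Suricata, barnyard2 or the thread. It assumes the standard unified2 record layout (big-endian type/length header, packet records with a seven-field header ending in linktype and packet_length) and the Linux libpcap values DLT_EN10MB = 1 and DLT_RAW = 12; the sample file it builds is constructed inline.

```python
import struct
import sys

# Unified2 record types used here (Snort/Suricata unified2 format).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_V2 = 104
UNIFIED2_IDS_EVENT_IPV6_V2 = 105
EVENT_TYPES = (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_V2, UNIFIED2_IDS_EVENT_IPV6_V2)

# libpcap link-layer types, Linux values (assumption: DLT_RAW is 14 on OpenBSD).
DLT_EN10MB = 1
DLT_RAW = 12

RECORD_HDR = struct.Struct(">II")   # record type, record length (network byte order)
PACKET_HDR = struct.Struct(">7I")   # sensor_id, event_id, event_second, packet_second,
                                    # packet_microsecond, linktype, packet_length


def iter_records(buf):
    """Yield (type, body) for every record in buf; raise on a truncated record."""
    off = 0
    while off < len(buf):
        if len(buf) - off < RECORD_HDR.size:
            raise ValueError(f"truncated record header at offset {off}")
        rtype, rlen = RECORD_HDR.unpack_from(buf, off)
        off += RECORD_HDR.size
        if len(buf) - off < rlen:
            raise ValueError(f"truncated record body at offset {off}")
        yield rtype, buf[off:off + rlen]
        off += rlen


def summarize(buf):
    """Count records by type and packet records by linktype."""
    summary = {"records": {}, "packet_linktypes": {}, "bad_packets": 0}
    for rtype, body in iter_records(buf):
        summary["records"][rtype] = summary["records"].get(rtype, 0) + 1
        if rtype != UNIFIED2_PACKET:
            continue
        if len(body) < PACKET_HDR.size:
            summary["bad_packets"] += 1
            continue
        linktype, plen = PACKET_HDR.unpack_from(body)[5:7]
        lt = summary["packet_linktypes"]
        lt[linktype] = lt.get(linktype, 0) + 1
        if plen != len(body) - PACKET_HDR.size:   # declared length must match the body
            summary["bad_packets"] += 1
    return summary


def diagnose(summary):
    """Turn the counts into the findings a barnyard2 operator would act on."""
    notes = []
    if not any(t in summary["records"] for t in EVENT_TYPES):
        notes.append("no event records: nothing for barnyard2 to output")
    raw = summary["packet_linktypes"].get(DLT_RAW, 0)
    if raw:
        notes.append(f"{raw} packet record(s) with linktype DLT_RAW ({DLT_RAW}): "
                     "the packet type the thread reports as confusing barnyard2")
    if summary["bad_packets"]:
        notes.append(f"{summary['bad_packets']} packet record(s) with inconsistent length")
    return notes


def packet_record(linktype, pkt, event_id=1, sensor_id=0, ts=1322138305):
    """Build one unified2 packet record (used only to construct the sample file)."""
    body = PACKET_HDR.pack(sensor_id, event_id, ts, ts, 0, linktype, len(pkt)) + pkt
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


# Constructed sample: an IDS event record with a zeroed 52-byte placeholder body
# (summarize() does not decode event fields), one packet record carrying a bare
# IPv4 header as DLT_RAW, and one carrying the same header behind a 14-byte
# Ethernet header as DLT_EN10MB. Checksums are zero; it is not a real capture.
IPV4_HDR = bytes.fromhex("4500001400010000400600000a0000010a000002")
ETH_HDR = bytes(12) + b"\x08\x00"
SAMPLE = (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, 52) + bytes(52)
          + packet_record(DLT_RAW, IPV4_HDR)
          + packet_record(DLT_EN10MB, ETH_HDR + IPV4_HDR))

if __name__ == "__main__":
    # Usage: python unified2_check.py /var/log/suricata/unified2.alert.1322138305
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    s = summarize(data)
    print("records by type:", s["records"])
    print("packet records by linktype:", s["packet_linktypes"])
    for note in diagnose(s):
        print("-", note)
```

Run it against the growing unified2.alert file: if event records are present but every packet record is DLT_RAW, the file is consistent with the Suricata 1.1 behaviour the thread describes; if the file holds no event records at all, barnyard2 has nothing to emit regardless of packet linktype, which points back at the Suricata output configuration rather than at barnyard2.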