[Oisf-users] Odd Suricata and Barnyard2 problem
Eric Leblond
eric at regit.org
Thu Nov 24 13:19:18 UTC 2011
Hi,
On Thursday 24 November 2011 at 13:01 +0000, Peter Bates wrote:
> Hello all
>
> On 23/11/2011 17:03, Eric Leblond wrote:
> > As found out by Victor Julien (on a discussion channel) this is
> > linked with a change made in suricata 1.1. It now logs forged
> > packets constructed from application-level data. These packets were
> > of type RAW, which confuses barnyard2.
>
> Thanks for the patch - which I've applied.
>
> It now no longer creates multiple growing tcpdump files, but instead
> doesn't log at all:
>
> # ls -l /var/log/suricata/
> total 296
> -rw-r--r--. 1 suricata suricata 0 Nov 24 12:38 drop.log
> -rw-r--r--. 1 root root 236639 Nov 24 12:48 stats.log
> -rw-------. 1 root root 0 Nov 24 12:39 tcpdump.log.1322138371
> -rw-r--r--. 1 suricata suricata 44273 Nov 24 12:48
> unified2.alert.1322138305
>
> Barnyard2 (with -v) throws no errors - but the unified2 file grows
> with nothing being logged to syslog, DB or the newly opened tcpdump file.
>
> I guess there is something rather broken with my monitoring
> infrastructure but Snort 2.9.1.2/Barnyard2 seems to work okay on the
> same box (but is heavily loaded, lacking the multiple CPU/core support
> of Suricata).
I will give the patch more testing and try to reproduce this behaviour.
I will send you an update ASAP.
BR,
--
Eric
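Added illustration, not part of the original thread or of Suricata or Barnyard2: a small checker that walks a unified2 spool file and tallies the link type recorded on every packet record, so you can tell from the file itself whether it contains DLT_RAW packet records of the kind discussed above (reassembled data with no link-layer header) next to ordinary Ethernet captures. The record layouts are those of the unified2 format (record header of type and length, then the seven 32-bit packet header fields followed by the packet bytes); the DLT numbers are libpcap's, with DLT_RAW assumed to be 12 (the usual value; OpenBSD uses 14). The sample records at the bottom are constructed inline so the script runs offline; pass a real unified2 file as the first argument to scan it instead.

```python
"""Tally the link types of the packet records in a unified2 file."""
import struct
import sys
from collections import Counter

# unified2 record types (Snort / Suricata spool format).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# libpcap link-layer types. Assumption: DLT_RAW is 12 (OpenBSD uses 14).
DLT_EN10MB = 1
DLT_RAW = 12

RECORD_HDR = struct.Struct("!II")       # record type, record length
PACKET_HDR = struct.Struct("!IIIIIII")  # sensor_id, event_id, event_second,
                                        # packet_second, packet_microsecond,
                                        # linktype, packet_length


def iter_records(data):
    """Yield (type, body) for every record; raise ValueError on truncation."""
    off = 0
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):
            raise ValueError("truncated record body at offset %d" % off)
        yield rtype, data[off:off + rlen]
        off += rlen


def packet_linktypes(data):
    """Counter mapping linktype -> number of UNIFIED2_PACKET records using it."""
    counts = Counter()
    for rtype, body in iter_records(data):
        if rtype != UNIFIED2_PACKET:
            continue                      # events and extra-data records are skipped
        if len(body) < PACKET_HDR.size:
            raise ValueError("packet record shorter than its fixed header")
        fields = PACKET_HDR.unpack_from(body, 0)
        linktype, plen = fields[5], fields[6]
        if len(body) != PACKET_HDR.size + plen:
            raise ValueError("packet_length %d does not match record body" % plen)
        counts[linktype] += 1
    return counts


def raw_packet_count(data):
    """Packet records carrying DLT_RAW, i.e. written without a link-layer header."""
    return packet_linktypes(data)[DLT_RAW]


def is_well_formed(data):
    """True if every record parses with consistent lengths."""
    try:
        packet_linktypes(data)
        return True
    except ValueError:
        return False


# --- constructed sample records (made up here for the demonstration) ---

def build_packet_record(linktype, payload, sensor_id=1, event_id=1, secs=1322138305):
    body = PACKET_HDR.pack(sensor_id, event_id, secs, secs, 0, linktype, len(payload)) + payload
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


def build_sample():
    # Minimal IPv4/TCP header, 10.0.0.1 -> 10.0.0.2, checksum left zero.
    ipv4 = bytes([0x45, 0, 0, 20, 0, 0, 0x40, 0, 64, 6, 0, 0,
                  10, 0, 0, 1, 10, 0, 0, 2])
    ether = bytes(12) + b"\x08\x00" + ipv4          # Ethernet header then IPv4
    event = RECORD_HDR.pack(UNIFIED2_IDS_EVENT, 52) + bytes(52)  # zero-filled stand-in
    return (event
            + build_packet_record(DLT_EN10MB, ether)  # packet captured from the wire
            + build_packet_record(DLT_RAW, ipv4))     # reassembled data, no link layer


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for linktype, n in sorted(packet_linktypes(data).items()):
        print("linktype %d: %d packet record(s)" % (linktype, n))
    print("DLT_RAW packet records: %d" % raw_packet_count(data))
```

The check stops at the first inconsistent length rather than guessing, because a reader that resynchronises silently is exactly what hides a spool problem like the one in this thread.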