[Oisf-users] Odd Suricata and Barnyard2 problem
Eric Leblond
eric at regit.org
Thu Nov 24 15:40:31 UTC 2011
Hello,
On Thursday 24 November 2011 at 14:19 +0100, Eric Leblond wrote:
> Hi,
>
> On Thursday 24 November 2011 at 13:01 +0000, Peter Bates wrote:
> > Hello all
> >
> > On 23/11/2011 17:03, Eric Leblond wrote:
> > > As found out by Victor Julien (on a discussion channel) this is
> > > linked with a change made in suricata 1.1. It now logs forged
> > > packets constructed from application level data. These packets were
> > > of type RAW, which is confusing barnyard2.
> >
> > Thanks for the patch - which I've applied.
> >
> > It now no longer creates multiple growing tcpdump files, but instead
> > doesn't log at all:
> >
> > # ls -l /var/log/suricata/
> > total 296
> > -rw-r--r--. 1 suricata suricata 0 Nov 24 12:38 drop.log
> > -rw-r--r--. 1 root root 236639 Nov 24 12:48 stats.log
> > -rw-------. 1 root root 0 Nov 24 12:39 tcpdump.log.1322138371
> > -rw-r--r--. 1 suricata suricata 44273 Nov 24 12:48 unified2.alert.1322138305
> >
> > Barnyard2 (with -v) throws no errors - but the unified2 file grows
> > with nothing being logged to syslog, DB or the newly opened tcpdump file.
> >
> > I guess there is something rather broken with my monitoring
> > infrastructure but Snort 2.9.1.2/Barnyard2 seems to work okay on the
> > same box (but is heavily loaded, lacking the multiple CPU/core support
> > of Suricata).
>
> I'll give the patch more testing and try to reproduce this behaviour.
>
> I will send you an update ASAP.
I've been able to reproduce your problem and I've also fixed some other
issues (not related to the one you had, but with the same effect of creating
multiple pcaps).
Can you try the incremental patch that will follow this mail?
BR,
--
Eric
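The symptom discussed in this thread (barnyard2 opening one tcpdump file after another, then logging nothing) comes from unified2 packet records whose link-layer type differs from the Ethernet frames barnyard2 expects. The script below is an added example, not code from Suricata, barnyard2 or any poster in this thread: it walks a unified2 spool file record by record, counts packet records by linktype and flags a file that mixes more than one linktype. The unified2 framing (a big-endian type/length header, packet record type 2 with a 28-byte fixed header ending in linktype and packet_length) is the documented on-disk format; the numeric values DLT_EN10MB = 1 and DLT_RAW = 12 are libpcap's and are an assumption here, since the thread only says "type RAW". The sample blobs are constructed inline, not captured from a sensor.

```python
"""Scan a unified2 spool file and report the linktype of every packet record."""
import struct
from collections import Counter

# Record types from the unified2 on-disk format (big-endian throughout).
UNIFIED2_IDS_EVENT = 7
UNIFIED2_PACKET = 2

# libpcap DLT values. Assumption: the "RAW" type in the thread is libpcap's
# DLT_RAW (12); the thread itself does not give the numeric value.
DLT_EN10MB = 1
DLT_RAW = 12

RECORD_HDR = struct.Struct(">II")   # record type, length of the body
PACKET_HDR = struct.Struct(">7I")   # sensor_id, event_id, event_second,
                                    # packet_second, packet_microsecond,
                                    # linktype, packet_length


def iter_records(data):
    """Yield (type, body) for each record; raise on a truncated file."""
    off = 0
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):
            raise ValueError("truncated record body at offset %d" % off)
        yield rtype, data[off:off + rlen]
        off += rlen


def packet_linktypes(data):
    """Count packet records by linktype: the check a sensor operator would run
    on a spool file before blaming barnyard2 for reopening its pcap output."""
    counts = Counter()
    for rtype, body in iter_records(data):
        if rtype != UNIFIED2_PACKET:
            continue
        if len(body) < PACKET_HDR.size:
            raise ValueError("packet record shorter than its fixed header")
        *_, linktype, plen = PACKET_HDR.unpack_from(body, 0)
        if plen > len(body) - PACKET_HDR.size:
            raise ValueError("packet_length exceeds record body")
        counts[linktype] += 1
    return counts


def has_mixed_linktypes(data):
    """True when packet records carry more than one linktype (Ethernet next
    to RAW, say), which a pcap-style consumer that assumes a single linktype
    per output file cannot represent in one file."""
    return len(packet_linktypes(data)) > 1


# --- constructed sample data (not captured from a real sensor) ---

def packet_record(event_id, linktype, payload, sensor_id=0, ts=1322138305):
    hdr = PACKET_HDR.pack(sensor_id, event_id, ts, ts, 0, linktype, len(payload))
    body = hdr + payload
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


def event_record(event_id):
    # Dummy 52-byte IDS event body; only the record framing matters here.
    body = struct.pack(">II", 0, event_id) + b"\x00" * 44
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


ETH_FRAME = b"\x00" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 19  # Ethernet header + IPv4 stub
RAW_IP = b"\x45" + b"\x00" * 19                                  # IPv4 stub, no link layer

SAMPLE_CLEAN = event_record(1) + packet_record(1, DLT_EN10MB, ETH_FRAME)
SAMPLE_MIXED = (event_record(1) + packet_record(1, DLT_EN10MB, ETH_FRAME)
                + event_record(2) + packet_record(2, DLT_RAW, RAW_IP)
                + event_record(3) + packet_record(3, DLT_EN10MB, ETH_FRAME))

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("mixed", SAMPLE_MIXED)):
        print(name, dict(packet_linktypes(blob)), "mixed:", has_mixed_linktypes(blob))
```

Pointed at a real spool file (`packet_linktypes(open(path, "rb").read())`), a result with more than one key is the condition described in the thread; a result with a single key that is not DLT_EN10MB means the sensor is consistently writing a linktype the consumer may not handle. Records the parser does not understand are skipped by type, so newer event record variants do not break the scan.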