firnsy / barnyard2

Barnyard2 is a dedicated spooler for Snort's unified2 binary output format.
GNU General Public License v2.0

Barnyard2 with output fwsam segfaults #185

Open malcolmbellza opened 8 years ago

malcolmbellza commented 8 years ago

    # barnyard2.conf: auto-generated by NSMnow Administration on Thu Apr 7 12:20:48 UTC 2016

    config logdir: /nsm/sensor_data/snortidssen-eth1
    config classification_file: /etc/nsm/snortidssen-eth1/classification.config
    config reference_file: /etc/nsm/snortidssen-eth1/reference.config
    config sid_file: /etc/nsm/snortidssen-eth1/sid-msg.map
    config gen_file: /etc/nsm/snortidssen-eth1/gen-msg.map
    config hostname: snortidssen-eth1
    config interface: eth1
    config process_new_records_only

    input unified2

    output sguil: sensor_name=snortidssen-eth1-8 agent_port=8108
    output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 disable_signature_reference_table
    output alert_syslog: LOG_LOCAL6 LOG_ALERT
    output alert_fwsam: 127.0.0.1:8982/xxxxx 127.0.0.1:8983/xxxxx

    read(5, "\0\0\0\0\0\0\0\271W\t\202-\0\rd{\0&%\300\0\0\0\1\0\0\17\0\0\0\17"..., 52) = 52
    read(5, "\0\0\0\2\0\0\0j", 8) = 8
    read(5, "\0\0\0\0\0\0\0\271W\t\202-W\t\202-\0\rd{\0\0\0\1\0\0\0NTu\320\275"..., 106) = 106
    open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 6
    fstat(6, {st_mode=S_IFREG|0644, st_size=245, ...}) = 0
    fstat(6, {st_mode=S_IFREG|0644, st_size=245, ...}) = 0
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdb16739000
    read(6, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\3\0\0\0\0"..., 4096) = 245
    lseek(6, -147, SEEK_CUR) = 98
    read(6, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 147
    close(6) = 0
    munmap(0x7fdb16739000, 4096) = 0
    socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 6
    connect(6, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
    sendto(6, "<177>Apr 10 13:14:08 snort: ET C"..., 97, MSG_NOSIGNAL, NULL, 0) = 97
    brk(0x22f6000) = 0x22f6000
    sendto(3, "RTEVENT 0 10 7271 snortidssen-et"..., 286, 0, NULL, 0) = 286
    select(4, [3], NULL, NULL, {15, 0}) = 1 (in [3], left {14, 998731})
    recvfrom(3, "Confirm 7271\n", 2048, 0, NULL, NULL) = 13
    --- SIGSEGV (Segmentation fault) @ 0 (0) ---
    +++ killed by SIGSEGV (core dumped) +++
    Segmentation fault (core dumped)

Log file:

    Barnyard2 spooler: Event cache size set to [2048]
    Log directory = /nsm/sensor_data/snortidssen-eth1
    INFO => Alert_FWsam Using sid-map file: /etc/nsm/snortidssen-eth1/sid-block.map
    INFO => Alert_FWsam Connected to host .
    INFO => Alert_FWsam Connected to host .
    sguil: sensor name = snortidssen-eth1-8
    sguil: agent port = 8108
    sguil: Connected to localhost on 8108.

            --== Initialization Complete ==--

               ___    -*> Barnyard2 <*-
              / ,,_  \   Version 2.1.14 (Build 336) TCL
              |o"  )~|   By Ian Firns (SecurixLive): http://www.securixlive.com/

    Using waldo file '/etc/nsm/snortidssen-eth1/barnyard2.waldo-8':
        spool directory = /nsm/sensor_data/snortidssen-eth1/snort-8
        spool filebase  = snort.unified2
        time_stamp      = 1460235701
        record_idx      = 369
    Opened spool file '/nsm/sensor_data/snortidssen-eth1/snort-8/snort.unified2.1460235701'
    Segmentation fault (core dumped)

Snort: Version 2.9.7.5 GRE (Build 262)

    output unified2: filename snort.unified2, limit 128

If I delete /nsm/sensor_data/snortidssen-eth1/snort-8/snort.unified2.1460235701, Barnyard2 will run for a while and then segfault after one or a few fwsam alerts.

Thanks,
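The strace in the report shows how barnyard2 walks the unified2 spool: an 8-byte record header (uint32 type, uint32 length, network byte order), then a body of exactly that length. The 52-byte read is the body of a type 7 legacy IDS event, the next 8-byte read is the header `"\0\0\0\2\0\0\0j"` (type 2 packet, length 0x6a = 106), and the 106-byte read is that packet record. The reader below is an added example, not barnyard2's own code, that decodes the same two record types and stops cleanly when the spool ends in the middle of a record instead of treating a short read as a complete record. Field layouts follow the Unified2IDSEvent_legacy and Serial_Unified2Packet structures from Snort's Unified2_common.h; the sample spool, its addresses, sid and frame bytes are constructed for the example, not data taken from the report.

```python
"""Minimal unified2 spool reader: record header, IDS event (type 7) and packet (type 2)."""
import socket
import struct
from typing import Iterator, List, Optional, Tuple

# Record types as defined in Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Serial_Unified2_Header: uint32 type, uint32 length, network byte order
RECORD_HEADER = struct.Struct("!II")
# Unified2IDSEvent_legacy: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
IDS_EVENT = struct.Struct("!11I2H4B")
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)
# Serial_Unified2Packet fixed part: 7 x uint32 = 28 bytes, then packet_length bytes of frame
PACKET_HEADER = struct.Struct("!7I")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


class TruncatedRecord(Exception):
    """The spool ends inside a record: expected while Snort is still writing to it,
    but a file that stays like this after Snort has rolled over is damaged."""


def _ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def decode_record(rtype: int, body: bytes) -> dict:
    """Decode one record body; unknown types are returned raw rather than rejected."""
    if rtype == UNIFIED2_IDS_EVENT:
        if len(body) != IDS_EVENT.size:
            raise ValueError(f"type 7 record is {len(body)} bytes, expected {IDS_EVENT.size}")
        rec = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack(body)))
        rec["src"] = _ip(rec["ip_source"])
        rec["dst"] = _ip(rec["ip_destination"])
    elif rtype == UNIFIED2_PACKET:
        if len(body) < PACKET_HEADER.size:
            raise ValueError("type 2 record shorter than its fixed header")
        rec = dict(zip(PACKET_FIELDS, PACKET_HEADER.unpack_from(body)))
        frame = body[PACKET_HEADER.size:]
        # packet_length must fit inside the record length; a mismatch is corruption, not truncation
        if rec["packet_length"] > len(frame):
            raise ValueError("packet_length exceeds record body")
        rec["frame"] = frame[:rec["packet_length"]]
    else:
        rec = {"raw": body}
    rec["type"] = rtype
    return rec


def iter_records(buf: bytes) -> Iterator[dict]:
    """Walk header/body pairs; raise TruncatedRecord instead of yielding a short record."""
    off = 0
    while off < len(buf):
        if len(buf) - off < RECORD_HEADER.size:
            raise TruncatedRecord(f"partial record header at offset {off}")
        rtype, rlen = RECORD_HEADER.unpack_from(buf, off)
        off += RECORD_HEADER.size
        if len(buf) - off < rlen:
            raise TruncatedRecord(
                f"record type {rtype} at offset {off - RECORD_HEADER.size} "
                f"needs {rlen} bytes, {len(buf) - off} left")
        yield decode_record(rtype, buf[off:off + rlen])
        off += rlen


def read_spool(buf: bytes) -> Tuple[List[dict], Optional[str]]:
    """Return every complete record plus a message if the tail was truncated."""
    records: List[dict] = []
    try:
        for rec in iter_records(buf):
            records.append(rec)
    except TruncatedRecord as exc:
        return records, str(exc)
    return records, None


def build_sample_spool() -> bytes:
    """Constructed sample (not captured data): one IDS event followed by its packet."""
    event = IDS_EVENT.pack(
        0, 185, 1460241965, 877691,     # sensor_id, event_id, event_second, event_microsecond
        2500032, 1, 15, 15, 2,          # sid, gid, rev, classification, priority
        struct.unpack("!I", socket.inet_aton("10.0.0.5"))[0],
        struct.unpack("!I", socket.inet_aton("192.0.2.10"))[0],
        51234, 80, 6, 0, 0, 0,          # sport, dport, TCP, impact_flag, impact, blocked
    )
    frame = bytes.fromhex("ffffffffffff 001122334455 0800") + bytes(64)  # 78-byte dummy frame
    packet = PACKET_HEADER.pack(0, 185, 1460241965, 1460241965, 877691, 1, len(frame)) + frame
    return (RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + RECORD_HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet)


if __name__ == "__main__":
    spool = build_sample_spool()
    for rec in read_spool(spool)[0]:
        print(rec["type"], {k: v for k, v in rec.items() if k != "frame"})
    print(read_spool(spool[:-10]))  # packet record cut short: one record plus a truncation message
```

`read_spool` separates the two failure modes a spool reader meets: a truncated tail (the writer has not finished the record yet, so stop and retry later, which is what a waldo-style record index is for) and an internally inconsistent record such as a `packet_length` larger than the record itself, which is raised as `ValueError` because no amount of waiting will fix it.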