firnsy / barnyard2

Barnyard2 is a dedicated spooler for Snort's unified2 binary output format.
GNU General Public License v2.0

WARNING database [Database()]: #192

Open maniac0s opened 8 years ago

maniac0s commented 8 years ago

Hello. When I am running snort and barnyard to log alerts from pcap files that I pour into snort with tcpreplay into a dummy interface, I get a huge lot of these "WARNING database [Database()]:" among normal alerts, like a flood of thousands.

There are some issues found about this via google but no solution so far for this. At one place it was suggested to configure `output: alert` in barnyard2.conf instead of `output: log`, but this didn't change the outcome at all either. What is the problem here, what is not outputted and why, and how do I make sure barnyard2 doesn't miss alerts generated by snort?

Snort sends the alerts via unified2 filename in config:

```
output unified2: filename snort.u2
```

Barnyard2 conf without comments:

```
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
config event_cache_size: 524288000
config logdir: /var/log/barnyard2/
config hostname: sensor
config interface: dummy0
config alert_with_interface_name
config dump_payload_verbose
config umask: 066
input unified2
output alert_fast: stdout
output database: alert, mysql, user=* password=* dbname=snorby host=dbhost
```

```
root@snort:~# /usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log/snort/dummy0 -f snort.u2 -l /var/log/barnyard2 -w /var/log/barnyard2/barnyard2-dummy0.waldo --create-pidfile --pid-path=/var/run/barnyard2
```

barnyard2 output:

```
...
WARNING database [Database()]: Called with Event[0x0] Event Type 0acket [0xc7631b8], information has not been outputed.
WARNING database [Database()]: Called with Event[0x0] Event Type 0acket [0xc7631b8], information has not been outputed.
WARNING database [Database()]: Called with Event[0x0] Event Type 0acket [0xc7631b8], information has not been outputed.
WARNING database [Database()]: Called with Event[0x0] Event Type 0acket [0xc7631b8], information has not been outputed.
...repeating over and over again
```
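A way to check whether the spool itself holds packet records that arrive without a matching event record, which is one reading of the `Event[0x0]` in the warning (an interpretation, not something the project confirms): an added Python example, not barnyard2's own code. Record layouts follow the unified2 spec; the sample stream is constructed inline rather than read from the reporter's `snort.u2`.

```python
import struct
from collections import namedtuple

# unified2 record type ids from the Snort unified2 spec
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
EVENT_TYPES = {7, 72, 104, 105}  # IDS event variants (IPv4/IPv6, v1/v2)

Record = namedtuple("Record", "rtype body")

def iter_records(data):
    """Yield each unified2 record; the header is two big-endian u32 (type, length)."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from(">II", data, off)
        body = data[off + 8: off + 8 + length]
        if len(body) < length:
            break  # truncated spool tail: stop instead of emitting a partial record
        yield Record(rtype, body)
        off += 8 + length

def event_key(body):
    """(sensor_id, event_id, event_second): the first three u32 fields of both
    event and packet records, which is how a packet is tied to its event."""
    return struct.unpack_from(">III", body, 0)

def orphan_packets(data):
    """Return keys of packet records not preceded by an event with the same key."""
    seen, orphans = set(), []
    for rec in iter_records(data):
        if rec.rtype in EVENT_TYPES:
            seen.add(event_key(rec.body))
        elif rec.rtype == UNIFIED2_PACKET:
            key = event_key(rec.body)
            if key not in seen:
                orphans.append(key)
    return orphans

# --- constructed sample stream: one event with its packet, then an orphan packet ---
def _rec(rtype, body):
    return struct.pack(">II", rtype, len(body)) + body

def _event(sensor, eid, sec):
    # IDS_EVENT (type 7) fixed 52-byte layout; only the identifying fields matter here
    return _rec(UNIFIED2_IDS_EVENT, struct.pack(">IIIIIIIIIIIHHBBBB",
                sensor, eid, sec, 0, 1000001, 1, 1, 1, 1, 0, 0, 0, 0, 6, 0, 0, 0))

def _packet(sensor, eid, sec, payload=b"\x00" * 14):
    # Unified2Packet: sensor_id, event_id, event_second, packet_second, packet_usec, linktype, packet_length
    return _rec(UNIFIED2_PACKET, struct.pack(">IIIIIII", sensor, eid, sec, sec, 0, 1, len(payload)) + payload)

SAMPLE = _event(1, 10, 1500000000) + _packet(1, 10, 1500000000) + _packet(1, 11, 1500000001)
```

Run `orphan_packets(open("snort.u2.<timestamp>", "rb").read())` against a real spool file to see whether the warnings line up with unpaired packet records.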