Hi,

I am trying to use Barnyard2 to insert in a database the information from the unified2 log file but I get the following error:

WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x36996f0], information has not been outputed.
WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x9a58830], information has not been outputed.
WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x36996f0], information has not been outputed.
WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x9a58830], information has not been outputed.

I tried with snort 2.x and it works perfectly. I upgraded the snort version to snort3 and now barnyard does not work.

I think there is an issue with snort++ and how the unified2 log file is written, but I don't know how to get more information to debug my issue.

Moreover, I checked the unified2 output format between snort2 and snort3 and there is a difference:

SNORT 3:
(Event)
Snort ID: 0 Event ID: 536 Seconds: 1501690577.646865 Policy ID: Context: 0 Inspect: 0 Detect: 0
Rule 1:1288:16 Class: 27 Priority: 2 MPLS Label: 0 VLAN ID: 0 IP Version: 0x44 IP Proto: 6
Src IP: 192.168.2.98 Port: 36708 Dst IP: 10.33.128.217 Port: 80 App Name: none Status: allow Action: pass

SNORT 2:
(Event)
sensor id: 0 event id: 424 event second: 1501003311 event microsecond: 982977
sig id: 33 gen id: 119 revision: 1 classification: 2
priority: 3 ip source: 10.33.129.180 ip destination: 10.33.129.197
src port: 38931 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0

As you can see, the (Event) sections are different. Do you think the issue comes from the difference of output? Is there any way to fix that? Has someone already gotten this error?

Thank you
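The poster asks how to get more information about what is in the unified2 file. One way to answer that yourself is to walk the file record by record and compare what is actually written against the record layout Barnyard2 expects. The script below is an added example, not part of the post or of the Snort or Barnyard2 projects. It decodes only the Snort 2 legacy IPv4 event record (unified2 type 7, 52 bytes, the fields shown in the SNORT 2 dump above) and reports every other record by type and length, so a record Barnyard2 cannot map to an event shows up as an unknown type or as a type 7 record of unexpected size. The sample bytes are constructed from the values in the SNORT 2 dump; the record type 9999 is a made-up value used only to show how an unrecognised record is reported.

```python
import socket
import struct

# A unified2 file is a sequence of records, each prefixed by a header of two
# big-endian uint32 values: record type, then length of the payload that follows.
U2_HEADER = struct.Struct(">II")

# Record type codes defined by Snort 2's unified2 format.
U2_TYPES = {
    2: "PACKET",
    7: "IDS_EVENT",             # legacy IPv4 event, 52-byte payload
    72: "IDS_EVENT_IPV6",
    104: "IDS_EVENT_VLAN",      # IPv4 event with MPLS label and VLAN id
    105: "IDS_EVENT_IPV6_VLAN",
    110: "EXTRA_DATA",
}

# Layout of the legacy IPv4 event (type 7): eleven uint32, two uint16, four uint8.
IDS_EVENT = struct.Struct(">11IHH4B")


def ip_to_int(ip):
    return struct.unpack(">I", socket.inet_aton(ip))[0]


def int_to_ip(n):
    return socket.inet_ntoa(struct.pack(">I", n))


def parse_ids_event(payload):
    """Decode a 52-byte legacy IPv4 event into the field names Barnyard2 reports."""
    fields = IDS_EVENT.unpack(payload)
    names = ("sensor_id", "event_id", "event_second", "event_microsecond",
             "sig_id", "gen_id", "revision", "classification", "priority",
             "ip_source", "ip_destination", "src_port", "dest_port",
             "protocol", "impact_flag", "impact", "blocked")
    event = dict(zip(names, fields))
    event["ip_source"] = int_to_ip(event["ip_source"])
    event["ip_destination"] = int_to_ip(event["ip_destination"])
    return event


def walk_unified2(data):
    """Return one dict per record: offset, type, name, length and decoded event (or None)."""
    records = []
    off = 0
    while off + U2_HEADER.size <= len(data):
        rtype, rlen = U2_HEADER.unpack_from(data, off)
        start = off + U2_HEADER.size
        payload = data[start:start + rlen]
        if len(payload) < rlen:
            # Header promises more bytes than the file holds: a cut-off record.
            records.append({"offset": off, "type": rtype, "name": "TRUNCATED",
                            "length": rlen, "event": None})
            break
        name = U2_TYPES.get(rtype, "UNKNOWN")
        event = None
        if rtype == 7:
            if rlen == IDS_EVENT.size:
                event = parse_ids_event(payload)
            else:
                # Same type code but not the legacy layout; this is the thing
                # to look at when a consumer expecting Snort 2 records fails.
                name = "IDS_EVENT(unexpected length %d)" % rlen
        records.append({"offset": off, "type": rtype, "name": name,
                        "length": rlen, "event": event})
        off = start + rlen
    return records


def build_sample():
    """Constructed sample file: one legacy event (values from the SNORT 2 dump),
    one packet record, and one record of a made-up type 9999."""
    ev = IDS_EVENT.pack(0, 424, 1501003311, 982977, 33, 119, 1, 2, 3,
                        ip_to_int("10.33.129.180"), ip_to_int("10.33.129.197"),
                        38931, 80, 6, 0, 0, 0)
    pkt_data = b"\x00" * 14  # constructed placeholder packet bytes
    pkt = struct.pack(">7I", 0, 424, 1501003311, 1501003311, 982977, 1,
                      len(pkt_data)) + pkt_data
    odd = b"\xaa" * 16
    return (U2_HEADER.pack(7, len(ev)) + ev
            + U2_HEADER.pack(2, len(pkt)) + pkt
            + U2_HEADER.pack(9999, len(odd)) + odd)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for rec in walk_unified2(data):
        print("offset %6d  type %5d  %-32s len %d" % (
            rec["offset"], rec["type"], rec["name"], rec["length"]))
        if rec["event"]:
            print("   ", rec["event"])
```

Run it against a real file with `python3 u2walk.py /path/to/snort.u2.NNN` (the file name is a placeholder); with no argument it walks the constructed sample. Records reported as UNKNOWN, TRUNCATED, or a type 7 of unexpected length are the ones to compare against the Snort 3 dump above.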