firnsy / barnyard2

Barnyard2 is a dedicated spooler for Snort's unified2 binary output format.
GNU General Public License v2.0

Error: There's no second layer header available for this datalink. #249

Open 9thplayer opened 4 years ago

9thplayer commented 4 years ago

Hey Guys,

I am using barnyard2 on Suricata over a pfSense firewall. I have enabled barnyard2 to send logs to syslog, which is my ELK. Everything works fine, but barnyard2 stops after some time, and when I open the log file it shows the error below:

```
Aug 9 05:28:34 barnyard2 31524 --== Initialization Complete ==--
Aug 9 05:28:34 barnyard2 31524 Barnyard2 initialization completed successfully (pid=31524)
Aug 9 05:28:34 barnyard2 31524 Using waldo file '/var/log/suricata/suricata_bge140240/barnyard2/40240_bge1.waldo': spool directory = /var/log/suricata/suricata_bge140240 spool filebase = unified2.alert time_stamp = 1565240661 record_idx = 52633
Aug 9 05:28:34 barnyard2 31524 Opened spool file '/var/log/suricata/suricata_bge140240/unified2.alert.1565307024'
Aug 9 05:28:34 barnyard2 31524 There's no second layer header available for this datalink
Aug 9 05:28:34 barnyard2 31524 Closing spool file '/var/log/suricata/suricata_bge140240/unified2.alert.1565307024'. Read 1406 records
```

So the workaround is that I delete the file below every time and restart Suricata, and barnyard2 starts fine: /var/log/suricata/suricata_bge140240/unified2.alert.1565307024. And that's frustrating. I am not a developer, but I tried to find my own way as I was not getting anything on the internet, so I pulled the source code and looked through it all the way to this:

```c
case 228: /* Defined in some bpf implementation as DLT_IPV4: */
case 229: /* Defined in some bpf implementation as DLT_IPV6 */

    if (BcOutputDataLink())
    {
        LogMessage("There's no second layer header available for "
             "this datalink\n");

        barnyard2_conf->output_flags &= ~OUTPUT_FLAG__SHOW_DATA_LINK;
    }
    DecodeRawPkt(p, pkthdr, pkt);
    break;

    /*
     * you need the I4L modified version of libpcap to get this stuff
     * working
     */
```

Do I need a new libpcap version or something, or can I simply disable something in Suricata or barnyard2 to get this working properly?

Please help me guys.
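A small spool-file check, added here as an example (not barnyard2's or Suricata's own code), that walks unified2 records and reports which packet records carry a raw-IP linktype (228/229, the cases in the switch quoted above) and so have no layer-2 header for barnyard2 to show. Record layouts follow Snort's unified2 format (8-byte type/length record header, 28-byte packet header, all in network byte order); the spool bytes are constructed, and `make_packet_record` and `raw_ip_summary` are helper names chosen here.

```python
import struct

UNIFIED2_PACKET = 2  # unified2 record type that carries a raw packet
RAW_IP_LINKTYPES = {228: "DLT_IPV4", 229: "DLT_IPV6"}  # no layer-2 header (see switch above)
REC_HDR = struct.Struct("!II")       # record header: type, length (network byte order)
PKT_HDR = struct.Struct("!IIIIIII")  # sensor_id, event_id, event_sec, pkt_sec, pkt_usec, linktype, pkt_len


def scan_unified2(data):
    """Walk a unified2 spool image and return (offset, linktype) for every packet
    record; other record types (events, extra data) are skipped. A truncated
    record raises ValueError, which is what a half-written spool file looks like."""
    found, off = [], 0
    while off < len(data):
        if off + REC_HDR.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = REC_HDR.unpack_from(data, off)
        body = data[off + REC_HDR.size:off + REC_HDR.size + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record body at offset %d" % off)
        if rtype == UNIFIED2_PACKET:
            if len(body) < PKT_HDR.size:
                raise ValueError("short packet record at offset %d" % off)
            found.append((off, PKT_HDR.unpack_from(body)[5]))
        off += REC_HDR.size + rlen
    return found


def raw_ip_summary(records):
    """Count packet records whose linktype has no link-layer header, i.e. the ones
    that trigger the message quoted in the issue. Returns {linktype name: count}."""
    counts = {}
    for _, linktype in records:
        if linktype in RAW_IP_LINKTYPES:
            name = RAW_IP_LINKTYPES[linktype]
            counts[name] = counts.get(name, 0) + 1
    return counts


def make_packet_record(linktype, payload):
    """Constructed sample input only: one packet record with the given linktype."""
    body = PKT_HDR.pack(1, 1, 0, 0, 0, linktype, len(payload)) + payload
    return REC_HDR.pack(UNIFIED2_PACKET, len(body)) + body


# Constructed spool image: a non-packet record (type 7, body not interpreted here),
# an Ethernet-framed packet (linktype 1) and a raw IPv4 packet (linktype 228).
SAMPLE_SPOOL = (REC_HDR.pack(7, 4) + b"\x00" * 4
                + make_packet_record(1, b"\x00" * 14 + b"\x45" + b"\x00" * 19)
                + make_packet_record(228, b"\x45" + b"\x00" * 19))
```

To check a real spool file, pass the file's bytes to `scan_unified2` and feed the result to `raw_ip_summary`; a non-empty summary confirms the sensor is writing raw-IP packet records.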

kraigu commented 4 years ago

Much as I hate to send people elsewhere, this project has been pretty quiet for quite a while now. Since you're doing Suricata -> ELK, you might consider filebeat instead, the non-free-licensed version has a Suricata module.