
Author Topic: Snort > Barnyard2 >syslog fatal error


tbaror
Snort > Barnyard2 >syslog fatal error
« on: March 06, 2018, 03:42:21 am »

I have had the Snort package running for a very long time. Since the last package update to ver  I have a fatal error as shown below. I tried to delete/recreate the Snort interface; it works for a few min/sec and then stops.
Any idea what is causing the issue? Please advise.

-----event from log
Mar 6 10:50:05    barnyard2    57137    Barnyard2 exiting
Mar 6 10:50:05    barnyard2    57137    FATAL ERROR: [Syslog_FormatIPHeaderLog()], strlcpy() error , bailing
Mar 6 10:50:05    barnyard2    57137    OpSyslog_Log(): Is currently unable to handle Event Type [72]
Mar 6 10:50:05    barnyard2    57137    Opened spool file '/var/log/snort/snort_igb15944/snort_5944_igb1.u2.1519272335'
Mar 6 10:50:05    barnyard2    57137    Using waldo file '/var/log/snort/snort_igb15944/barnyard2/5944_igb1.waldo': spool directory = /var/log/snort/snort_igb15944 spool filebase = snort_5944_igb1.u2 time_stamp = 1519272335 record_idx = 21

bmeeks
Re: Snort > Barnyard2 >syslog fatal error
« Reply #1 on: March 06, 2018, 07:35:51 pm »
The problem appears to be within Barnyard2.  Notice that is where the error is generated according to the log message.  Barnyard2 on FreeBSD (and thus on pfSense as well) is very old and not well supported.  It will be removed from the Suricata package in the near future, and I'm considering doing the same for Snort because Barnyard2 is so unreliable.

Your particular error message comes from Barnyard2 not being able to adequately handle IPv6 events.  Here is a thread link to an open bug report on GitHub for this issue.  Notice the date is 2015 and still no action, so that's what I mean by Barnyard2 being poorly supported.