Topic: Snort barnyard2 crashes when attempting to enable sending alerts to bro

Offline fearnothing

Hi, I've just started trying to send Snort alerts to a Bro receiver on Security Onion. When I did so, I received this message:

barnyard2[12780]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_60190_em1/barnyard2.conf(39) Unknown output plugin: "alert_bro"

The only result I get searching for this is 3 years old and implies that an update should have fixed it.

Snort and pfSense are on the latest versions.

Also, if you try to enable syslog output to a Security Onion syslog-ng receiver, the parser does not interpret the message correctly. This seems to be because the parser expects data preceding the first ':' char to be the PRI/header values. Snort syslog output from pfSense does not include any PRI/header information - it seems to send only the message. Is there any way of getting it to include a header?
« Last Edit: April 16, 2015, 09:51:52 am by dvserg »
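
A receiver-side check for the missing-header symptom described in the post above, as an added example that is not part of the original thread. It tests a captured datagram for an RFC 3164 `<PRI>` header and, when none is found, shows what a parser that splits on the first ':' would mistake for the header. The function name `inspect` and both sample datagrams are constructed for illustration.

```python
import re

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MESSAGE
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$",
    re.S,
)

# Constructed sample datagrams (not captured from a real sensor).
ALERT = b"[1:1000001:1] Constructed test alert [Priority: 2] {TCP} 192.0.2.10:4444 -> 198.51.100.7:80"
WITH_HEADER = b"<33>Apr 16 09:51:52 pfsense snort[12780]: " + ALERT
BARE = ALERT  # message only, no PRI/timestamp/host, as the post describes


def inspect(datagram: bytes) -> dict:
    """Classify one received syslog datagram and decode its header if present."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = RFC3164.match(text)
    if m:
        pri = int(m["pri"])
        if pri > 191:  # PRI = facility * 8 + severity; facility 0-23, severity 0-7
            return {"status": "bad-pri", "raw": text}
        return {"status": "ok", "facility": pri >> 3, "severity": pri & 7,
                "host": m["host"], "tag": m["tag"], "msg": m["msg"]}
    # No header: report what a split on the first ':' would treat as the header.
    head, sep, _ = text.partition(":")
    return {"status": "no-header", "mistaken_header": head if sep else None,
            "raw": text}


if __name__ == "__main__":
    for sample in (WITH_HEADER, BARE):
        print(inspect(sample))
```

Feeding it the payload of a packet captured on the receiver's syslog port shows whether the header is missing on the wire or is being dropped later in the pipeline.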

Offline bmeeks

I will take a look at this problem.  I did not have a Bro setup to test with when I added that option.

Bill

Offline fearnothing

Don't dig too deep just yet - I made an assumption that since I'd configured SO as a server, Bro would have been set up as a manager - not only was it not set up as such, it didn't seem to be running at all. I'm now scratching my head over how to get it working so I'll get back to you once I have something definitive on this front.

My apologies for having cried wolf :P

Offline bmeeks

OK.  Will hold off until you post back.

Bill

Offline fgro

Re: Snort barnyard2 crashes when attempting to enable sending alerts to bro
« Reply #4 on: November 29, 2017, 07:24:47 am »
Still open ... and keeps crashing.

Either remove bro-ids from the options of barnyard2 or try to fix it. The latter would be the more sufficient way.

Thanks