barnyard2 on solaris ?


Luis

Feb 2, 2012, 12:47:42 PM2/2/12
to barnyard2-devel
hello:

trying to compile barnyard2 in solaris ... again... :)

was able to do it after making the following mod to plugbase.h..
(added a net/if.h before net/route.h)


# /usr/local/bin/diff -rupN plugbase.h plugbase.h.orig
--- plugbase.h 2012-01-26 16:05:45.000000000 -0500
+++ plugbase.h.orig 2011-12-07 14:02:30.000000000 -0500
@@ -47,7 +47,6 @@

#if !defined(__SOLARIS__) && !defined(__CYGWIN32__) && !
defined(__CYGWIN__) && \
!defined( __CYGWIN64__)
-#include <net/if.h>
#include <net/route.h>
#endif
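Review bot: the diff direction is reversed (`diff -rupN plugbase.h plugbase.h.orig` lists the modified file first), so the `-#include <net/if.h>` line is actually the addition and `patch` applied forward would remove it; swap the arguments or apply with `patch -R`. The `!` and `defined(__CYGWIN__)` of the guard have also been split by mail line-wrapping, so the hunk will not apply as pasted. Note too that the new include sits inside a block guarded by `!defined(__SOLARIS__)`: if `__SOLARIS__` were defined, the whole block would be skipped on Solaris and the change could not help, so the fact that it does help suggests the build is not defining `__SOLARIS__`, which is worth checking rather than relying on this path.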



but now I'm getting core dumps when I run it with a unified2 input
file..

turning the debugging on (and compiling with -debug), here's a run
with the output msql enabled...




--== Initialization Complete ==--

______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.10-beta2 (Build 266) DEBUG
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2011 Ian Firns <fir...@securixlive.com>

Processing 1 files...
Opened spool file '/var/log/snort/merged.log'
spi_unified2.c:133: Header: Reading at byte position 0
spi_unified2.c:157: Header: Type=104 (60 bytes)
spi_unified2.c:175: Reading record type=104 (60 bytes)
spi_unified2.c:187: Record: Reading at byte position 8
spi_unified2.c:223: No debug available for record type: 104
spooler.c:789: Caching event...
spooler.c:805: Cached event: 1
spi_unified2.c:133: Header: Reading at byte position 68
spi_unified2.c:157: Header: Type=2 (178 bytes)
spi_unified2.c:175: Reading record type=2 (178 bytes)
spi_unified2.c:187: Record: Reading at byte position 76
spi_unified2.c:336: Type: Packet
------------------------------------------
spi_unified2.c:338: sensor_id = 0
spi_unified2.c:340: event_id = 1
spi_unified2.c:342: event_second = 1328041711
spi_unified2.c:344: linktype = 1
spi_unified2.c:346: packet_second = 1328041711
spi_unified2.c:348: packet_microsecond = 435772
spi_unified2.c:350: packet_length = 150
spi_unified2.c:355: packet = 03 ba 0e 7a
decode.c:113: Decoding linktype 1
decode.c:318: Packet!
decode.c:318: caplen: 150 pktlen: 150
decode.c:345: 0:D0:5:96:43:FC -> 0:3:BA:E:7A:94
decode.c:349: type:0x800 len:0x96
decode.c:359: IP datagram size calculated to be 136 bytes
decode.c:2661: Packet!
decode.c:2835: IP Checksum: OK
decode.c:2912: IP header length: 20
decode.c:3036: TCP th_off is 5, passed len is 116
Bus Error(coredump)




any pointers?


If I set the output to tcpdump, it processes the file... (it gives
some warnings about size mismatch though)


Is there a way I can verify that the unified2 file is 'correct'? I
did get some warnings like this:

(snort_decoder) WARNING: IP dgm len > captured len

when I created the unified2 file in snort..




Thanks,


Luis

beenph

Feb 2, 2012, 1:04:39 PM2/2/12
to barnyar...@googlegroups.com

What does u2spewfoo say when reading your file? It comes with snort
in /tools/u2spewfoo

-elz

>
>
> Thanks,
>
>
> Luis

Luis

Feb 2, 2012, 1:18:10 PM2/2/12
to barnyard2-devel
I get a bunch of output... (partial output pasted and sanitized below
- ips to 1.1.1.1)


# ./u2spewfoo /var/log/snort/merged.log.1327628483

(Event)
sensor id: 0 event id: 1 event second: 1327628483 event microsecond: 113303
sig id: 385 gen id: 1 revision: 4 classification: 4
priority: 2 ip source: 1.1.1.1 ip destination: 1.1.1.1
src port: 8 dest port: 0 protocol: 1 impact_flag: 0 blocked: 0

Packet
sensor id: 0 event id: 1 event second: 1327628483
packet second: 1327628483 packet microsecond: 113303
linktype: 1 packet_length: 60
[ 0] 00 00 0C 07 AC 01 00 03 BA 0E 7A 94 08 00 45 00 ..........z...E.
[ 16] 00 24 F7 46 00 00 01 01 99 B8 A6 60 EE 0E A6 60 .$.F.......`...`
[ 32] EE 0A 08 00 EF D9 A2 03 C1 08 1A 87 78 5E 00 00 ............x^..
[ 48] 12 34 00 00 00 00 00 00 00 00 00 00 .4..........

(Event)
sensor id: 0 event id: 2 event second: 1327628483 event microsecond: 113303
sig id: 384 gen id: 1 revision: 5 classification: 29
priority: 3 ip source: 1.1.1.1 ip destination: 1.1.1.1
src port: 8 dest port: 0 protocol: 1 impact_flag: 0 blocked: 0

Packet
sensor id: 0 event id: 2 event second: 1327628483
packet second: 1327628483 packet microsecond: 113303
linktype: 1 packet_length: 60
[ 0] 00 00 0C 07 AC 01 00 03 BA 0E 7A 94 08 00 45 00 ..........z...E.
[ 16] 00 24 F7 46 00 00 01 01 99 B8 A6 60 EE 0E A6 60 .$.F.......`...`
[ 32] EE 0A 08 00 EF D9 A2 03 C1 08 1A 87 78 5E 00 00 ............x^..
[ 48] 12 34 00 00 00 00 00 00 00 00 00 00 .4..........

(Event)

...


Luis

beenph

Feb 2, 2012, 1:25:09 PM2/2/12
to barnyar...@googlegroups.com
On Thu, Feb 2, 2012 at 1:18 PM, Luis <luis....@gmail.com> wrote:
> I get a bunch of output... (partial output pasted and sanitized below
> - ips to 1.1.1.1)
>
>
> # ./u2spewfoo /var/log/snort/merged.log.1327628483
>

Then your unified2 file seems fine.

You mentioned that when you set the output to tcpdump it works fine;
do you mean the barnyard2 output plugin?

And under which plugin did you get the bus error?

What version of solaris do you use? (x86 or Sparc)?

-elz

Luis

Feb 2, 2012, 1:51:39 PM2/2/12
to barnyard2-devel



> you mentionned that when you set the output to tcpdump it work fine,
> do you mean barnyard2 output plugin?

barnyard2 output plugin, yes..
(output log_tcpdump: <file>)

I do get the following 'warnings' but it completes

IP Len field is 10 bytes smaller than captured length.
(ip.len: 36, cap.len: 46)
IP Len field is 10 bytes smaller than captured length.
(ip.len: 36, cap.len: 46)

it also works under
output log_ascii

> And under which plugin did you get the bus error?

I seem to get it under the following

output_database
output alert_syslog
output alert_fast: stdout


> What version of solaris do you use? (x86 or Sparc)?

Sol 10 Sparc


Luis

beenph

Feb 2, 2012, 1:56:30 PM2/2/12
to barnyar...@googlegroups.com
On Thu, Feb 2, 2012 at 1:51 PM, Luis <luis....@gmail.com> wrote:
>
>
>
>> you mentionned that when you set the output to tcpdump it work fine,
>> do you mean barnyard2 output plugin?
>
> barnyard2 output plugin, yes..
> (output log_tcpdump: <file>)
>
> I do get the following 'warnings' but it completes
>
> IP Len field is 10 bytes smaller than captured length.
>    (ip.len: 36, cap.len: 46)
> IP Len field is 10 bytes smaller than captured length.
>    (ip.len: 36, cap.len: 46)
>
> it also works under
> output log_ascii
>
>> And under which plugin did you get the bus error?
>
> I seem to get it under the following
>
> output_database
> output alert_syslog
> output alert_fast: stdout
>
>
Do you have gdb on your system?

If you find the core file can you do

gdb -c (path to core file) (path to barnyard2 binary)

then type bt and send me the output?

>> What version of solaris do you use? (x86 or Sparc)?
>
> Sol 10 Sparc
>

Ok ... got no sparc box to test it on, so maybe we will need your help to
get it to actually work.

-elz

Luis

Feb 2, 2012, 2:43:42 PM2/2/12
to barnyard2-devel
here's the bt for the database output...



#0 0x00058acc in Database ()
(gdb) bt
#0 0x00058acc in Database ()
#1 0x00038fcc in CallOutputPlugins ()
#2 0x0003a7e8 in spoolerProcessRecord ()
#3 0x00039c0c in ProcessBatch ()
#4 0x000175b8 in Barnyard2Main ()
#5 0x000172f8 in main ()
(gdb)



also, similarly for the alert_syslog plugin


#0 0x0004daec in AlertSyslog ()
(gdb) bt
#0 0x0004daec in AlertSyslog ()
#1 0x00038f74 in CallOutputPlugins ()
#2 0x0003a7e8 in spoolerProcessRecord ()
#3 0x00039c0c in ProcessBatch ()
#4 0x000175b8 in Barnyard2Main ()
#5 0x000172f8 in main ()
(gdb)





sure thing, just let me know what to do. :-)

Luis

Feb 6, 2012, 12:54:18 PM2/6/12
to barnyard2-devel
just to 'close the loop' on this, managed to get barnyard2 to compile
and run on Solaris 10 (Sparc) thanks to beenph.

here are the diffs for the two files that were modified.. (plugbase.h
and barnyard2.c)



$ /usr/local/bin/diff -rupN plugbase.h plugbase.h.orig
--- plugbase.h 2012-01-26 16:05:45.000000000 -0500
+++ plugbase.h.orig 2011-12-07 14:02:30.000000000 -0500
@@ -47,7 +47,6 @@

#if !defined(__SOLARIS__) && !defined(__CYGWIN32__) && !
defined(__CYGWIN__) && \
!defined( __CYGWIN64__)
-#include <net/if.h>
#include <net/route.h>
#endif
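Review bot: this is the same plugbase.h hunk as in the first message, with the same reversed diff direction (modified file listed first), so the `-#include <net/if.h>` line is the addition; anyone applying it needs swapped arguments or `patch -R`, and the mail-wrapped `!` / `defined(__CYGWIN__)` guard line has to be rejoined first.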

$ /usr/local/bin/diff -rupN barnyard2.c barnyard2.c.orig
--- barnyard2.c 2012-02-02 21:16:45.000000000 -0500
+++ barnyard2.c.orig 2011-12-07 14:02:30.000000000 -0500
@@ -257,10 +257,6 @@ static void SigHupHandler(int);
*/
int main(int argc, char *argv[])
{
-/* suggestion for "relief" to get this to work
-*/
-asm("ta\t6");
-
#if defined(WIN32) && defined(ENABLE_WIN32_SERVICE)
/* Do some sanity checking, because some people seem to forget to
* put spaces between their parameters
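Review bot: `asm("ta\t6");` is SPARC-only and is inserted unconditionally at the top of main(), so with this change the file no longer builds on x86 or any other target; wrap it in `#if defined(__sparc)` (and, as with the other hunk, the diff direction is reversed, so the `-` lines are the addition). The two-line comment should also say what the trap does: trap 6 puts the process into the kernel's fix-alignment mode, so misaligned loads are emulated instead of raising SIGBUS. That costs a trap on every misaligned access and hides, rather than fixes, the unaligned reads the backtraces place in Database() and AlertSyslog(); the durable fix is to copy multi-byte fields out with memcpy (or ntohl on an aligned copy) in those plugins.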




Hope it helps other folks that might want to use it on solaris.

:-)

Luis
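The `Bus Error` in the traces above is the classic SPARC symptom of a misaligned multi-byte load, and `ta 6` makes the kernel emulate such loads rather than removing them. As an added example (not barnyard2's or snort's code), here is an alignment-safe parser for the unified2 packet-record fields shown in the spi_unified2.c debug output; the record layout and the constructed sample bytes are my assumptions from that output.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Unified2 record header (type, length) and the type-2 packet record
 * fields seen in the spi_unified2.c debug output; all big-endian. */
#define U2_PACKET        2
#define U2_HDR_LEN       8
#define U2_PKT_FIXED_LEN 28

typedef struct {
    uint32_t sensor_id, event_id, event_second, packet_second;
    uint32_t packet_microsecond, linktype, packet_length;
    const uint8_t *packet;          /* points into the caller's buffer */
} u2_packet_t;

/* Alignment-safe big-endian 32-bit read: memcpy makes no alignment
 * assumption, while *(uint32_t *)p raises SIGBUS on SPARC for odd p. */
static uint32_t rd32(const uint8_t *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return ntohl(v);
}

/* Parse one packet record at buf. Returns header+body bytes consumed,
 * or 0 when the record is not a complete, self-consistent packet record. */
size_t u2_parse_packet(const uint8_t *buf, size_t len, u2_packet_t *out)
{
    if (len < U2_HDR_LEN) return 0;
    uint32_t type = rd32(buf), rlen = rd32(buf + 4);
    if (type != U2_PACKET || rlen < U2_PKT_FIXED_LEN || len - U2_HDR_LEN < rlen)
        return 0;
    const uint8_t *b = buf + U2_HDR_LEN;
    out->sensor_id = rd32(b);         out->event_id = rd32(b + 4);
    out->event_second = rd32(b + 8);  out->packet_second = rd32(b + 12);
    out->packet_microsecond = rd32(b + 16);
    out->linktype = rd32(b + 20);     out->packet_length = rd32(b + 24);
    if (rlen - U2_PKT_FIXED_LEN < out->packet_length) return 0; /* truncated */
    out->packet = b + U2_PKT_FIXED_LEN;
    return U2_HDR_LEN + rlen;
}

/* Constructed sample: a pad byte, then a 40-byte packet record (event 1 at
 * second 1328041711, linktype 1, 4 packet bytes 03 ba 0e 7a). The pad byte
 * makes u2_sample + 1 deliberately misaligned. */
const uint8_t u2_sample[41] = { 0xAA,
    0,0,0,2, 0,0,0,32, 0,0,0,0, 0,0,0,1, 0x4F,0x28,0x4E,0xEF,
    0x4F,0x28,0x4E,0xEF, 0x00,0x06,0xA6,0x3C, 0,0,0,1, 0,0,0,4, 0x03,0xBA,0x0E,0x7A };
```

Parsing from `u2_sample + 1` works on any architecture because no field is ever dereferenced through a wider-than-byte pointer.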

beenph

Feb 7, 2012, 11:20:07 AM2/7/12
to barnyar...@googlegroups.com
Hey Luis, i might have found a solution other than setting the trap
handler, would you be willing to test it for us?

-elz

beenph

Feb 7, 2012, 11:38:46 AM2/7/12
to barnyar...@googlegroups.com
On Tue, Feb 7, 2012 at 11:20 AM, beenph <bee...@gmail.com> wrote:
> Hey Luis, i might have found a solution other than setting the trap
> handler, would you be willing to test it for us?
>
> -elz
>

Also I would like to know which compiler you use, Sun cc or gcc?

Luis

Feb 9, 2012, 9:45:07 AM2/9/12
to barnyard2-devel
sure thing, let me know what to do..

I have the 'sun-delivered' gcc by the way..


$ gcc --version
gcc (GCC) 3.4.3 (csl-sol210-3_4-branch+sol_rpath)

