    Problem with Barnyard2

      Atlantisman

      Hello,

      I upgraded to the most recent Snort packages and I am having a problem getting barnyard2 to start. Here are the logs I get:

      May 21 17:34:33 barnyard2[43706]: FATAL ERROR: database [ConvertReferenceCache()], Failed a call to snort_escape_string_STATIC() for string : [ET WEB_SERVER /bin/], Exiting.
      May 21 17:34:26 barnyard2[43099]: Daemon parent exiting
      May 21 17:34:25 barnyard2[43706]: Writing PID "43706" to file "/var/run/barnyard2_em154818.pid"
      May 21 17:34:25 barnyard2[43706]: PID path stat checked out ok, PID path set to /var/run
      May 21 17:34:25 barnyard2[43706]: Daemon initialized, signaled parent pid: 43099
      May 21 17:34:25 barnyard2[43099]: Initializing daemon mode
      May 21 17:34:25 barnyard2[43099]: INFO database: Defaulting Reconnect sleep time to 5 second
      May 21 17:34:25 barnyard2[43099]: INFO database: Defaulting Reconnect/Transaction Error limit to 10
      May 21 17:34:25 barnyard2[43099]: Log directory = /var/log/snort/snort_em154818
      May 21 17:34:25 barnyard2[43099]: Barnyard2 spooler: Event cache size set to [8192]
      May 21 17:34:25 barnyard2[43099]: Found pid path directive (/var/run)
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_RESERVED_FUNCTION'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '1'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_RESERVED_ADDRESS'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '1'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_REASSEMBLY_BUFFER_CLEARED'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '1'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_DROPPED_SEGMENT'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored

      I am connecting it to a MySQL database that is on another host and has BASE configured on it for viewing the logs. Any help would be great.

      Thanks.

        bmeeks

        @Atlantisman:

        Hello,

        I upgraded to the most recent Snort packages and I am having a problem getting barnyard2 to start. Here are the logs I get:

        May 21 17:34:33 barnyard2[43706]: FATAL ERROR: database [ConvertReferenceCache()], Failed a call to snort_escape_string_STATIC() for string : [ET WEB_SERVER /bin/], Exiting.
        May 21 17:34:26 barnyard2[43099]: Daemon parent exiting
        May 21 17:34:25 barnyard2[43706]: Writing PID "43706" to file "/var/run/barnyard2_em154818.pid"
        May 21 17:34:25 barnyard2[43706]: PID path stat checked out ok, PID path set to /var/run
        May 21 17:34:25 barnyard2[43706]: Daemon initialized, signaled parent pid: 43099
        May 21 17:34:25 barnyard2[43099]: Initializing daemon mode
        May 21 17:34:25 barnyard2[43099]: INFO database: Defaulting Reconnect sleep time to 5 second
        May 21 17:34:25 barnyard2[43099]: INFO database: Defaulting Reconnect/Transaction Error limit to 10
        May 21 17:34:25 barnyard2[43099]: Log directory = /var/log/snort/snort_em154818
        May 21 17:34:25 barnyard2[43099]: Barnyard2 spooler: Event cache size set to [8192]
        May 21 17:34:25 barnyard2[43099]: Found pid path directive (/var/run)
        May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_RESERVED_FUNCTION'. Ignored
        May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
        May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored
        May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '1'. Ignored
        May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_RESERVED_ADDRESS'. Ignored
        May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
        May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored
        May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '1'. Ignored
        May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_REASSEMBLY_BUFFER_CLEARED'. Ignored
        May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
        May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored
        May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '1'. Ignored
        May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_DROPPED_SEGMENT'. Ignored
        May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
        May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored

        I am connecting it to a MySQL database that is on another host and has BASE configured on it for viewing the logs. Any help would be great.

        Thanks.

        From the looks of those messages it appears you are running at least one of the SCADA rule sets (DNP3).  If so, you would be one of the first folks I've heard of using that rule set (and the associated DNP3 and/or MODBUS preprocessors).  The final FATAL ERROR message indicates to me Barnyard2 is choking on something in the REFERENCES field of one or more rules.

        Bill

          bmeeks

          Also, what version of pfSense are you running?

          Bill

            Atlantisman

            I am on 2.1.3 i386. It looks like barnyard2 was having a problem with the SCADA rules and at least one other rule set. I took everything back to only VRT rules and barnyard started right up.

            Thanks.

              bmeeks

              @Atlantisman:

              I am on 2.1.3 i386. It looks like barnyard2 was having a problem with the SCADA rules and at least one other rule set. I took everything back to only VRT rules and barnyard started right up.

              Thanks.

              I can investigate the SCADA rules.  Those particular messages in your log post were just warnings, though.  They would not prevent a startup.  It was that fatal error trying to read one of the Emerging Threats Web Server rules that killed it.  The ET rules have had a few errors creep into them lately, and Snort (and now apparently Barnyard2 as well) can choke and refuse to start up if a rule with an error is encountered.

              Bill
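
The distinction drawn in the last reply (the WARNING lines are ignored, the FATAL ERROR line is what stops Barnyard2) can be applied mechanically to a log like the one in the first post. This is an added example, not part of the thread or of Barnyard2: the function name `triage` and the regular expressions are assumptions fitted to the message formats shown above, and the sample is a subset of the posted lines.

```python
import re
from collections import Counter

# Subset of the log lines from the first post (newest first, as posted).
SAMPLE_LOG = """\
May 21 17:34:33 barnyard2[43706]: FATAL ERROR: database [ConvertReferenceCache()], Failed a call to snort_escape_string_STATIC() for string : [ET WEB_SERVER /bin/], Exiting.
May 21 17:34:26 barnyard2[43099]: Daemon parent exiting
May 21 17:34:25 barnyard2[43099]: Log directory = /var/log/snort/snort_em154818
May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_RESERVED_FUNCTION'. Ignored
May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored
May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_DROPPED_SEGMENT'. Ignored
"""

# Patterns fitted to the message formats shown in the thread (assumption:
# other Barnyard2 versions may word these messages differently).
LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) barnyard2\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FATAL = re.compile(r"FATAL ERROR: (?P<module>\w+) \[(?P<func>.+?)\], (?P<detail>.*?)"
                   r" for string : \[(?P<string>.*)\], Exiting\.")
WARN = re.compile(r"WARNING: invalid Reference spec '(?P<spec>.*)'\. Ignored")


def triage(log_text):
    """Return (fatals, warnings): what stopped startup vs. what was ignored."""
    fatals, warnings = [], Counter()
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # not a barnyard2 syslog line
        fatal = FATAL.search(line["msg"])
        warn = WARN.search(line["msg"])
        if fatal:
            fatals.append({
                "time": line["ts"],
                "pid": int(line["pid"]),
                "function": fatal["func"],
                "failed_call": fatal["detail"],
                "rule_text": fatal["string"],  # text Barnyard2 could not escape
            })
        elif warn:
            warnings[warn["spec"]] += 1
    return fatals, warnings


if __name__ == "__main__":
    fatals, warnings = triage(SAMPLE_LOG)
    for f in fatals:
        print(f"BLOCKER pid={f['pid']} in {f['function']}: look for a rule containing {f['rule_text']!r}")
    print(f"{sum(warnings.values())} ignored reference warnings, {len(warnings)} distinct specs")
```
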
