Netgate Discussion Forum
    Help with latest Snort + Barnyard2

    pfSense Packages
    6 Posts 4 Posters 2.5k Views

    • sk_leb

      I am having a strange error in my logs for Barnyard2.

      barnyard2[34659]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_19483_em4/barnyard2.conf(11) Unknown config directive: event_cache_size.

      I've searched everywhere and I can't seem to find any help. I've completely uninstalled the Snort package + upgraded my pfSense installation to the latest version, still no luck. I also made sure I cleared all my config files from my server as well.

      Commenting out the line in the .conf file does nothing as the WebUI adds that line back in every time I try and restart the service.

      • bmeeks

        @sk_leb:

        One other user reported this error a while back.  I asked him a question about his Barnyard2 version, but never got a reply.

        This is a valid configuration parameter for Barnyard2 1.13 that is used with Snort (and Suricata) on pfSense.  So my first guess is maybe somehow your installation is using an older version of Barnyard2?

        Do this –

        Get to the console (either directly or via SSH) and type this command:

        barnyard2 -V
        

        Post back the output.  Also post the contents of this file for me:

        /usr/pbi/snort-amd64/etc/snort/snort_19483_em4/barnyard2.conf
        

        Bill

        • JonTheGuy

          I know this is late, but we've encountered a similar problem with one of our pfSense firewalls.

          barnyard2 -V

                    ______  -> Barnyard2 <-
                   / ,,_  \  Version 2.1.9 (Build 263)
                   |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
                    + '''' +  (C) Copyright 2008-2010 SecurixLive.

                              Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
                              (C) Copyright 1998-2007 Sourcefire Inc., et al.

          We have two interfaces, I'm posting the barnyard config of both:

          cat /usr/pbi/snort-i386/etc/snort/snort_11975_bce0/barnyard2.conf

          #  barnyard2.conf
          #  barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php

          #  General Barnyard2 settings
          config quiet
          config daemon
          config decode_data_link
          config alert_with_interface_name
          config event_cache_size:    8192
          config show_year
          config archivedir:          /var/log/snort/snort_bce011975/barnyard2/archive
          config reference_file:      /usr/pbi/snort-i386/etc/snort/snort_11975_bce0/reference.config
          config classification_file: /usr/pbi/snort-i386/etc/snort/snort_11975_bce0/classification.config
          config sid_file:            /usr/pbi/snort-i386/etc/snort/snort_11975_bce0/sid-msg.map
          config gen_file:            /usr/pbi/snort-i386/etc/snort/snort_11975_bce0/gen-msg.map
          config hostname:            one-ofmyfirewalls.mycompany.com
          config interface:           bce0
          config waldo_file:          /var/log/snort/snort_bce011975/barnyard2/11975_bce0.waldo
          config logdir:              /var/log/snort/snort_bce011975

          # START user pass through

          # END user pass through

          #  Setup input plugins
          input unified2

          #  Setup output plugins

          # syslog_full: log to a syslog receiver
          output alert_syslog_full: sensor_name one-ofmyfirewalls.mycompany.com, server syslog-server.mycompany.com, protocol udp, port 514, operation_mode default, log_facility LOG_LOCAL1, log_priority LOG_ALERT

          cat /usr/pbi/snort-i386/etc/snort/snort_61387_em0/barnyard2.conf

          #  barnyard2.conf
          #  barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php

          #  General Barnyard2 settings
          config quiet
          config daemon
          config decode_data_link
          config alert_with_interface_name
          config event_cache_size:    8192
          config show_year
          config archivedir:          /var/log/snort/snort_em061387/barnyard2/archive
          config reference_file:      /usr/pbi/snort-i386/etc/snort/snort_61387_em0/reference.config
          config classification_file: /usr/pbi/snort-i386/etc/snort/snort_61387_em0/classification.config
          config sid_file:            /usr/pbi/snort-i386/etc/snort/snort_61387_em0/sid-msg.map
          config gen_file:            /usr/pbi/snort-i386/etc/snort/snort_61387_em0/gen-msg.map
          config hostname:            one-ofmyfirewalls.mycompany.com
          config interface:           em0
          config waldo_file:          /var/log/snort/snort_em061387/barnyard2/61387_em0.waldo
          config logdir:              /var/log/snort/snort_em061387

          # START user pass through

          # END user pass through

          #  Setup input plugins
          input unified2

          #  Setup output plugins

          # syslog_full: log to a syslog receiver
          output alert_syslog_full: sensor_name one-ofmyfirewalls.mycompany.com, server syslog-server.mycompany.com, protocol udp, port 514, operation_mode default, log_facility LOG_LOCAL1, log_priority LOG_ALERT

          Please and thank you.

          • bmeeks

            If you mean you are getting the "unknown config directive: event_cache_size" error, then you have an older version of Barnyard2 somewhere that is starting up.  Snort installs the 2.1.3 version of Barnyard2, and this version recognizes the "event_cache_size" directive.

            Uninstall the Snort package (be sure to check the box on the GLOBAL SETTINGS tab to save the Snort configuration when uninstalling the package so you won't lose your settings).

            Then go on a hunt for barnyard2 binaries on your system. I'm guessing you will find one or more someplace, and the version will be older than 2.1.3.  Remove all barnyard2 traces from your system, then reinstall Snort and you will be OK.

            This error is caused by an older Barnyard2 executable getting started instead of the one installed by the Snort package.

            Bill

            • hescalona
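Bill's "go on a hunt for barnyard2 binaries" step, scripted. This is an added example written for this thread, not code from the pfSense Snort package or from any poster. It lists each barnyard2 executable in a set of directories, pulls the version out of each one's -V banner, flags copies older than the one in the package's bin directory, shows which copy a bare "barnyard2" resolves to on PATH, and uses barnyard2's -T mode (parse the configuration and exit without starting) to check whether a given binary accepts a given barnyard2.conf, which is the direct test for the event_cache_size complaint. The directories /usr/pbi/snort-amd64/bin, /usr/pbi/snort-i386/bin and /usr/local/bin are assumptions about where the PBI-era package and an older build would sit; pass other directories as arguments.

```sh
#!/bin/sh
# by2hunt.sh: locate every "barnyard2" executable on a pfSense box, print the
# version each one reports, flag copies older than the package's own, and test
# whether a given binary accepts a given barnyard2.conf (e.g. event_cache_size).
# Added example for this thread, not the pfSense package's code. The default
# directories are assumptions about where the PBI package and stray builds live.

# Pull "2.1.9" out of the banner "barnyard2 -V" prints (it goes to stderr).
by2_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 when dotted version $1 is older than $2 (2.1.9 < 2.1.13).
# Compared field by field so it works without GNU "sort -V" on FreeBSD sh.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    done
    return 1
}

# Print the path of an executable named barnyard2 in each given directory.
find_barnyard2_binaries() {
    for dir in "$@"; do
        if [ -x "$dir/barnyard2" ]; then printf '%s\n' "$dir/barnyard2"; fi
    done
    return 0
}

# Run "$bin -T -c $conf": parse the config and exit without starting up.
# Exit 0 when accepted; otherwise print the complaint (the thread's
# "Unknown config directive" line, if that is what it was) and exit 1.
by2_conf_test() {
    bin="$1"; conf="$2"
    if out=$("$bin" -T -c "$conf" 2>&1); then
        return 0
    fi
    printf '%s\n' "$out" | grep -i 'unknown config directive' || printf '%s\n' "$out"
    return 1
}

# One line per binary: path, version, and whether it is older than the copy
# in the package directory $1. Extra arguments are more directories to check.
report_barnyard2() {
    ref_dir="$1"; shift
    ref_ver=""
    if [ -x "$ref_dir/barnyard2" ]; then
        ref_ver=$(by2_version_from_banner "$("$ref_dir/barnyard2" -V 2>&1)")
    else
        printf 'warning: no barnyard2 in %s (package not installed?)\n' "$ref_dir"
    fi
    for f in $(find_barnyard2_binaries "$ref_dir" "$@"); do
        ver=$(by2_version_from_banner "$("$f" -V 2>&1)")
        status=ok
        if [ -n "$ref_ver" ] && [ -n "$ver" ] && version_lt "$ver" "$ref_ver"; then
            status="OLDER than $ref_dir/barnyard2 ($ref_ver)"
        fi
        printf '%s\t%s\t%s\n' "$f" "${ver:-unknown}" "$status"
    done
    # The copy a bare "barnyard2" resolves to is the one a PATH lookup would run.
    if resolved=$(command -v barnyard2 2>/dev/null); then
        printf 'PATH resolves barnyard2 to %s\n' "$resolved"
    else
        printf 'no barnyard2 in PATH\n'
    fi
    return 0
}

# Package bin dir first, then the places an older build tends to linger.
# Override with arguments: sh by2hunt.sh /usr/pbi/snort-i386/bin /usr/local/bin
if [ $# -gt 0 ]; then
    report_barnyard2 "$@"
else
    report_barnyard2 /usr/pbi/snort-amd64/bin /usr/local/bin /usr/pbi/snort-i386/bin
fi
```

Run it as root from the console or SSH. A copy reported OLDER, or one that fails by2_conf_test against the package's generated barnyard2.conf, is the binary to remove before reinstalling. For a wider sweep than these directories, find / -type f -name barnyard2 lists every copy on the box.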

              mv /usr/pbi/snort-amd64/bin/barnyard2 /usr/local/bin/barnyard2

              • bmeeks

                @hescalona:

                mv /usr/pbi/snort-amd64/bin/barnyard2 /usr/local/bin/barnyard2

                Yep, this should fix it by copying the latest barnyard2 binary over top of any older version lurking in /usr/local/bin.

                Bill

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.