Snort > Barnyard2 >syslog fatal error

  • Hello,

I have had the Snort package running for a very long time; since the last package update to ver  I have been getting a fatal error, as shown below. I tried to delete/recreate the Snort interface; it works for a few min/sec and then stops.
    Any idea what is causing the issue? Please advise.

    --- event from log

    Mar 6 10:50:05 barnyard2 57137 Barnyard2 exiting
    Mar 6 10:50:05 barnyard2 57137 FATAL ERROR: [Syslog_FormatIPHeaderLog()], strlcpy() error , bailing
    Mar 6 10:50:05 barnyard2 57137 OpSyslog_Log(): Is currently unable to handle Event Type [72]
    Mar 6 10:50:05 barnyard2 57137 Opened spool file '/var/log/snort/snort_igb15944/snort_5944_igb1.u2.1519272335'
    Mar 6 10:50:05 barnyard2 57137 Using waldo file '/var/log/snort/snort_igb15944/barnyard2/5944_igb1.waldo': spool directory = /var/log/snort/snort_igb15944 spool filebase = snort_5944_igb1.u2 time_stamp = 1519272335 record_idx = 21

  • The problem appears to be within Barnyard2.  Notice that this is where the error is generated, according to the log message.  Barnyard2 on FreeBSD (and thus on pfSense as well) is very old and not well supported.  It will be removed from the Suricata package in the near future, and I'm considering doing the same for Snort because Barnyard2 is so unreliable.

    Your particular error message comes from Barnyard2 not being able to adequately handle IPv6 events.  Here is a link to an open bug report thread on GitHub for this issue.  Notice that the date is 2015 and there has still been no action; that's what I mean by Barnyard2 being poorly supported.
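To check whether the spool file barnyard2 is choking on actually contains IPv6 events (record type 72, the type named in the log above), and to see why an IPv6 address trips a copy sized for IPv4 text, here is an added example in Python. It is not barnyard2's code or the pfSense package's. The record layouts come from Snort's unified2 format; the sample spool bytes are constructed inline; and the two buffer sizes (16 and 46 bytes, the values of the C constants INET_ADDRSTRLEN and INET6_ADDRSTRLEN) are an assumption about what a fixed-size address buffer looks like, not barnyard2's actual buffer sizes.

```python
import struct
import ipaddress

# Unified2 record types from Snort's unified2 format. Type 72 is the one the
# barnyard2 log above says OpSyslog_Log() cannot handle.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7           # legacy IPv4 event, 52-byte payload
UNIFIED2_IDS_EVENT_IPV6 = 72     # legacy IPv6 event, 76-byte payload
UNIFIED2_IDS_EVENT_V2 = 104
UNIFIED2_IDS_EVENT_IPV6_V2 = 105
IPV6_EVENT_TYPES = {UNIFIED2_IDS_EVENT_IPV6, UNIFIED2_IDS_EVENT_IPV6_V2}

# Assumed buffer sizes for a textual address (the C constants of the same
# name); barnyard2's real buffer sizes are not known from this thread.
INET_ADDRSTRLEN = 16
INET6_ADDRSTRLEN = 46


def iter_unified2_records(data):
    """Yield (record_type, payload) from a unified2 byte stream.

    Each record starts with an 8-byte header of two big-endian uint32 values,
    type and length; the length counts only the payload that follows it."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        off += 8
        if off + rlen > len(data):
            break  # partial record at the tail (spool still being written): stop
        yield rtype, data[off:off + rlen]
        off += rlen


def count_record_types(data):
    counts = {}
    for rtype, _ in iter_unified2_records(data):
        counts[rtype] = counts.get(rtype, 0) + 1
    return counts


def has_ipv6_events(data):
    return any(t in IPV6_EVENT_TYPES for t in count_record_types(data))


def event_addresses(rtype, payload):
    """Return (src, dst) as text for the two legacy event layouts, or None.

    Both layouts place the addresses after nine uint32 fields (36 bytes)."""
    if rtype == UNIFIED2_IDS_EVENT:
        src, dst = struct.unpack_from(">4s4s", payload, 36)
        return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))
    if rtype == UNIFIED2_IDS_EVENT_IPV6:
        src, dst = struct.unpack_from(">16s16s", payload, 36)
        return str(ipaddress.IPv6Address(src)), str(ipaddress.IPv6Address(dst))
    return None


def fits_strlcpy(text, size):
    """strlcpy(dst, src, size) copies at most size-1 bytes and returns
    strlen(src); a return value >= size means the copy was truncated, which is
    the kind of check that fails when an IPv6 string meets an IPv4-sized buffer."""
    return len(text) < size


def truncated_addresses(data, size):
    """Addresses in the spool that would not survive strlcpy into `size` bytes."""
    bad = []
    for rtype, payload in iter_unified2_records(data):
        addrs = event_addresses(rtype, payload)
        if addrs:
            bad.extend((rtype, a) for a in addrs if not fits_strlcpy(a, size))
    return bad


# --- constructed sample spool (not real pfSense data) -----------------------
def _record(rtype, payload):
    return struct.pack(">II", rtype, len(payload)) + payload


def _legacy_event(rtype, src, dst, sid=1000001):
    # sensor_id, event_id, event_second, event_microsecond, signature_id,
    # generator_id, signature_revision, classification_id, priority_id
    head = struct.pack(">9I", 1, 1, 0, 0, sid, 1, 1, 0, 0)
    addrs = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    # sport_itype, dport_icode, protocol, impact_flag, impact, blocked
    tail = struct.pack(">HHBBBB", 40000, 80, 6, 0, 0, 0)
    return _record(rtype, head + addrs + tail)


SAMPLE_SPOOL = (
    _legacy_event(UNIFIED2_IDS_EVENT, "192.0.2.10", "198.51.100.7")
    + _legacy_event(UNIFIED2_IDS_EVENT_IPV6, "2001:db8::1",
                    "2001:db8:ffff:ffff:ffff:ffff:ffff:1")
    + _record(UNIFIED2_PACKET, b"\x00" * 40)
    + struct.pack(">II", UNIFIED2_IDS_EVENT, 52) + b"\xde\xad"  # cut-off record
)

if __name__ == "__main__":
    print("record types:", count_record_types(SAMPLE_SPOOL))
    print("IPv6 events present:", has_ipv6_events(SAMPLE_SPOOL))
    print("would truncate in a 16-byte buffer:",
          truncated_addresses(SAMPLE_SPOOL, INET_ADDRSTRLEN))
```

Point the same functions at a real spool (`open(path, "rb").read()` on the `.u2.*` file named in the log) to see which record types it holds. Two details worth noticing in the output: the reader stops cleanly at the cut-off record at the end, as a spool that Snort is still writing will always have, and a short compressed IPv6 address such as `2001:db8::1` fits the 16-byte buffer while a long one does not, so a truncation check of this kind only fails once a matching event arrives rather than on the first IPv6 event.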