Netgate Discussion Forum

Problem with Barnyard2

pfSense Packages
  • Atlantisman
    last edited by May 21, 2014, 11:36 PM

    Hello,

    I upgraded to the most recent Snort packages and I am having a problem with getting barnyard2 to start. Here are the logs I get:

    May 21 17:34:33 barnyard2[43706]: FATAL ERROR: database [ConvertReferenceCache()], Failed a call to snort_escape_string_STATIC() for string : [ET WEB_SERVER /bin/], Exiting.
    May 21 17:34:26 barnyard2[43099]: Daemon parent exiting
    May 21 17:34:25 barnyard2[43706]: Writing PID "43706" to file "/var/run/barnyard2_em154818.pid"
    May 21 17:34:25 barnyard2[43706]: PID path stat checked out ok, PID path set to /var/run
    May 21 17:34:25 barnyard2[43706]: Daemon initialized, signaled parent pid: 43099
    May 21 17:34:25 barnyard2[43099]: Initializing daemon mode
    May 21 17:34:25 barnyard2[43099]: INFO database: Defaulting Reconnect sleep time to 5 second
    May 21 17:34:25 barnyard2[43099]: INFO database: Defaulting Reconnect/Transaction Error limit to 10
    May 21 17:34:25 barnyard2[43099]: Log directory = /var/log/snort/snort_em154818
    May 21 17:34:25 barnyard2[43099]: Barnyard2 spooler: Event cache size set to [8192]
    May 21 17:34:25 barnyard2[43099]: Found pid path directive (/var/run)
    May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_RESERVED_FUNCTION'. Ignored
    May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
    May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored
    May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '1'. Ignored
    May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_RESERVED_ADDRESS'. Ignored
    May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
    May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored
    May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '1'. Ignored
    May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_REASSEMBLY_BUFFER_CLEARED'. Ignored
    May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
    May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored
    May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '1'. Ignored
    May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_DROPPED_SEGMENT'. Ignored
    May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
    May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored

    I am connecting it to a MySQL database that is on another host and has BASE configured on it for viewing the logs. Any help would be great.

    Thanks.

    • bmeeks
      last edited by May 22, 2014, 3:14 AM

      @Atlantisman:

      Hello,

      I upgraded to the most recent Snort packages and I am having a problem with getting barnyard2 to start. Here are the logs I get:

      May 21 17:34:33 barnyard2[43706]: FATAL ERROR: database [ConvertReferenceCache()], Failed a call to snort_escape_string_STATIC() for string : [ET WEB_SERVER /bin/], Exiting.
      May 21 17:34:26 barnyard2[43099]: Daemon parent exiting
      May 21 17:34:25 barnyard2[43706]: Writing PID "43706" to file "/var/run/barnyard2_em154818.pid"
      May 21 17:34:25 barnyard2[43706]: PID path stat checked out ok, PID path set to /var/run
      May 21 17:34:25 barnyard2[43706]: Daemon initialized, signaled parent pid: 43099
      May 21 17:34:25 barnyard2[43099]: Initializing daemon mode
      May 21 17:34:25 barnyard2[43099]: INFO database: Defaulting Reconnect sleep time to 5 second
      May 21 17:34:25 barnyard2[43099]: INFO database: Defaulting Reconnect/Transaction Error limit to 10
      May 21 17:34:25 barnyard2[43099]: Log directory = /var/log/snort/snort_em154818
      May 21 17:34:25 barnyard2[43099]: Barnyard2 spooler: Event cache size set to [8192]
      May 21 17:34:25 barnyard2[43099]: Found pid path directive (/var/run)
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_RESERVED_FUNCTION'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '1'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_RESERVED_ADDRESS'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '1'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_REASSEMBLY_BUFFER_CLEARED'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '1'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_DROPPED_SEGMENT'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
      May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored

      I am connecting it to a MySQL database that is on another host and has BASE configured on it for viewing the logs. Any help would be great.

      Thanks.

      From the looks of those messages it appears you are running at least one of the SCADA rule sets (DNP3).  If so, you would be one of the first folks I've heard of using that rule set (and the associated DNP3 and/or MODBUS preprocessors).  The final FATAL ERROR message indicates to me Barnyard2 is choking on something in the REFERENCES field of one or more rules.

      Bill

      • bmeeks
        last edited by May 22, 2014, 12:44 PM

        Also, what version of pfSense are you running?

        Bill

        • Atlantisman
          last edited by May 22, 2014, 8:38 PM

          I am on 2.1.3 i386. It looks like barnyard2 was having a problem with the SCADA rules and at least one other rule set. I took everything back to only VRT rules and barnyard started right up.

          Thanks.

          • bmeeks
            last edited by May 23, 2014, 12:44 AM

            @Atlantisman:

            I am on 2.1.3 i386. It looks like barnyard2 was having a problem with the SCADA rules and at least one other rule set. I took everything back to only VRT rules and barnyard started right up.

            Thanks.

            I can investigate the SCADA rules.  Those particular messages in your log post were just warnings, though.  They would not prevent a startup.  It was that fatal error trying to read one of the Emerging Threats Web Server rules that killed it.  The ET rules have had a few errors creep into them lately, and Snort (and now apparently Barnyard2 as well) can choke and refuse to start up if a rule with an error is encountered.

            Bill
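
The distinction drawn in the last reply (the "invalid Reference spec" lines are warnings, while the single FATAL ERROR is what stops Barnyard2) can be checked mechanically when a startup log is long. The following is an added example, not part of the thread and not pfSense or Barnyard2 code; the function name `triage` and the regular expressions are assumptions derived only from the message formats quoted in the first post.

```python
import re
from collections import Counter

# Subset of the barnyard2 syslog lines quoted in the first post.
SAMPLE_LOG = """\
May 21 17:34:33 barnyard2[43706]: FATAL ERROR: database [ConvertReferenceCache()], Failed a call to snort_escape_string_STATIC() for string : [ET WEB_SERVER /bin/], Exiting.
May 21 17:34:26 barnyard2[43099]: Daemon parent exiting
May 21 17:34:25 barnyard2[43099]: INFO database: Defaulting Reconnect sleep time to 5 second
May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'DNP3_RESERVED_FUNCTION'. Ignored
May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec '0'. Ignored
May 21 17:34:25 barnyard2[43099]: WARNING: invalid Reference spec 'protocol-command-decode'. Ignored
"""

# Patterns assumed from the message layout shown in the thread.
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) barnyard2\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FATAL = re.compile(r"^FATAL ERROR: (?P<module>\S+) \[(?P<func>[^\]]+)\], (?P<detail>.*), Exiting\.$")
BAD_STRING = re.compile(r"for string : \[(?P<text>.*)\]$")
WARN_REF = re.compile(r"^WARNING: invalid Reference spec '(?P<spec>[^']*)'\. Ignored$")


def triage(log_text):
    """Separate startup-blocking fatal errors from ignorable reference warnings."""
    fatals, ref_warnings, unparsed = [], Counter(), 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            unparsed += 1  # not a barnyard2 syslog line: count it, do not guess
            continue
        msg = m["msg"]
        if (f := FATAL.match(msg)):
            s = BAD_STRING.search(f["detail"])
            fatals.append({"time": m["ts"], "pid": int(m["pid"]),
                           "module": f["module"], "function": f["func"],
                           # text of the rule field barnyard2 failed to escape
                           "string": s["text"] if s else None})
        elif (w := WARN_REF.match(msg)):
            ref_warnings[w["spec"]] += 1
    return {"fatals": fatals, "ref_warnings": ref_warnings,
            "startup_blocked": bool(fatals), "unparsed": unparsed}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["fatals"]:
        print(f"FATAL pid={f['pid']} {f['module']}/{f['function']} string={f['string']!r}")
    print("warnings (non-fatal):", dict(result["ref_warnings"]))
```

The extracted `string` value is the text to search for in the enabled rule files, which narrows the problem to one rule category instead of disabling every non-VRT rule set.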
