Help with latest Snort + Barnyard2



  • I am having a strange error in my logs for Barnyard2.

    barnyard2[34659]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_19483_em4/barnyard2.conf(11) Unknown config directive: event_cache_size.

    I've searched everywhere and I can't seem to find any help. I've completely uninstalled the Snort package + upgraded my pfSense installation to the latest version, still no luck. I also made sure I cleared all my config files from my server as well.

    Commenting out the line in the .conf file does nothing as the WebUI adds that line back in every time I try and restart the service.



  • @sk_leb:

    I am having a strange error in my logs for Barnyard2.

    barnyard2[34659]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_19483_em4/barnyard2.conf(11) Unknown config directive: event_cache_size.

    I've searched everywhere and I can't seem to find any help. I've completely uninstalled the Snort package + upgraded my pfSense installation to the latest version, still no luck. I also made sure I cleared all my config files from my server as well.

    Commenting out the line in the .conf file does nothing as the WebUI adds that line back in every time I try and restart the service.

    One other user reported this error a while back.  I asked him a question about his Barnyard2 version, but never got a reply.

    This is a valid configuration parameter for Barnyard2 1.13 that is used with Snort (and Suricata) on pfSense.  So my first guess is maybe somehow your installation is using an older version of Barnyard2 ??

    Do this –

    Get to the console (either directly or via SSH) and type this command:

    barnyard2 -V
    

    Post back the output.  Also post the contents of this file for me:

    /usr/pbi/snort-amd64/etc/snort/snort_19483_em4/barnyard2.conf
    

    Bill



  • I know this is late, but we've encountered a similar problem with one of our pfsense firewalls.

    barnyard2 -V

      ______   -*> Barnyard2 <*-
     / ,,_  \  Version 2.1.9 (Build 263)
     |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
     + '''' +  (C) Copyright 2008-2010 SecurixLive.

               Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
               (C) Copyright 1998-2007 Sourcefire Inc., et al.

    We have two interfaces, I'm posting the barnyard config of both:

    cat /usr/pbi/snort-i386/etc/snort/snort_11975_bce0/barnyard2.conf

    #  barnyard2.conf
    #  barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php

    # General Barnyard2 settings

    config quiet
    config daemon
    config decode_data_link
    config alert_with_interface_name
    config event_cache_size:    8192
    config show_year
    config archivedir:          /var/log/snort/snort_bce011975/barnyard2/archive
    config reference_file:      /usr/pbi/snort-i386/etc/snort/snort_11975_bce0/reference.config
    config classification_file: /usr/pbi/snort-i386/etc/snort/snort_11975_bce0/classification.config
    config sid_file:            /usr/pbi/snort-i386/etc/snort/snort_11975_bce0/sid-msg.map
    config gen_file:            /usr/pbi/snort-i386/etc/snort/snort_11975_bce0/gen-msg.map
    config hostname:            one-ofmyfirewalls.mycompany.com
    config interface:           bce0
    config waldo_file:          /var/log/snort/snort_bce011975/barnyard2/11975_bce0.waldo
    config logdir:              /var/log/snort/snort_bce011975

    # START user pass through

    # END user pass through

    # Setup input plugins

    input unified2

    # Setup output plugins

    # syslog_full: log to a syslog receiver

    output alert_syslog_full: sensor_name one-ofmyfirewalls.mycompany.com, server syslog-server.mycompany.com, protocol udp, port 514, operation_mode default, log_facility LOG_LOCAL1, log_priority LOG_ALERT

    cat /usr/pbi/snort-i386/etc/snort/snort_61387_em0/barnyard2.conf

    #  barnyard2.conf
    #  barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php

    # General Barnyard2 settings

    config quiet
    config daemon
    config decode_data_link
    config alert_with_interface_name
    config event_cache_size:    8192
    config show_year
    config archivedir:          /var/log/snort/snort_em061387/barnyard2/archive
    config reference_file:      /usr/pbi/snort-i386/etc/snort/snort_61387_em0/reference.config
    config classification_file: /usr/pbi/snort-i386/etc/snort/snort_61387_em0/classification.config
    config sid_file:            /usr/pbi/snort-i386/etc/snort/snort_61387_em0/sid-msg.map
    config gen_file:            /usr/pbi/snort-i386/etc/snort/snort_61387_em0/gen-msg.map
    config hostname:            one-ofmyfirewalls.mycompany.com
    config interface:           em0
    config waldo_file:          /var/log/snort/snort_em061387/barnyard2/61387_em0.waldo
    config logdir:              /var/log/snort/snort_em061387

    # START user pass through

    # END user pass through

    # Setup input plugins

    input unified2

    # Setup output plugins

    # syslog_full: log to a syslog receiver

    output alert_syslog_full: sensor_name one-ofmyfirewalls.mycompany.com, server syslog-server.mycompany.com, protocol udp, port 514, operation_mode default, log_facility LOG_LOCAL1, log_priority LOG_ALERT

    Please and Thank you.



  • If you mean you are getting the "unknown config directive: event_cache_size" error, then you have an older version of Barnyard2 somewhere that is starting up.  Snort installs the 2.1.3 version of Barnyard2, and this version recognizes the "event_cache_size" directive.

    Uninstall the Snort package (be sure to check the box on the GLOBAL SETTINGS tab to save the Snort configuration when uninstalling the package so you won't lose your settings).

    Then go on a hunt for barnyard2 binaries on your system. I'm guessing you will find one or more someplace, and the version will be older than 2.1.3.  Remove all barnyard2 traces from your system, then reinstall Snort and you will be OK.

    This error is caused by an older Barnyard2 executable getting started instead of the one installed by the Snort package.

    Bill
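The "hunt for barnyard2 binaries" above can be scripted. The following is an added example, not code from the thread or from the pfSense Snort package: it lists every barnyard2 binary under the usual prefixes, runs each one with -V, parses the version out of the banner, flags anything older than the 2.1.3 minimum Bill names, and shows which binary PATH lookup actually resolves to. The search directories and the 2.1.3 default are assumptions taken from this thread.

```shell
#!/bin/sh
# Added example (not from the thread): find stale barnyard2 binaries that could
# be started instead of the one shipped by the pfSense Snort package.

# Extract "X.Y.Z" from a barnyard2 -V banner read on stdin (first match only).
banner_version() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 is >= $2 (numeric compare of each field,
# so 2.1.13 correctly sorts after 2.1.3, unlike a plain string compare).
version_ge() {
    lowest=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Candidate locations: the package prefix and the system bin dirs from this
# thread (assumed list; extend it for your own layout).
find_barnyard2() {
    find /usr/local/bin /usr/pbi /usr/bin /usr/sbin -name barnyard2 -type f 2>/dev/null
}

# Print one line per binary, marking anything below the minimum version $1.
report() {
    min="${1:-2.1.3}"
    for bin in $(find_barnyard2); do
        v=$("$bin" -V 2>&1 | banner_version)
        if version_ge "${v:-0}" "$min"; then
            echo "OK     $bin  version ${v:-unknown}"
        else
            echo "STALE  $bin  version ${v:-unknown} (older than $min)"
        fi
    done
    echo "PATH resolves barnyard2 to: $(command -v barnyard2 || echo 'not found')"
}

report "$@"
```

A STALE entry that matches the PATH line is the binary producing the "Unknown config directive: event_cache_size" error.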



  • mv /usr/pbi/snort-amd64/bin/barnyard2 /usr/local/bin/barnyard2



  • @hescalona:

    mv /usr/pbi/snort-amd64/bin/barnyard2 /usr/local/bin/barnyard2

    Yep, this should fix it by copying the latest barnyard2 binary over top of any older version lurking in /usr/local/bin.

    Bill