Barnyard2 OpSyslog_Alert(): Invoked with Packet[0x2f8bc00]…



  • Hello all, I've been getting the following log entries starting with the snapshots and continuing on with the latest release:

    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    Feb 9 08:52:35	barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
    
    

    Can anybody tell me what this means? I've searched but found nothing appropriate.

    The entries are usually either singular or in groups of two or three.

    Using Snort and pfBlockerNG.

    Running:
    2.2-RELEASE (amd64)
    built on Thu Jan 22 14:03:54 CST 2015
    FreeBSD 10.1-RELEASE-p4

    Thanks,

    Bruce


  • Moderator

    Hi Bruce, I don't use Barnyard, but you can see some details here. Not sure if it's related? You can also search the Barnyard Google group for any other threads…

    https://groups.google.com/forum/#!topic/barnyard2-users/0g6TU4zUunU



  • I was able to find that in searching but it seemed to relate to IPv6 and/or VLAN/MPLS with type 105 and 104. My logs refer to type 0 and I don't have VLAN or MPLS configured.

    Do you suppose that the log entries are informational only - relating to my configuration or maybe from current limitations of Snort/barnyard, as opposed to some failure and thus a security breach?

    Bruce



  • @highlandpeak:

    I was able to find that in searching but it seemed to relate to IPv6 and/or VLAN/MPLS with type 105 and 104. My logs refer to type 0 and I don't have VLAN or MPLS configured.

    Do you suppose that the log entries are informational only - relating to my configuration or maybe from current limitations of Snort/barnyard, as opposed to some failure and thus a security breach?

    Bruce

    I use Barnyard2 logging (to Snorby) and I have not seen any errors like that.  It might be something related to IPv6 alerts, but that's just a guess.

    To be honest I am becoming less enthused about Barnyard2 as time goes on.  It seems to have some database concurrency issues, and on my box at least it runs the CPU to 75% and holds it there for about 15 minutes following each Barnyard2 restart while it does some sort of indexing/re-indexing of rule references to SIDs using the sid-msg.map files.

    The update cycle for Barnyard2 also seems a bit slow from what I can tell.  I am working on a Logstash Forwarder package for pfSense (mainly to go with Suricata's EVE JSON logging).  This looks to be a much better solution for exporting IDS logs to another box for analysis.  Maybe it can be adapted for Snort on pfSense.

    Bill



  • Maybe it is related to this issue I'm having: https://forum.pfsense.org/index.php?topic=88831.0

    Both have Event[0x0] Event Type [0] at the heart . . . . . ??



  • Hi
    I'm sorry for digging this old thread up again, but I am pretty sure that I'm having similar issues.
    As you can see below, that is what is flooding my log.

    Aug 3 10:41:14	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:36:50	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:36:48	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:36:48	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:36:04	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:36:01	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:36:01	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:30:16	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:30:16	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:30:09	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:29:26	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:29:26	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:29:26	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:29:04	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:29:04	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:28:29	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:28:26	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:27:03	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:25:29	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:25:29	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:25:27	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:24:37	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:24:32	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:22:28	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:21:36	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:21:20	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:20:12	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:18:15	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:17:04	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:07:37	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    Aug 3 10:07:37	barnyard2	93492	OpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
    

    Additional info:
    SG-4860 running pfSense 2.3.2-RELEASE (amd64)

    Packages:

    iftop (net-mgmt) 0.17_2 - Realtime interface monitor (console/shell only).
      Package Dependencies: iftop-1.0.p4

    iperf (benchmarks) 2.0.5.5_1 - Iperf is a tool for testing network throughput, loss, and jitter.
      Package Dependencies: iperf-2.0.5

    nmap (security) 1.4.4_1 - NMap is a utility for network exploration or security auditing.
      Package Dependencies: nmap-7.12

    openvpn-client-export (security) 1.3.8 - Allows a pre-configured OpenVPN Windows Client or Mac OS X's Viscosity configuration bundle to be exported directly from pfSense.
      Package Dependencies: zip-3.0_1, p7zip-15.14_1, openvpn-client-export-2.3.11

    pfBlockerNG (net) 2.1.1_2 - pfBlockerNG is the Next Generation of pfBlocker.
      Package Dependencies: whois-5.1.5, GeoIP-1.6.9, lighttpd-1.4.39_1, grepcidr-2.0, aggregate-1.6_1

    snort (security) 3.2.9.1_14 - Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection.
      Package Dependencies: barnyard2-1.13, snort-2.9.8.3


    If you want any more info, just ask.

    Is this an error or just informational messages? And most importantly, can it be suppressed somehow?
    Any help is much appreciated :)

    Thank you.
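A parser for the message both posters quote, added here as an example (it is not code from barnyard2 or from the pfSense Snort package). It accepts both syslog layouts shown in the thread, pulls out the pointers and the Event Type, flags entries whose Event field is 0x0 (a null pointer, i.e. the syslog output plugin was invoked without alert data), and groups the entries into time bursts so you can judge whether the "groups of two or three" pattern correlates with anything else in the logs. The sample log is constructed from the quoted lines, with one non-null event added for contrast.

```python
import re
from collections import Counter
from datetime import datetime

# Both syslog layouts quoted in the thread: "barnyard2[PID]:" and tab-separated "barnyard2<TAB>PID<TAB>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+barnyard2(?:\[(?P<pid_a>\d+)\]:|\s+(?P<pid_b>\d+))\s+"
    r"OpSyslog_Alert\(\): Invoked with Packet\[(?P<pkt>0x[0-9a-f]+)\] Event\[(?P<evt>0x[0-9a-f]+)\] "
    r"Event Type \[(?P<etype>\d+)\] Context pointer\[(?P<ctx>0x[0-9a-f]+)\]$"
)

def parse_line(line):
    """Return the message's fields as a dict, or None for any other log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S"),  # syslog carries no year
        "pid": int(m["pid_a"] or m["pid_b"]),
        "packet": m["pkt"], "event": m["evt"], "context": m["ctx"],
        "event_type": int(m["etype"]),
        "null_event": m["evt"] == "0x0",  # 0x0 is a null event pointer: no alert data was passed
    }

def summarize(lines, burst_window=5):
    """Count the messages, how many carry a null event, and how they cluster in time."""
    entries = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    bursts = []  # runs of entries no more than burst_window seconds apart
    for e in entries:
        if bursts and (e["ts"] - bursts[-1][-1]["ts"]).total_seconds() <= burst_window:
            bursts[-1].append(e)
        else:
            bursts.append([e])
    return {
        "total": len(entries),
        "null_event": sum(e["null_event"] for e in entries),
        "event_types": dict(Counter(e["event_type"] for e in entries)),
        "bursts": len(bursts),
        "largest_burst": max((len(b) for b in bursts), default=0),
    }

# Constructed sample modelled on the thread's lines; the Event[0x2f30010] line is invented for contrast.
SAMPLE_LOG = """\
Feb  9 08:52:35 barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
Feb  9 08:52:36 barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x0] Event Type [0] Context pointer[0x2f27000]
Feb  9 09:10:02 barnyard2[10962]: OpSyslog_Alert(): Invoked with Packet[0x2f8bc00] Event[0x2f30010] Event Type [105] Context pointer[0x2f27000]
Aug  3 10:36:50\tbarnyard2\t93492\tOpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
Aug  3 10:36:48\tbarnyard2\t93492\tOpSyslog_Alert(): Invoked with Packet[0x389dc00] Event[0x0] Event Type [0] Context pointer[0x3839000]
"""
```

Feed it the relevant lines from the system log, e.g. `summarize(open("/var/log/system.log").read().splitlines())`; every entry with `null_event` set was a call the plugin received without an alert, which is consistent with the thread's reading of the message as informational rather than a sign of a breach.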

