Snort barnyard2 crashes when attempting to enable sending alerts to bro
-
Hi, I've just started trying to send snort alerts to a Bro receiver on Security Onion. When I did so, I received this message:
barnyard2[12780]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_60190_em1/barnyard2.conf(39) Unknown output plugin: "alert_bro"
The only result I get searching for this is 3 years old and implies that an update should have fixed it.
Snort and pfsense are on the latest versions.
Also if you try to enable syslog output to a SecurityOnion syslog-ng receiver, the parser does not interpret the message correctly. This seems to be because the parser expects data preceding the first ':' char to be the PRI/header values. Snort syslog output from pfsense does not include any PRI/header information - it seems to send only the message. Is there any way of getting it to include a header?
-
I will take a look at this problem. I did not have a Bro setup to test with when I added that option.
Bill
-
Don't dig too deep just yet - I made an assumption that since I'd configured SO as a server, Bro would have been set up as a manager - not only was it not set up as such, it didn't seem to be running at all. I'm now scratching my head over how to get it working so I'll get back to you once I have something definitive on this front.
My apologies for having cried wolf :P
-
OK. Will hold off until you post back.
Bill
-
still open … and keeps crashing.
Either remove bro-ids from options of barnyard2 or try to fix it. Last would more the sufficient way.
Thanks