I've been trying to get the Bro-Barnyard2 integration working, and have been 
seeing a lot of segfaults. It looks like Snort/Suricata's internals are 
generating alerts with strange protocol numbers, and Bro will still segfault 
due to some issues with port handling in Broccoli (see: 
<http://tracker.bro-ids.org/bro/ticket/278>).

I've fixed the immediate issue on the Barnyard2 side of things, by only sending 
events with a protocol of TCP/UDP/ICMP. It seems to be working well for me. My 
changes are in: 
<https://github.com/grigorescu/barnyard2/commit/bdd0ef1afd74d23bec42c8c6b329449d5e323192>. I'd 
appreciate it if someone could take a quick look before I submit a pull 
request. Specifically, I'm worried about having introduced some memleaks by 
bailing out of the function early when bro_record_add_val fails.

Of course, it'd also be awesome to get that underlying issue fixed. I've done 
some poking around but have had no luck so far.

Thanks,

  --Vlad
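An added illustration of the two points raised above (filtering alerts down to TCP/UDP/ICMP, and the memory-leak risk of returning early when a record field cannot be added). This is not code from Vlad's commit or from Barnyard2/Broccoli; `demo_record_new`, `demo_record_add_val` and `demo_record_free` are hypothetical stand-ins that mimic the allocate/add/free shape of Broccoli's record API, with a failure-injection knob so the leak can be observed. The leaky builder bails out without freeing the record; the safe builder funnels every exit through one cleanup label.

```c
#include <netinet/in.h>   /* IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* --- Hypothetical stand-ins for a Broccoli-style record API (not the real library) --- */
typedef struct { int nvals; } demo_record;

static int live_records = 0;     /* how many records are currently allocated   */
static int fail_on_field = -1;   /* constructed failure injection: fail on the n-th add, -1 = never */

static demo_record *demo_record_new(void) {
    demo_record *r = calloc(1, sizeof *r);
    if (r) live_records++;
    return r;
}

static void demo_record_free(demo_record *r) {
    if (r) { free(r); live_records--; }
}

/* Returns 1 on success, 0 on failure, like bro_record_add_val. */
static int demo_record_add_val(demo_record *r, const char *name, uint32_t val) {
    (void)name; (void)val;
    if (r->nvals == fail_on_field) return 0;
    r->nvals++;
    return 1;
}

/* Only forward alerts whose IP protocol the Bro side handles ports for. */
int protocol_is_supported(uint8_t proto) {
    return proto == IPPROTO_TCP || proto == IPPROTO_UDP || proto == IPPROTO_ICMP;
}

/* Leaky version: every early return after the allocation drops the record. */
int build_alert_record_leaky(uint8_t proto, uint32_t src, uint32_t dst) {
    if (!protocol_is_supported(proto)) return 0;
    demo_record *rec = demo_record_new();
    if (!rec) return 0;
    if (!demo_record_add_val(rec, "proto", proto)) return 0;   /* leaks rec */
    if (!demo_record_add_val(rec, "src", src)) return 0;       /* leaks rec */
    if (!demo_record_add_val(rec, "dst", dst)) return 0;       /* leaks rec */
    demo_record_free(rec);   /* the real code would hand the record to an event and send it */
    return 1;
}

/* Safe version: a single cleanup path frees the record on both success and failure. */
int build_alert_record_safe(uint8_t proto, uint32_t src, uint32_t dst) {
    int ok = 0;
    demo_record *rec = NULL;
    if (!protocol_is_supported(proto)) return 0;   /* nothing allocated yet */
    rec = demo_record_new();
    if (!rec) goto out;
    if (!demo_record_add_val(rec, "proto", proto)) goto out;
    if (!demo_record_add_val(rec, "src", src)) goto out;
    if (!demo_record_add_val(rec, "dst", dst)) goto out;
    ok = 1;
out:
    demo_record_free(rec);   /* free(NULL) is a no-op, so this is safe on every path */
    return ok;
}

/* Run a builder with a failure injected on field `fail_at`; return records left allocated. */
int leaks_after_failure(int (*builder)(uint8_t, uint32_t, uint32_t), int fail_at) {
    live_records = 0;
    fail_on_field = fail_at;
    builder(IPPROTO_TCP, 0x0a000001u, 0x0a000002u);   /* constructed 10.0.0.1 -> 10.0.0.2 */
    fail_on_field = -1;
    return live_records;
}

int main(void) {
    printf("leaky builder, add_val fails on field 1: %d record(s) leaked\n",
           leaks_after_failure(build_alert_record_leaky, 1));
    printf("safe  builder, add_val fails on field 1: %d record(s) leaked\n",
           leaks_after_failure(build_alert_record_safe, 1));
    return 0;
}
```

The same check is easy to turn on the real code: build the event with a forced `bro_record_add_val` failure under valgrind or ASan and confirm nothing is reported as definitely lost.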
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev