Snort mailing list archives
Re: Problem with barnyard 0.2.0 and snort 2.4.0
From: eric-list-snort-users () catastrophe net
Date: Sat, 20 Aug 2005 14:08:02 -0500
On Sat, 2005-08-20 at 13:38:16 -0500, Paul Schmehl proclaimed...
> Restart barnyard, but add -v to make it more verbose. If that doesn't tell you anything, then add a second or third v.

I've added 6 "-v" switches ... and removed the waldo file from the commandline entirely. This is what I get....

gw1$ /var/qmail/bin/barnyard -c /var/snort/etc/barnyard.conf \
    -d /var/snort/log -f snort.log -v -v -v -v -v -v
Barnyard Version 0.2.0 (Build 32)
Command line arguments:
    Config file: /var/snort/etc/barnyard.conf
    Spool dir: /var/snort/log
    Gen-msg file: Not specified
    Sid-msg file: Not specified
    Class file: Not specified
    Log dir: Not specified
    Archive dir: Not specified
    File base: snort.log
    Waldo file: Not specified
    Pid file: Not specified
    Verbosity level: 6
    Dry run flag: Not Set
    Batch mode flag: Not Set
    Daemon flag: Not Set
    New records only flag: Not Set
    Usage flag: Not Set
    Version flag: Not Set
Config file variables:
    Hostname: gw1
    Interface: bridge0
    BPF Filter: not port 22
    Class file: /var/snort/etc/classification.config
    Sid-msg file: /var/snort/etc/sid-msg.map
    Gen-msg file: /var/snort/etc/gen-msg.map
    Daemon flag: Not Set
    Localtime flag: Set
Program Variables:
    Continual processing mode
    Config dir: /var/snort/etc
    Config file: /var/snort/etc/barnyard.conf
    Sid-msg file: /var/snort/etc/sid-msg.map
    Gen-msg file: /var/snort/etc/gen-msg.map
    Class file: /var/snort/etc/classification.config
    Hostname: gw1
    Interface: bridge0
    BPF Filter: not port 22
    Log dir: /var/log/snort
    Verbosity: 6
    Localtime: 1
    Spool dir: /var/snort/log
    Spool file: snort.log
    Start at end: 0
Waiting for new spool file

A rule is then triggered, but the status above never changes.

> If you delete the waldo file, barnyard *should* reread all the log files (giving you duplicates in your db.) If it still isn't reading the logfiles, then remove the waldo switch. If it *still* won't load the files, there's something wrong with the files. Either they're not in unified format or they're screwed up in a way that makes it impossible for barnyard to parse them. The waldo file should look something like this:
>
> # less /usr/local/etc/waldo.file
> /var/log/snort/ snort.log 1124382173 3138
My waldo file was null length.
> Check to see if the snort log files are binary. If they aren't then snort isn't logging in unified format.

They're the following...

gw1$ file /var/snort/log/*
/var/snort/log/alert:                          ASCII text
/var/snort/log/snort-unified.log.1124485688:   8086 relocatable (Microsoft)
/var/snort/log/snort-unified.log.1124499689:   8086 relocatable (Microsoft)
/var/snort/log/snort-unified.log.1124510258:   8086 relocatable (Microsoft)
/var/snort/log/snort-unified.log.1124513157:   8086 relocatable (Microsoft)

> This wasn't intended to fix anything regarding your present problem.
I know, just mentioning :) Thanks for the help so far.

- Eric
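The check Paul suggests (are the spool files really unified-format binaries?) can be done more precisely than with file(1). The script below is an added example written for this page; it is not code from the thread, from Snort or from barnyard. It reads the first bytes of each file in a spool directory, compares them with the unified log and alert file magics, decodes the unified log file header, and compares each file name against the `-f` base the way barnyard's spooler matches spool files (`<base>.<epoch timestamp>`). Two things it makes visible about the output quoted above: file(1)'s "8086 relocatable (Microsoft)" entry matches on a single first byte of 0x80, which is exactly what a little-endian 0xDEAD1080 looks like on disk (`80 10 ad de`), so that verdict is consistent with unified logs rather than evidence against them; and the files on disk are named `snort-unified.log.<ts>` while the command line says `-f snort.log`, so no file name matches the base. The magic values (0xDEAD1080, 0xDEAD4137), the header layouts and the base-name matching rule are stated from memory of Snort's spo_unified.h and barnyard's spooler and should be verified against your own source tree; the sample spool contents are constructed.

```python
#!/usr/bin/env python3
"""Classify files in a barnyard spool directory as Snort unified logs/alerts.

Added example for this thread, not Snort or barnyard code. Magic values and
header layouts are as recalled from Snort's spo_unified.h (assumption).
"""
import os
import re
import struct
import sys

LOG_MAGIC = 0xDEAD1080    # unified log file magic (assumed, spo_unified.h)
ALERT_MAGIC = 0xDEAD4137  # unified alert file magic (assumed, spo_unified.h)

# UnifiedLogFileHeader: magic, version_major, version_minor, timezone,
# sigfigs, snaplen, linktype. Written in host byte order; the x86 sensor
# in the thread is little-endian, hence the "<" prefix.
LOG_HDR = struct.Struct("<IHHIIII")
# UnifiedAlertFileHeader: magic, version_major, version_minor, timezone
ALERT_HDR = struct.Struct("<IIII")


def identify_unified(data):
    """Return (kind, header) for the leading bytes of a file.

    kind is 'log', 'alert', 'empty' or 'unknown'; header is a dict of the
    decoded file header fields, or None when the file is not unified format.
    """
    if len(data) == 0:
        return "empty", None
    if len(data) < 4:
        return "unknown", None
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == LOG_MAGIC and len(data) >= LOG_HDR.size:
        _, vmaj, vmin, tz, _sigfigs, snaplen, linktype = LOG_HDR.unpack_from(data, 0)
        return "log", {"version": f"{vmaj}.{vmin}", "timezone": tz,
                       "snaplen": snaplen, "linktype": linktype}
    if magic == ALERT_MAGIC and len(data) >= ALERT_HDR.size:
        _, vmaj, vmin, tz = ALERT_HDR.unpack_from(data, 0)
        return "alert", {"version": f"{vmaj}.{vmin}", "timezone": tz}
    return "unknown", None


def file_misidentifies_as_8086(data):
    """True when file(1) would say '8086 relocatable (Microsoft)'.

    That magic entry tests only for a first byte of 0x80, which is what a
    little-endian 0xDEAD1080 starts with on disk (80 10 ad de).
    """
    return len(data) >= 1 and data[0] == 0x80


def matches_spool_base(filename, base):
    """barnyard -f BASE opens spool files named BASE.<epoch timestamp>
    (matching rule as recalled from barnyard's spooler; assumption)."""
    return re.fullmatch(re.escape(base) + r"\.\d+", filename) is not None


def scan_spool(files, base):
    """files: mapping filename -> leading bytes. Returns a per-file report."""
    report = {}
    for name, data in files.items():
        kind, hdr = identify_unified(data)
        report[name] = {"kind": kind, "header": hdr,
                        "barnyard_will_open": matches_spool_base(name, base)}
    return report


# Constructed sample spool modelled on the thread: an ASCII alert file,
# two unified log files and an empty file (e.g. left behind by a crash).
SAMPLE_FILES = {
    "alert": b"[**] [1:1000001:1] constructed test alert [**]\n",
    "snort-unified.log.1124485688": LOG_HDR.pack(LOG_MAGIC, 1, 2, 0, 0, 1514, 1),
    "snort-unified.log.1124499689": LOG_HDR.pack(LOG_MAGIC, 1, 2, 0, 0, 1514, 1),
    "snort-unified.log.1124513157": b"",
}


def main(argv):
    """usage: unified_check.py SPOOLDIR BASE   (e.g. /var/snort/log snort.log)"""
    spooldir, base = argv[1], argv[2]
    files = {}
    for name in sorted(os.listdir(spooldir)):
        path = os.path.join(spooldir, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                files[name] = fh.read(LOG_HDR.size)
    for name, r in scan_spool(files, base).items():
        note = ("matches -f " if r["barnyard_will_open"] else "not matched by -f ") + base
        print(f"{name}: {r['kind']} {r['header'] or ''} ({note})")


if __name__ == "__main__":
    if len(sys.argv) == 3:
        main(sys.argv)
    else:
        for name, r in scan_spool(SAMPLE_FILES, "snort.log").items():
            print(name, r)
```

Run it with no arguments to see the constructed sample, or as `unified_check.py /var/snort/log snort.log` against a real spool directory. A 'log' or 'alert' verdict with a sane snaplen and linktype means the bytes are unified format and the problem lies elsewhere (spool base name, permissions, or an empty waldo); an 'unknown' verdict on a file snort claims to be writing means the output plugin is not producing unified records.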
Current thread:
- Problem with barnyard 0.2.0 and snort 2.4.0 eric-list-snort-users (Aug 19)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 Paul Schmehl (Aug 20)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 eric-list-snort-users (Aug 20)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 Paul Schmehl (Aug 20)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 eric-list-snort-users (Aug 20)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 eric-list-snort-users (Aug 20)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 eric-list-snort-users (Aug 20)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 eric-list-snort-users (Aug 20)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 Paul Schmehl (Aug 20)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 Paul Schmehl (Sep 19)