Snort mailing list archives
Barnyard not populating opt table
From: David Humes <delsasser001 () yahoo com>
Date: Tue, 4 Oct 2005 13:56:38 -0700 (PDT)
I noticed that since installing Barnyard we're not seeing any TCP options when viewing events with BASE. I checked the snort.opt table and sure enough it was empty. This was a fresh Snort/Barnyard install with Barnyard running from the start. I reconfigured Snort to log directly to the database, and immediately started seeing data in the opt table. So, it's fairly certain that the problem is with Barnyard or more likely my configuration.

Here's the config.

config daemon
config localtime
config hostname: ranger
config interface: eth1
config sid-msg-map: /etc/snort/rules/sid-msg.map
config gen-msg-map: /etc/snort/rules/gen-msg.map
config class-file: /etc/snort/rules/classification.config
output alert_acid_db: mysql, database snort, server localhost, user snort, password snort, detail full
output log_acid_db: mysql, database snort, server localhost, user snort, password snort, detail full

And here is how it's being started.

/usr/local/bin/barnyard -c /etc/snort/barnyard/barnyard.conf -d /var/log/snort -f snort.log -w /var/log/snort/waldo.barnyard -a /var/log/snort/archive

Also, it has never been completely clear if the output alert_acid_db line is necessary. I have run Barnyard without that line and it seemed to work fine except for the problem noted above. It appears as though the log files incorporate all of the information in the alert files, so I would not think that it should be necessary.

We're running Snort-2.4.2, Barnyard-0.2.0, and mysql Ver 14.7

Any assistance would be appreciated.

--Dave
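The check the post describes (looking at whether snort.opt is being filled) done per sensor rather than for the whole table, as an added example that is not part of the original message or of Snort/Barnyard. It assumes a subset of the ACID database schema (sensor, event, tcphdr and opt tables, with opt_proto 6 marking TCP options), substitutes SQLite for MySQL so it runs offline, and the sensor and event rows are constructed: one sensor standing in for the Barnyard writer (TCP events, no option rows) and one for Snort logging directly (option rows present). Splitting the count by sensor is what separates "Barnyard never writes opt rows" from "there simply were no options on the wire".

```python
import sqlite3

# Assumed subset of the ACID/Snort database schema; only the columns the
# check needs. The real sensor table also carries filter and encoding.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
                     detail INTEGER);
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER,
                     timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER,
                     tcp_dport INTEGER, tcp_flags INTEGER,
                     PRIMARY KEY (sid, cid));
CREATE TABLE opt    (sid INTEGER, cid INTEGER, optid INTEGER,
                     opt_proto INTEGER, opt_code INTEGER, opt_len INTEGER,
                     opt_data BLOB, PRIMARY KEY (sid, cid, optid));
"""

# Constructed sample rows (not taken from any real database).
# detail=1 corresponds to "detail full" in the output line.
SENSORS = [(1, "ranger", "eth1", 1),   # stands in for the Barnyard writer
           (2, "ranger", "eth1", 1)]   # stands in for Snort logging directly
EVENTS = [(1, 1, 1000, "2005-10-04 13:00:00"),
          (1, 2, 1000, "2005-10-04 13:01:00"),
          (1, 3, 1001, "2005-10-04 13:02:00"),
          (1, 4, 1002, "2005-10-04 13:03:00"),   # UDP event, no tcphdr row
          (2, 1, 1000, "2005-10-04 13:10:00"),
          (2, 2, 1001, "2005-10-04 13:11:00")]
TCPHDRS = [(1, 1, 40000, 80, 2), (1, 2, 40001, 80, 2), (1, 3, 40002, 443, 2),
           (2, 1, 40003, 80, 2), (2, 2, 40004, 22, 2)]
# opt_proto: 0 = IP option, 6 = TCP option (assumed encoding).
OPTS = [(2, 1, 0, 0, 7, 3, b"\x07\x00\x00"),           # IP record-route, ignored
        (2, 2, 0, 6, 2, 4, b"\x05\xb4"),               # TCP MSS 1460
        (2, 2, 1, 6, 3, 3, b"\x07")]                   # TCP window scale 7

# One row per sensor: how many TCP events it logged and how many of those
# have at least one TCP option row. COUNT(DISTINCT ...) keeps the opt join
# from multiplying the event count.
DIAGNOSTIC_SQL = """
SELECT s.sid, s.hostname, s.interface, s.detail,
       COUNT(DISTINCT t.cid) AS tcp_events,
       COUNT(DISTINCT o.cid) AS tcp_events_with_opts
FROM sensor s
LEFT JOIN event  e ON e.sid = s.sid
LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
LEFT JOIN opt    o ON o.sid = t.sid AND o.cid = t.cid AND o.opt_proto = 6
GROUP BY s.sid, s.hostname, s.interface, s.detail
ORDER BY s.sid
"""


def build_sample_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensor VALUES (?,?,?,?)", SENSORS)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", EVENTS)
    conn.executemany("INSERT INTO tcphdr VALUES (?,?,?,?,?)", TCPHDRS)
    conn.executemany("INSERT INTO opt VALUES (?,?,?,?,?,?,?)", OPTS)
    conn.commit()
    return conn


def opt_coverage(conn):
    """Per-sensor tuples: (sid, hostname, interface, detail, tcp_events,
    tcp_events_with_opts)."""
    return [tuple(row) for row in conn.execute(DIAGNOSTIC_SQL)]


def sensors_missing_options(conn):
    """Sensors logging at full detail that have TCP events but no TCP option
    rows at all: the symptom described for the Barnyard writer."""
    return [row for row in opt_coverage(conn)
            if row[3] == 1 and row[4] > 0 and row[5] == 0]


if __name__ == "__main__":
    db = build_sample_db()
    for row in opt_coverage(db):
        print("sid=%d %s:%s detail=%d tcp_events=%d with_opts=%d" % row)
    for row in sensors_missing_options(db):
        print("sensor %d writes TCP events but never TCP options" % row[0])
```

Against a live MySQL instance the same DIAGNOSTIC_SQL runs unchanged through the mysql client; a sensor that shows tcp_events climbing while tcp_events_with_opts stays at zero is the one whose writer is dropping the option data, and the row's detail column confirms whether that writer registered at full detail in the first place.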
Current thread:
- Barnyard not populating opt table David Humes (Oct 05)
- Re: Barnyard not populating opt table David Humes (Oct 05)
- Re: Barnyard not populating opt table Jeff Nathan (Oct 12)
- Re: Barnyard not populating opt table David Humes (Oct 05)