Snort mailing list archives
Re: Snort + barnyard2 + BASE
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Sat, 24 Oct 2009 10:35:30 -0400
I'm having the exact same problem, but I have unified2 set as the output processor. My waldo file seems to be working, but it's not updating:

Using waldo file '/etc/snort/barnyard.waldo':
spool directory = /var/log/snort
spool filebase = snort.log
time_stamp = 1256243504
record_idx = 13

Barnyard2 is seeing that there are files to process:

Opened spool file '/var/log/snort/snort.log.1256379065'
Waiting for new data
Closing spool file '/var/log/snort/snort.log.1256379065'. Read 40 records
Opened spool file '/var/log/snort/snort.log.1256379948'
Waiting for new data
Closing spool file '/var/log/snort/snort.log.1256379948'. Read 13 records
Opened spool file '/var/log/snort/snort.log.1256380242'
Waiting for new data

But it never goes past waiting, even if the file does get updated. Restarting barnyard2 will cause new records to be read in from the snort.log file. Barnyard does update the spool file that's being watched when snort is restarted.

I tried adding syslog to barnyard just to separate mysql issues from barnyard, but barnyard2 doesn't send syslog updates either... and I believe my syslog output is set correctly, because I get "database: using the "alert" facility" when I start barnyard2. Here is my syslog output entry:

output alert_syslog:

-----Original Message-----
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Tuesday, September 22, 2009 12:21 PM
To: James Chase; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort + barnyard2 + BASE

Hi,

You should use the unified2 output preprocessor in Snort.

-- Shawn

-----Original Message-----
From: James Chase [mailto:james () mandala-designs com]
Sent: Tuesday, September 22, 2009 8:47 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort + barnyard2 + BASE

Hi,

I have successfully set up snort/barnyard/base before, but I am now setting up a new sensor using barnyard2. I was able to confirm that everything is working by using barnyard, but when I try to use barnyard2, I do not see any new events added via BASE.

Here is my output in snort.conf:

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

and I am running snort like so:

/usr/sbin/snort -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

Here is my setup in barnyard2.conf:

input unified2
output database: log, mysql, user=snort password=password dbname=snort host=localhost
output database: alert, mysql, user=snort password=password dbname=snort host=localhost
## I did just have log, but when it wasn't working, I decided to try it with this output as well, like in barnyard(1).

running barnyard2 with these options:

/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D

I do not think the waldo file is working correctly, but that just tells barnyard2 where to start, right? When barnyard2 starts up it sees the files but does not read any records from them, and BASE does not show any new alerts. I've banged my head for a while but am sure I missed something very simple?

James

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

**DISCLAIMER This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.
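Two mechanisms drive this thread: the spool format Snort writes (barnyard2's `input unified2` reads unified2 spool files, and James's `alert_unified`/`log_unified` lines in snort.conf write the older unified format, which is why Shawn points him at the unified2 output), and the waldo bookmark barnyard2 prints at startup (spool filebase, time_stamp, record_idx). The Python below is an added example, not code from the thread or from the Snort or barnyard2 projects. It flags legacy unified output lines in a snort.conf and models how a unified2 consumer resumes from such a bookmark over constructed in-memory spool files. Only the unified2 record framing (a 4-byte type and a 4-byte length in network byte order, then the payload) is taken from the real format. The waldo is passed as a dict rather than in barnyard2's on-disk layout, record_idx is treated as the count of records already consumed from the bookmarked file, and the record payloads are placeholders rather than event structures; all three are assumptions made for the example.

```python
"""Added example, not from the thread or from Snort/barnyard2 (see lead-in)."""
import re
import struct
from typing import Dict, Iterator, List, Optional, Tuple

# unified2 record framing: 4-byte record type and 4-byte payload length,
# both in network byte order, followed by `length` bytes of payload.
RECORD_HEADER = struct.Struct("!II")
UNIFIED2_IDS_EVENT = 7  # record type used for the constructed records below

# Snort 2 output lines that write the older unified (v1) spool format,
# which barnyard2's `input unified2` does not consume.
LEGACY_UNIFIED = re.compile(r"^\s*output\s+(alert_unified|log_unified)\s*:")


def legacy_unified_outputs(snort_conf: str) -> List[str]:
    """Return the snort.conf output lines that still use the pre-unified2 plugins."""
    return [ln.strip() for ln in snort_conf.splitlines() if LEGACY_UNIFIED.match(ln)]


def pack_record(rtype: int, payload: bytes) -> bytes:
    """Frame one unified2 record; used here only to build the constructed spool."""
    return RECORD_HEADER.pack(rtype, len(payload)) + payload


def iter_records(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (index, type, payload) for every complete record in a spool buffer.

    A trailing partial record is left unread: the writer may still be
    appending it, which is the state a reader reports as waiting for new data.
    """
    off, idx = 0, 0
    while off + RECORD_HEADER.size <= len(data):
        rtype, length = RECORD_HEADER.unpack_from(data, off)
        end = off + RECORD_HEADER.size + length
        if end > len(data):
            break
        yield idx, rtype, data[off + RECORD_HEADER.size:end]
        idx += 1
        off = end


def spool_timestamp(name: str, filebase: str) -> Optional[int]:
    """Epoch suffix of a '<filebase>.<timestamp>' spool name, or None for other files."""
    m = re.fullmatch(re.escape(filebase) + r"\.(\d+)", name)
    return int(m.group(1)) if m else None


def resume_from_waldo(
    spool: Dict[str, bytes], waldo: Dict[str, object]
) -> Tuple[List[Tuple[str, int, int]], Dict[str, object]]:
    """Process every record after the bookmark; return (processed, advanced bookmark).

    `waldo` carries the fields barnyard2 prints at startup: filebase, time_stamp
    (suffix of the file last read) and record_idx.  Assumption for this example:
    record_idx counts records already consumed from that file, so reading resumes
    at that index, and files with an older suffix are skipped entirely.
    """
    filebase = str(waldo["filebase"])
    ts_done = int(waldo.get("time_stamp", 0))
    idx_done = int(waldo.get("record_idx", 0))
    candidates = []
    for name in spool:
        ts = spool_timestamp(name, filebase)
        if ts is not None and ts >= ts_done:
            candidates.append((ts, name))
    candidates.sort()

    processed: List[Tuple[str, int, int]] = []
    new_waldo = dict(waldo)
    for ts, name in candidates:
        skip = idx_done if ts == ts_done else 0
        consumed = skip
        for idx, rtype, _payload in iter_records(spool[name]):
            if idx < skip:
                continue
            processed.append((name, idx, rtype))
            consumed = idx + 1
        # The bookmark moves to this file even if it held nothing new yet.
        new_waldo["time_stamp"], new_waldo["record_idx"] = ts, consumed
    return processed, new_waldo


# Constructed spool data named like the files in the thread's log; the
# payloads are placeholders, not real unified2 event structures.
SPOOL: Dict[str, bytes] = {
    "snort.log.1256379065": b"".join(pack_record(UNIFIED2_IDS_EVENT, b"ev%d" % i) for i in range(3)),
    "snort.log.1256379948": b"".join(pack_record(UNIFIED2_IDS_EVENT, b"ev%d" % i) for i in range(2)),
    # one complete record, then a header whose 64-byte payload is not flushed yet
    "snort.log.1256380242": pack_record(UNIFIED2_IDS_EVENT, b"ev0")
    + RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, 64) + b"partial",
    "snort.log.1256243504.bak": b"not a spool file",
}
# Bookmark in the shape barnyard2 prints it: two records of the first file done.
WALDO: Dict[str, object] = {"filebase": "snort.log", "time_stamp": 1256379065, "record_idx": 2}
# James's snort.conf output lines from the thread.
SNORT_CONF = (
    "output alert_unified: filename snort.alert, limit 128\n"
    "output log_unified: filename snort.log, limit 128\n"
)

if __name__ == "__main__":
    for line in legacy_unified_outputs(SNORT_CONF):
        print("legacy unified output, not readable by `input unified2`:", line)
    done, bookmark = resume_from_waldo(SPOOL, WALDO)
    for name, idx, rtype in done:
        print(f"{name}: record {idx} (type {rtype})")
    print("advanced bookmark:", bookmark)
```

Run stand-alone, it lists both of James's output lines as legacy, replays the one record after the bookmark in the first file and everything in the two later files, and advances the bookmark to the newest file with one record consumed; the unfinished trailing record in that file is left for the next pass, which is the point at which a real reader sits in the "Waiting for new data" state Jerry's log shows.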
Current thread:
- Re: Snort + barnyard2 + BASE Shenk, Jerry A (Oct 24)
- Re: Snort + barnyard2 + BASE Paul Schmehl (Oct 24)
- Re: Snort + barnyard2 + BASE Shenk, Jerry A (Oct 24)
- Re: Snort + barnyard2 + BASE Paul Schmehl (Oct 24)
- Re: Snort + barnyard2 + BASE Shenk, Jerry A (Oct 24)
- <Possible follow-ups>
- Re: Snort + barnyard2 + BASE Shenk, Jerry A (Oct 24)
- Re: Snort + barnyard2 + BASE Paul Schmehl (Oct 24)
- Re: Snort + barnyard2 + BASE Shenk, Jerry A (Oct 24)
- Re: Snort + barnyard2 + BASE firnsy (Oct 24)
- Re: Snort + barnyard2 + BASE Shenk, Jerry A (Oct 24)
- Re: Snort + barnyard2 + BASE firnsy (Oct 24)
- Re: Snort + barnyard2 + BASE Shenk, Jerry A (Oct 25)
- Re: Snort + barnyard2 + BASE Paul Schmehl (Oct 24)
- Re: Snort + barnyard2 + BASE Paul Schmehl (Oct 24)