Snort mailing list archives
Re: Snort + barnyard2 + BASE
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Sat, 24 Oct 2009 14:35:36 -0400
I just upgraded to barnyard2 1.7 beta 4 (I was on 1.6). I had to work through a few settings in the barnyard2.conf file as they don't quite match the comments. I also had to create a /var/log/barnyard2 but no log file is showing up there. Here's what my barnyard2.conf file has now:

config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
config interface: eth1
input unified2
output alert_syslog:
output database: alert, mysql, user=snort password=password dbname=snort host=localhost

-----Original Message-----
From: Paul Schmehl [mailto:pschmehl_lists () tx rr com]
Sent: Saturday, October 24, 2009 2:00 PM
To: Shenk, Jerry A; snort-users () lists sourceforge net; James Chase
Subject: Re: [Snort-users] Snort + barnyard2 + BASE

First of all, if either of you are using barnyard2 version 1.6, you need to upgrade to the 1.7.3 beta. 1.6 does not correctly parse and use the waldo file, so every time you restart barnyard, it rereads all the existing log files and reinserts those records into the database.

Jerry and James, how about posting your barnyard2.conf file. That appears to be where the problem is. A typical file should look like this:

********begin barnyard2.conf file*************
config reference-map: /usr/local/etc/snort/reference.config
config class-map: /usr/local/etc/snort/classification.config
config gen-msg-map: /usr/local/etc/snort/gen-msg.map
config sid-msg-map: /usr/local/etc/snort/sid-msg.map
config hostname: myserver
config interface: eth1
# Step 2: setup the input plugins
input unified2
output database: log, mysql, user=user password=password dbname=snort host=localhost
*********end barnyard2.conf file***************

The config settings eliminate the need to call those files from the commandline at startup, as you are doing James.

-G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map

I note that you are not defining the classification.config file or the reference.config file on the commandline. That may be why you're not seeing any output.

You can run barnyard2 -T to test your setup and see if there are errors, and you can add -v for more verbose output. Running this should tell you if something is wrong.

barnyard2 -d /var/log/snort/ -f snort.u2 -w /var/log/snort/waldo.file -c /usr/local/etc/barnyard2.conf -T

If you want to save the output just redirect it to a file.

--On October 24, 2009 9:35:30 AM -0500 "Shenk, Jerry A" <jshenk () decommunications com> wrote:
I'm having the exact same problem but I have unified2 set as the output processor. My waldo file seems to be working but it's not updating:

Using waldo file '/etc/snort/barnyard.waldo':
    spool directory = /var/log/snort
    spool filebase = snort.log
    time_stamp = 1256243504
    record_idx = 13

Barnyard2 is seeing that there are files to process:

Opened spool file '/var/log/snort/snort.log.1256379065'
Waiting for new data
Closing spool file '/var/log/snort/snort.log.1256379065'. Read 40 records
Opened spool file '/var/log/snort/snort.log.1256379948'
Waiting for new data
Closing spool file '/var/log/snort/snort.log.1256379948'. Read 13 records
Opened spool file '/var/log/snort/snort.log.1256380242'
Waiting for new data

But, it never goes past waiting even if the file does get updated. Restarting barnyard2 will cause new records to be read in from the snort.log file. Barnyard does update the spool file that's being watched when snort is restarted. I tried adding syslog to barnyard just to separate mysql issues from barnyard but barnyard2 doesn't send syslog updates either...and I believe my syslog output is set correctly because I get "database: using the "alert" facility" when I start barnyard2. Here is my syslog output entry:

output alert_syslog:

-----Original Message-----
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Tuesday, September 22, 2009 12:21 PM
To: James Chase; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort + barnyard2 + BASE

Hi,

You should use the unified2 output preprocessor in Snort.

-- Shawn

-----Original Message-----
From: James Chase [mailto:james () mandala-designs com]
Sent: Tuesday, September 22, 2009 8:47 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort + barnyard2 + BASE

Hi,

I have successfully set up snort/barnyard/base before but I am now setting up a new sensor using barnyard2. I was able to confirm that everything is working by using barnyard but when I try and use barnyard2, I do not see any new events added via BASE. Here is my output in snort.conf:

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

and I am running snort like so:

/usr/sbin/snort -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

Here is my setup in barnyard2.conf:

input unified2
output database: log, mysql, user=snort password=password dbname=snort host=localhost
output database: alert, mysql, user=snort password=password dbname=snort host=localhost
##I did just have log, but when it wasn't working, I decided to try it with this output as well, like in barnyard(1).

running barnyard2 with these options:

/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D

I do not think the waldo file is working correctly, but that just tells barnyard2 where to start, right? When barnyard2 starts up it sees the files but does not read any records from them and BASE does not show any new alerts. I've banged my head for a while but am sure I missed something very simple?

James
------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.
Paul Schmehl, If it isn't already obvious,
my opinions are my own and not those
of my employer.
******************************************
WARNING: Check the headers before replying
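The thread turns on what barnyard2 is actually doing with the spool: "Read 40 records", a waldo whose record_idx points into the current spool file, and a reader that sits in "Waiting for new data". The following is an added example (not code from this thread, from Snort or from barnyard2) that walks a unified2 byte stream the way a spooler has to: it frames records by the two network-order uint32 header fields (type, length), skips the records already accounted for by a waldo-style record index, and stops cleanly at a partial record that Snort has not finished writing. The framing and the 52-byte layout of the legacy IDS event record (type 7) are the documented unified2 format; the packet record (type 2) is parsed only for its header. The spool itself is constructed inline with made-up sensor, event, SID and IP values so the script runs offline, and the `start_idx` argument is this example's stand-in for the waldo's record_idx, not barnyard2's own API.

```python
"""Minimal unified2 spool reader with waldo-style resume (added example)."""
import struct

UNIFIED2_PACKET = 2      # Serial_Unified2Packet
UNIFIED2_IDS_EVENT = 7   # Serial_Unified2IDSEvent_legacy

# Every record: type and length, both big-endian uint32, then `length` bytes.
HDR = struct.Struct("!II")
# Legacy IDS event body (52 bytes): sensor_id, event_id, event_second,
# event_microsecond, signature_id, generator_id, signature_revision,
# classification_id, priority_id, ip_source, ip_destination (uint32 x 11),
# sport_itype, dport_icode (uint16 x 2), protocol, impact_flag, impact,
# blocked (uint8 x 4).
IDS_EVENT = struct.Struct("!" + "I" * 11 + "HHBBBB")
# Packet record header (28 bytes): sensor_id, event_id, event_second,
# packet_second, packet_microsecond, linktype, packet_length; packet follows.
PACKET_HDR = struct.Struct("!" + "I" * 7)


def build_ids_event(event_id, sid, gid=1, rev=1, sport=12345, dport=80):
    """Constructed type-7 record; addresses and timestamps are made up."""
    body = IDS_EVENT.pack(
        0, event_id, 1256380242, 0,   # sensor_id, event_id, sec, usec
        sid, gid, rev, 1, 2,          # sid, gid, rev, class, priority
        0x0A000001, 0x0A000002,       # 10.0.0.1 -> 10.0.0.2
        sport, dport,
        6, 0, 0, 0,                   # TCP; impact_flag, impact, blocked
    )
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(event_id, payload):
    """Constructed type-2 record carrying `payload` as the captured packet."""
    body = PACKET_HDR.pack(0, event_id, 1256380242, 1256380242, 0, 1,
                           len(payload)) + payload
    return HDR.pack(UNIFIED2_PACKET, len(body)) + body


def iter_records(data, start_idx=0):
    """Yield (record_idx, type, payload) from a unified2 byte string.

    Records before `start_idx` are skipped, mirroring how a waldo's
    record_idx lets a restarted reader resume a spool file without
    re-emitting events it already processed. A trailing record whose
    length field runs past the end of the data is treated as "still
    being written" and is not yielded; re-read once more bytes arrive.
    """
    off, idx = 0, 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        if off + HDR.size + rlen > len(data):
            break  # incomplete record at tail of file
        if idx >= start_idx:
            yield idx, rtype, data[off + HDR.size: off + HDR.size + rlen]
        off += HDR.size + rlen
        idx += 1


def summarize(data, start_idx=0):
    """Return (records_read, [(gid, sid, rev), ...]) for one spool file."""
    sigs, n = [], 0
    for _idx, rtype, payload in iter_records(data, start_idx):
        n += 1
        if rtype == UNIFIED2_IDS_EVENT and len(payload) == IDS_EVENT.size:
            f = IDS_EVENT.unpack(payload)
            sigs.append((f[5], f[4], f[6]))   # generator_id, signature_id, rev
    return n, sigs


# Constructed spool: three events and one packet record (four records).
SPOOL = b"".join([
    build_ids_event(1, sid=1000001),
    build_packet(1, b"\x45\x00" + b"\x00" * 18),
    build_ids_event(2, sid=2000002, rev=3),
    build_ids_event(3, sid=3, gid=119),       # preprocessor-style gid
])
# Same spool with a half-written event appended (header claims 52 bytes).
TRUNCATED_SPOOL = SPOOL + HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + b"\x00" * 10

if __name__ == "__main__":
    count, sigs = summarize(SPOOL)
    print("Read %d records; signatures: %s" % (count, sigs))
    print("Resumed at record_idx 2: %s" % (summarize(SPOOL, start_idx=2),))
    print("Truncated tail ignored: %s" % (summarize(TRUNCATED_SPOOL),))
```

Point it at a real spool (`open(path, "rb").read()`) and the record count should match barnyard2's "Read N records" line for that file; if the count stops short while Snort is still writing, the last header is exactly the partial record the reader is waiting on.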
Current thread:
- Re: Snort + barnyard2 + BASE Shenk, Jerry A (Oct 24)
- Re: Snort + barnyard2 + BASE Paul Schmehl (Oct 24)
- Re: Snort + barnyard2 + BASE Shenk, Jerry A (Oct 24)
- Re: Snort + barnyard2 + BASE Paul Schmehl (Oct 24)
- Re: Snort + barnyard2 + BASE Shenk, Jerry A (Oct 24)
- <Possible follow-ups>
- Re: Snort + barnyard2 + BASE Shenk, Jerry A (Oct 24)
- Re: Snort + barnyard2 + BASE Paul Schmehl (Oct 24)
- Re: Snort + barnyard2 + BASE Shenk, Jerry A (Oct 24)
- Re: Snort + barnyard2 + BASE firnsy (Oct 24)
- Re: Snort + barnyard2 + BASE Shenk, Jerry A (Oct 24)
- Re: Snort + barnyard2 + BASE firnsy (Oct 24)
- Re: Snort + barnyard2 + BASE Shenk, Jerry A (Oct 25)
- Re: Snort + barnyard2 + BASE firnsy (Oct 25)
- Re: Snort + barnyard2 + BASE Shenk, Jerry A (Oct 25)
- Re: Snort + barnyard2 + BASE Paul Schmehl (Oct 24)
- Re: Snort + barnyard2 + BASE Paul Schmehl (Oct 24)