Snort mailing list archives
Re: Barnyard2 startup issue
From: "Aycock, Jeff R." <JEFF.R.AYCOCK () saic com>
Date: Fri, 22 Jul 2011 11:46:33 -0400
Thanks, James. I did the mods and ran Barnyard2 again with another error, this time with mysql not being able to find the socket file:

    [root@10 ~]# Running in Continuous mode
    --== Initializing Barnyard2 ==--
    Initializing Input Plugins!
    Initializing Output Plugins!
    Parsing config file "/etc/snort/barnyard2.conf"
    Log directory = /var/log/barnyard2
    sguil: sensor name = sensor
    sguil: agent port = 7735
    sguil: Connected to localhost on 7735.
    sguil: Waiting for sid and cid from sensor_agent.
    sguil: sensor ID = 4
    sguil: last cid = 0
    Node unique name is: sensor:eth0
    ERROR: database: mysql_error: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)
    Fatal Error, Quitting..

The socket file is located in /var/lib/mysql, so I guess my next question is how do I direct Barnyard to look for this file instead of /tmp/mysql.sock, which does not exist on this box? Is there anything in the conf file that will do that? The my.cnf file is showing the correct location of the socket file for the mysql client.

I checked to see if MySQL is running:

    [root@10 ~]# service mysqld status
    mysqld.service - SYSV: MySQL database server.
              Loaded: loaded (/etc/rc.d/init.d/mysqld)
              Active: active (running) since Fri, 22 Jul 2011 09:16:35 -0400; 2h 25min ago
             Process: 1010 ExecStart=/etc/rc.d/init.d/mysqld start (code=exited, status=0/SUCCESS)
            Main PID: 1257 (mysqld)
              CGroup: name=systemd:/system/mysqld.service
                      ├ 1049 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --pid-file=/var/run/mysqld/mysqld.pid --basedir=/usr --us...
                      └ 1257 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --user=mysql --log-error=/var/log/mysqld.log --pi...
    [root@10 ~]#

Am I missing something here?

Thanks,
Jeff

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Friday, July 22, 2011 9:00 AM
To: Aycock, Jeff R.; Snort
Subject: Re: [Snort-users] Barnyard2 startup issue

From: "Aycock, Jeff R." <JEFF.R.AYCOCK () saic com>
Date: Fri, 22 Jul 2011 08:06:17 -0400
To: Snort <snort-users () lists sourceforge net>
Subject: [Snort-users] Barnyard2 startup issue

    Running in Continuous mode
    --== Initializing Barnyard2 ==--
    Initializing Input Plugins!
    Initializing Output Plugins!
    Parsing config file "/etc/snort/barnyard2.conf"
    ...
    sguil: Connected to localhost on 7735.
    ERROR: Connecton closed by client
    sguil: Connected to localhost on 7735.
    ERROR: Connecton closed by client
    sguil: Connected to localhost on 7735.
    ERROR: Connecton closed by client
    ...

Jeff,

As much as I appreciated Sguil's desire to go under a different user and what not, just for testing this thing out it seemed like it took over my already installed snort. Here's what I did to get (limited) success:

Created dir /opt/bin/sguil and slapped all the executable scripts there.
Created dir /opt/etc/sguild and put all the sguild.* config files as well as the certs and lib dir, and autocat.conf.
Created dir /opt/etc/sguild_agents and put all the agent conf files in there.

    sguild:
    total 64
    -rw-r--r-- 1 root root  2167 2011-07-09 09:18 autocat.conf
    drwxr-xr-x 2 root root  4096 2011-07-09 14:35 certs
    drwxr-xr-x 2 root root  4096 2011-07-09 14:45 lib
    -rwxr-xr-x 1 root root 27498 2011-07-09 09:18 sguild
    -rw-r--r-- 1 root root  1286 2011-07-09 09:18 sguild.access
    -rw-r--r-- 1 root root  2669 2011-07-12 18:44 sguild.conf
    -rw-r--r-- 1 root root  2992 2011-07-09 09:18 sguild.email
    -rw-r--r-- 1 root root   789 2011-07-09 09:18 sguild.queries
    -rw-r--r-- 1 root root  2992 2011-07-09 09:18 sguild.reports
    -rw-r--r-- 1 root root   344 2011-07-09 09:18 sguild.users

    sguild_agents:
    total 28
    -rw-r--r-- 1 root root   761 2011-07-10 08:38 example_agent.conf
    -rw-r--r-- 1 root root   961 2011-07-10 08:38 pads_agent.conf
    -rw-r--r-- 1 root root  1661 2011-07-10 08:38 pcap_agent.conf
    -rw-r--r-- 1 root root  1839 2011-07-10 08:38 pcap_agent-sancp.conf
    -rw-r--r-- 1 root root  1279 2011-07-10 08:38 sancp_agent.conf
    -rw-r--r-- 1 root root   896 2011-07-10 08:38 sancp-indexed.conf
    -rw-r--r-- 1 root root  1676 2011-07-12 19:01 snort_agent.conf

I'd run all these in separate consoles in the foreground so you can see what's going on. Change dirs to suit your needs:

    sudo /opt/bin/snort -i eth1 -c /opt/etc/snort/sguilsnort.conf
    sudo /opt/bin/sguil/sguild -c /opt/etc/snort/sguild/sguild.conf -C /opt/etc/snort/sguild/certs -a /opt/etc/snort/sguild/autocat.conf -g /opt/etc/snort/sguild/sguild.queries -A /opt/etc/snort/sguild/sguild.access
    sudo /opt/bin/sguil/snort_agent.tcl -c /opt/etc/snort/sguild_agents/snort_agent.conf
    sudo barnyard2 -c /opt/etc/snort/barnyard2.conf -d /var/log/snort -f sguil.u2 -w /var/log/snort/sguil.waldo

Sguild.conf:

    set SGUILD_LIB_PATH /opt/etc/snort/sguild/lib
    set DEBUG 2
    set DAEMON 0
    set SYSLOGFACILITY daemon
    set SENSOR_AGGREGATION_ON 1
    set SERVERPORT 7734
    set SENSORPORT 7736
    set RULESDIR /opt/etc/snort/rules
    set TMPDATADIR /tmp
    set DBNAME sguildb
    set DBPASS "yourpass"
    set DBHOST localhost
    set DBPORT 3306
    set DBUSER sguil
    set LOCAL_LOG_DIR /var/log/snort/sguild_archive
    set TMP_LOAD_DIR /tmp/load
    set TCPFLOW "/usr/bin/tcpflow"
    set P0F 1
    set P0F_PATH "/usr/sbin/p0f"

sguild_agent.conf:

    set DEBUG 1
    set DAEMON 0
    set SERVER_HOST localhost
    set SERVER_PORT 7736
    set BY_PORT 7735
    set HOSTNAME gateway
    set NET_GROUP Ext_Net
    set LOG_DIR /var/log/snort
    set PORTSCAN 0
    set PORTSCAN_DIR ${LOG_DIR}/portscans
    set SNORT_PERF_STATS 1
    set SNORT_PERF_FILE "${LOG_DIR}/snort.stats"
    set WATCH_DIR ${LOG_DIR}
    set PS_CHECK_DELAY_IN_MSECS 10000
    set DISK_CHECK_DELAY_IN_MSECS 1800000
    set PING_DELAY 300000

barnyard2.conf:

    config reference_file: /opt/etc/snort/reference.config
    config classification_file: /opt/etc/snort/classification.config
    config gen_file: /opt/etc/snort/gen-msg.map
    config sid_file: /opt/etc/snort/sid-msg.map
    config hostname: gateway
    config interface: eth1
    input unified2
    output alert_fast: stdout
    output sguil: agent_port=7735, sensor_name=gateway

Sguilsnort.conf areas pertaining to sguil:

    preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000
    output alert_syslog: LOG_AUTH LOG_ALERT
    output alert_fast: /var/log/snort/sguil.fast
    output log_tcpdump: /var/log/snort/sguil.pcap
    output unified2: filename /var/log/snort/sguil.u2

Alas, even after the amazing PITA it was to have to manually compile all the tcl stuff (Ubuntu's tcl packages are all threaded, which sguil isn't) I still don't really run it.... the tcl interface on a 2.93 GHz Intel Core i7 Mac runs slow as dirt.

Good luck!

James
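The socket error in Jeff's message comes from the MySQL client library inside barnyard2, not from barnyard2.conf: libmysqlclient opens the socket named under [client] in my.cnf and otherwise falls back to its built-in /tmp/mysql.sock. The following preflight check is an added example, not code from the thread or from Barnyard2; it reads the socket mysqld really uses from its command line (as shown by "service mysqld status") and compares it with what a client will try. The command line and my.cnf below are constructed; the my.cnf carries socket= only under [mysqld], a common reason for exactly this error.

```shell
#!/bin/sh
# Added example (not from the thread): compare the socket mysqld listens on
# (from its command line) with the socket a MySQL client such as barnyard2's
# database output plugin will open: socket= under [client] in my.cnf, else
# libmysqlclient's built-in /tmp/mysql.sock. Inputs below are constructed.

SERVER_CMDLINE='/usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --pid-file=/var/run/mysqld/mysqld.pid'
MYCNF=$(mktemp)
cat >"$MYCNF" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

[client]
port=3306
EOF

# server_socket CMDLINE -> value of --socket= on the mysqld(_safe) command line, or empty
server_socket() { printf '%s\n' "$1" | sed -n 's/.*--socket=\([^ ]*\).*/\1/p'; }

# cnf_socket FILE SECTION -> socket= value inside [SECTION], or empty if unset
cnf_socket() {
  awk -v want="$2" '
    /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); sec = $0; next }
    sec == want && sub(/^[ \t]*socket[ \t]*=[ \t]*/, "") { print; exit }' "$1"
}

# client_socket FILE -> the path a client linked against libmysqlclient will try
client_socket() {
  s=$(cnf_socket "$1" client)
  [ -n "$s" ] && echo "$s" || echo /tmp/mysql.sock
}

# check_socket CMDLINE FILE -> 0 when client and server agree, 1 on a mismatch
check_socket() {
  srv=$(server_socket "$1"); cli=$(client_socket "$2")
  [ -n "$srv" ] || { echo "no --socket= on the mysqld command line; cannot compare"; return 2; }
  if [ "$srv" = "$cli" ]; then echo "ok: server and clients both use $srv"; return 0; fi
  echo "mismatch: mysqld listens on $srv but clients will try $cli"
  echo "fix: put socket=$srv under [client] in $2 (or export MYSQL_UNIX_PORT=$srv before starting barnyard2)"
  return 1
}

check_socket "$SERVER_CMDLINE" "$MYCNF" || true   # reports the mismatch on the constructed input
```

On a real box, replace SERVER_CMDLINE with the mysqld_safe line from "service mysqld status" (or ps) and MYCNF with /etc/my.cnf.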
Current thread:
- Barnyard2 startup issue Aycock, Jeff R. (Jul 22)
- Re: Barnyard2 startup issue James Lay (Jul 22)
- Re: Barnyard2 startup issue Aycock, Jeff R. (Jul 22)
- Re: Barnyard2 startup issue Lay, James (Jul 22)
- Re: Barnyard2 startup issue beenph (Jul 22)
- Re: Barnyard2 startup issue Aycock, Jeff R. (Jul 22)
- Re: Barnyard2 startup issue James Lay (Jul 22)