Snort mailing list archives
Re: Barnyard2 not writting to Mysql snorby DB
From: Michael Green <Michael.Green () gbst com>
Date: Tue, 5 Jun 2012 05:28:51 +0000
Jan

Yes I have alerts. I can see that because /var/log/snort/alert has alerts listed and /var/log/snort/p1p1/snort.log.1338857440 is growing.

Regards,
Michael

From: Jan Seidl [mailto:lists () heavyworks net]
Sent: Tuesday, 5 June 2012 3:22 PM
To: Michael Green
Subject: Re: [Snort-users] Barnyard2 not writting to Mysql snorby DB

Michael,

Have you got any rules enabled? Did you make any action that could trigger an event? Under normal (safe) traffic, it is normal to have no events.

On 06/05/2012 01:17 AM, Michael Green wrote:

Hi

I’ve just configured snort Version 2.9.2.3 in a test environment in preparation for upgrading my production server. I have it configured for unified2 output and have barnyard2 configured to output to mysql:

## /etc/snort/p1p1/barnyard2.conf
output database: log, mysql, user=xxx password=password dbname=snorby host=127.0.0.1 port=3306

My snort start command:

/usr/local/bin/snort -u snort -g snort -i p1p1 -c /etc/snort/p1p1/snort.conf -D

My barnyard2 start command:

/usr/local/bin/barnyard2 -c /etc/snort/p1p1/barnyard2.conf -u snort -g snort -d /var/log/snort/p1p1 -f snort.log -w /var/log/snort/p1p1/waldo -D

Snort is alerting:

New-ids 13:37:02 /var/log/snort/p1p1 root # ls -la /var/log/snort/p1p1
total 24
drwxr-xr-x. 2 snort snort 4096 Jun 5 11:05 .
drwxr-xr-x. 3 snort snort 4096 Jun 1 14:34 ..
-rw-------. 1 snort snort 96 Jun 5 10:18 snort.log.1338854746
-rw-------. 1 snort snort 8011 Jun 5 12:43 snort.log.1338857440
-rw-r--r--. 1 snort snort 2056 Jun 5 12:43 waldo

And Barnyard2 is seeing the alerts. Relevant section from /var/log/messages follows:

Jun 5 11:14:30 New-ids barnyard2[1995]: database: using the "log" facility
Jun 5 11:14:30 New-ids barnyard2[1995]:
Jun 5 11:14:30 New-ids barnyard2[1995]: --== Initialization Complete ==--
Jun 5 11:14:30 New-ids barnyard2[1995]: Barnyard2 initialization completed successfully (pid=1995)
Jun 5 11:14:30 New-ids barnyard2[1995]: Using waldo file '/var/log/snort/p1p1/waldo':#012 spool directory = /var/log/snort/p1p1#012 spool filebase = snort.log#012 time_stamp = 1338857440#012 record_idx = 0
Jun 5 11:14:30 New-ids barnyard2[1995]: Opened spool file '/var/log/snort/p1p1/snort.log.1338857440'
Jun 5 11:14:30 New-ids barnyard2[1995]: Waiting for new data

But nothing is being written to my mysql snorby DB? I can log into mysql using the required credentials

mysql -u xxx -p snorby

but nothing is written.

mysql> select * from event;
Empty set (0.00 sec)

I’m now lost, and would appreciate some guidance. What should I do next?

Regards,
Michael

________________________________
Michael Green | Senior Network Engineer | GBST

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and / or privileged material that may be governed by confidential information provisions contained in the agreement between GBST and your company. Any disclosure, copying, distribution, or other use without the express consent of the sender is prohibited. If you received this in error, please contact the sender and delete the material from any computer. All rights in the information transmitted, including copyright, are reserved. Nothing in this message should be interpreted as a digital signature that can be used to authenticate a document. No warranty is given by the sender that any attachments to this email are free from viruses or other defects.
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
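Added example, not part of the original messages and not barnyard2's own code: a small Python check that reads a waldo bookmark and walks a unified2 spool file, to show how many records sit past the bookmark. The layouts are assumptions: a waldo of two 1024-byte strings plus two 32-bit integers (which matches the 2056-byte waldo in the listing above) and an 8-byte big-endian type/length header per unified2 record. The sample bytes are constructed.

```python
import struct
from collections import Counter

# Assumed layouts (not stated in the thread): waldo = two NUL-padded 1024-byte
# strings + two native-endian uint32; unified2 header = big-endian type, length.
WALDO = struct.Struct("=1024s1024sII")
U2_HEADER = struct.Struct(">II")
U2_TYPES = {2: "packet", 7: "event", 72: "event_ipv6",
            104: "event_vlan", 105: "event_ipv6_vlan", 110: "extra_data"}

def parse_waldo(blob):
    """Decode the bookmark barnyard2 keeps for its current spool file."""
    if len(blob) != WALDO.size:
        raise ValueError(f"waldo is {len(blob)} bytes, expected {WALDO.size}")
    spool_dir, filebase, time_stamp, record_idx = WALDO.unpack(blob)
    text = lambda raw: raw.split(b"\0", 1)[0].decode("utf-8", "replace")
    return {"spool_dir": text(spool_dir), "filebase": text(filebase),
            "time_stamp": time_stamp, "record_idx": record_idx}

def count_records(blob):
    """Walk the record headers and count complete records by type."""
    counts, offset = Counter(), 0
    while offset < len(blob):
        if len(blob) - offset < U2_HEADER.size:
            counts["truncated"] += 1          # partial header at end of file
            break
        rtype, length = U2_HEADER.unpack_from(blob, offset)
        end = offset + U2_HEADER.size + length
        if end > len(blob):
            counts["truncated"] += 1          # record still being written
            break
        counts[U2_TYPES.get(rtype, f"type_{rtype}")] += 1
        offset = end
    return counts

def spool_status(waldo_blob, spool_blob):
    """Compare the bookmark with what the spool file actually holds."""
    waldo = parse_waldo(waldo_blob)
    counts = count_records(spool_blob)
    complete = sum(n for name, n in counts.items() if name != "truncated")
    return {"waldo": waldo, "counts": dict(counts),
            "unprocessed": max(complete - waldo["record_idx"], 0)}

# Constructed sample: bookmark at record 0, spool holding one event + one packet.
SAMPLE_WALDO = WALDO.pack(b"/var/log/snort/p1p1", b"snort.log", 1338857440, 0)
SAMPLE_SPOOL = (U2_HEADER.pack(104, 60) + bytes(60) +
                U2_HEADER.pack(2, 40) + bytes(40))

if __name__ == "__main__":
    print(spool_status(SAMPLE_WALDO, SAMPLE_SPOOL))
```

Against real files, pass the bytes of the waldo and of the spool file named `<filebase>.<time_stamp>`; run it as a user that can read the spool directory.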
Current thread:
- Barnyard2 not writting to Mysql snorby DB Michael Green (Jun 04)
- Message not available
- Re: Barnyard2 not writting to Mysql snorby DB Michael Green (Jun 04)
- Message not available