Snort mailing list archives

Re: Snort-users Digest, Vol 73, Issue 4


From: Michael Green <Michael.Green () gbst com>
Date: Wed, 6 Jun 2012 04:19:05 +0000

Pete

The mysql user is root and it is configured in my barnyard2.conf. I tried blowing away my waldo file and restarting barnyard.

      Jun  6 09:35:23 New-ids barnyard2[19072]:         --== Initializing Barnyard2 ==--
      Jun  6 09:35:23 New-ids barnyard2[19072]: Initializing Input Plugins!
      Jun  6 09:35:23 New-ids barnyard2[19072]: Initializing Output Plugins!
      Jun  6 09:35:23 New-ids barnyard2[19072]: Parsing config file "/etc/snort/p1p1/barnyard2.conf"
      Jun  6 09:35:28 New-ids barnyard2[19072]: Log directory = /var/log/snort/p1p1
      Jun  6 09:35:28 New-ids barnyard2[19072]: Initializing daemon mode
      Jun  6 09:35:28 New-ids barnyard2[19072]: Daemon parent exiting
      Jun  6 09:35:28 New-ids barnyard2[19074]: Daemon initialized, signaled parent pid: 19072
      Jun  6 09:35:28 New-ids barnyard2[19074]: PID path stat checked out ok, PID path set to /var/run/
      Jun  6 09:35:28 New-ids barnyard2[19074]: Writing PID "19074" to file "/var/run//barnyard2_p1p1.pid"
      Jun  6 09:35:28 New-ids barnyard2[19074]: Last event seen for sid 1 was 0
      Jun  6 09:35:28 New-ids barnyard2[19074]: database: compiled support for (mysql)
      Jun  6 09:35:28 New-ids barnyard2[19074]: database: configured to use mysql
      Jun  6 09:35:28 New-ids barnyard2[19074]: database: schema version = 107
      Jun  6 09:35:28 New-ids barnyard2[19074]: database:           host = 127.0.0.1
      Jun  6 09:35:28 New-ids barnyard2[19074]: database:           port = 3306
      Jun  6 09:35:28 New-ids barnyard2[19074]: database:           user = root
      Jun  6 09:35:28 New-ids barnyard2[19074]: database:  database name = snorby
      Jun  6 09:35:28 New-ids barnyard2[19074]: database:    sensor name = new-ids:p1p1
      Jun  6 09:35:28 New-ids barnyard2[19074]: database:      sensor id = 1
      Jun  6 09:35:28 New-ids barnyard2[19074]: database:     sensor cid = 1
      Jun  6 09:35:28 New-ids barnyard2[19074]: database:  data encoding = hex
      Jun  6 09:35:28 New-ids barnyard2[19074]: database:   detail level = full
      Jun  6 09:35:28 New-ids barnyard2[19074]: database:     ignore_bpf = no
      Jun  6 09:35:28 New-ids barnyard2[19074]: database: using the "alert" facility
      Jun  6 09:35:28 New-ids barnyard2[19074]:
      Jun  6 09:35:28 New-ids barnyard2[19074]:         --== Initialization Complete ==--
      Jun  6 09:35:28 New-ids barnyard2[19074]: Barnyard2 initialization completed successfully (pid=19074)
      Jun  6 09:35:28 New-ids barnyard2[19074]: WARNING: Unable to open waldo file '/var/log/snort/p1p1/waldo' (No such file or directory)
      Jun  6 09:35:28 New-ids barnyard2[19074]: Opened spool file '/var/log/snort/p1p1/snort.log.1338854746'
      Jun  6 09:35:28 New-ids barnyard2[19074]: Closing spool file '/var/log/snort/p1p1/snort.log.1338854746'. Read 1 records
      Jun  6 09:35:28 New-ids barnyard2[19074]: Opened spool file '/var/log/snort/p1p1/snort.log.1338857440'
      Jun  6 09:35:28 New-ids barnyard2[19074]: Waiting for new data

As you can see it successfully opened the spool files and it recreated the waldo file, but still nothing in my mysql db!

Regards,

Michael
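One way to narrow this down, added here as an example and not code from the thread, from Snort or from Barnyard2: read the unified2 spool file directly and report what it contains. If snort.log.1338857440 holds complete IDS event records, barnyard2 has something to insert and the problem is on the database side (credentials, schema, sensor row); if it holds only packet records or a partial tail, nothing will ever reach the event table. The script assumes the standard unified2 layout (an 8-byte big-endian header of record type and body length, and the 52-byte IPv4 IDS event body for record type 7); the sample bytes it builds are constructed for the demonstration, and the record-type constants are the ones Snort's unified2 definitions use.

```python
"""Inspect a Snort unified2 spool file and report what barnyard2 would read from it.

Added example for this thread; not code from Snort or Barnyard2. Assumes the
standard unified2 stream layout: an 8-byte header (record type, body length,
both big-endian uint32) followed by the body.
"""
import socket
import struct
from collections import Counter

# Record types from Snort's unified2 definitions.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_V2 = 104
UNIFIED2_IDS_EVENT_IPV6_V2 = 105
UNIFIED2_EXTRA_DATA = 110

RECORD_HEADER = struct.Struct("!II")        # type, length (network byte order)
IDS_EVENT_BODY = struct.Struct("!11I2H4B")  # 52-byte body of a type-7 (IPv4) event
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)


def parse_records(data):
    """Return ([(record_type, body), ...], trailing_bytes).

    Snort appends to the spool file while barnyard2 reads it, so a partial
    record at the tail is normal: barnyard2 stops there and waits for the rest.
    """
    records = []
    offset = 0
    while offset + RECORD_HEADER.size <= len(data):
        rtype, length = RECORD_HEADER.unpack_from(data, offset)
        end = offset + RECORD_HEADER.size + length
        if end > len(data):          # truncated record: stop, like barnyard2 does
            break
        records.append((rtype, data[offset + RECORD_HEADER.size:end]))
        offset = end
    return records, len(data) - offset


def decode_ids_event(body):
    """Decode a type-7 body into a dict; addresses rendered as dotted quads."""
    if len(body) != IDS_EVENT_BODY.size:
        raise ValueError("IDS event body must be %d bytes, got %d"
                         % (IDS_EVENT_BODY.size, len(body)))
    event = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT_BODY.unpack(body)))
    for key in ("ip_source", "ip_destination"):
        event[key] = socket.inet_ntoa(struct.pack("!I", event[key]))
    return event


def summarize_spool(data):
    """Count records by type and list gid:sid:rev plus endpoints of each IPv4 event."""
    records, trailing = parse_records(data)
    summary = {"record_count": len(records),
               "by_type": Counter(rtype for rtype, _ in records),
               "events": [],
               "trailing_bytes": trailing}
    for rtype, body in records:
        if rtype == UNIFIED2_IDS_EVENT:
            ev = decode_ids_event(body)
            summary["events"].append("%d:%d:%d %s -> %s" % (
                ev["generator_id"], ev["signature_id"], ev["signature_revision"],
                ev["ip_source"], ev["ip_destination"]))
    return summary


def build_sample_spool():
    """Constructed sample: one IDS event, one packet record, then a truncated record."""
    event_body = IDS_EVENT_BODY.pack(
        1, 7, 1338857440, 0,        # sensor_id, event_id, event_second, event_microsecond
        2000, 1, 3,                 # signature_id, generator_id, signature_revision
        1, 2,                       # classification_id, priority_id
        0x0A000001, 0x0A000002,     # 10.0.0.1 -> 10.0.0.2 (constructed addresses)
        40000, 80, 6, 0, 0, 0)      # sport, dport, protocol=TCP, impact_flag, impact, blocked
    packet_data = b"\x00" * 60
    # Type-2 body: sensor_id, event_id, event_second, packet_second,
    # packet_microsecond, linktype, packet_length, then the packet bytes.
    packet_body = struct.pack("!7I", 1, 7, 1338857440, 1338857440, 0, 1,
                              len(packet_data)) + packet_data
    truncated = RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, IDS_EVENT_BODY.size) + b"\x00" * 10
    return (RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(event_body)) + event_body
            + RECORD_HEADER.pack(UNIFIED2_PACKET, len(packet_body)) + packet_body
            + truncated)


if __name__ == "__main__":
    import sys
    # Usage: python unified2_check.py /var/log/snort/p1p1/snort.log.1338857440
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_spool()
    s = summarize_spool(data)
    print("records: %d  by type: %s  trailing bytes: %d"
          % (s["record_count"], dict(s["by_type"]), s["trailing_bytes"]))
    for line in s["events"]:
        print("  event", line)
```

Run it against the spool file barnyard2 has open; the waldo's record_idx is the number of records barnyard2 has already consumed from that file, so a record count above it with complete type-7 records present means events are queued for the database and the MySQL output plugin itself is the place to look next.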

-----Original Message-----
From: Pete [mailto:magickal1 () gmail com]
Sent: Wednesday, 6 June 2012 12:57 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort-users Digest, Vol 73, Issue 4

Make sure that you have added the remote sensor to the users in mysql. If the remote sensor is not added then you will not see updates. If that is all there, the other thing you can do is to blow away the waldo file and restart snort/barnyard.

Sent from my iPad

On Jun 4, 2012, at 11:29 PM, snort-users-request () lists sourceforge net wrote:

Send Snort-users mailing list submissions to
   snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
   https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
   snort-users-request () lists sourceforge net

You can reach the person managing the list at
   snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


When responding, please don't respond with the entire Digest.  Please trim your response.

Today's Topics:

  1. Re: Barnyard2 not writing to Mysql snorby DB (Michael Green)


----------------------------------------------------------------------

Message: 1
Date: Tue, 5 Jun 2012 05:28:51 +0000
From: Michael Green <Michael.Green () gbst com>
Subject: Re: [Snort-users] Barnyard2 not writing to Mysql snorby DB
To: 'Jan Seidl' <lists () heavyworks net>
Cc: snort-users () lists sourceforge net
Message-ID: <EC681C4A4B384D49B9B1E9B5671860DE8AAB6D47 () MIL-MBX-1 gbst net>
Content-Type: text/plain; charset="utf-8"

Jan

Yes, I have alerts. I can see that because /var/log/snort/alert has alerts listed and /var/log/snort/p1p1/snort.log.1338857440 is growing.

Regards,

Michael

From: Jan Seidl [mailto:lists () heavyworks net]
Sent: Tuesday, 5 June 2012 3:22 PM
To: Michael Green
Subject: Re: [Snort-users] Barnyard2 not writing to Mysql snorby DB

Michael,

Have you got any rules enabled?

Did you make any action that could trigger an event?

Under normal (safe) traffic, it is normal to have no events.

On 06/05/2012 01:17 AM, Michael Green wrote:
Hi

I've just configured snort Version 2.9.2.3 in a test environment in preparation for upgrading my production server.

I have it configured for unified2 output and have barnyard2 configured to output to mysql:

##  /etc/snort/p1p1/barnyard2.conf
output database: log, mysql, user=xxx password=password dbname=snorby host=127.0.0.1 port=3306

My snort start command:
/usr/local/bin/snort -u snort -g snort -i p1p1 -c /etc/snort/p1p1/snort.conf -D

My barnyard2 start command:
/usr/local/bin/barnyard2 -c /etc/snort/p1p1/barnyard2.conf -u snort -g snort -d /var/log/snort/p1p1 -f snort.log -w /var/log/snort/p1p1/waldo -D

Snort is alerting:
New-ids 13:37:02 /var/log/snort/p1p1
root # ls -la /var/log/snort/p1p1
total 24
drwxr-xr-x. 2 snort snort 4096 Jun  5 11:05 .
drwxr-xr-x. 3 snort snort 4096 Jun  1 14:34 ..
-rw-------. 1 snort snort   96 Jun  5 10:18 snort.log.1338854746
-rw-------. 1 snort snort 8011 Jun  5 12:43 snort.log.1338857440
-rw-r--r--. 1 snort snort 2056 Jun  5 12:43 waldo

And Barnyard2 is seeing the alerts. Relevant section from /var/log/messages follows:
Jun  5 11:14:30 New-ids barnyard2[1995]: database: using the "log" facility
Jun  5 11:14:30 New-ids barnyard2[1995]:
Jun  5 11:14:30 New-ids barnyard2[1995]:         --== Initialization Complete ==--
Jun  5 11:14:30 New-ids barnyard2[1995]: Barnyard2 initialization completed successfully (pid=1995)
Jun  5 11:14:30 New-ids barnyard2[1995]: Using waldo file '/var/log/snort/p1p1/waldo':#012
     spool directory = /var/log/snort/p1p1#012
     spool filebase  = snort.log#012
     time_stamp      = 1338857440#012
     record_idx      = 0
Jun  5 11:14:30 New-ids barnyard2[1995]: Opened spool file '/var/log/snort/p1p1/snort.log.1338857440'
Jun  5 11:14:30 New-ids barnyard2[1995]: Waiting for new data

But nothing is being written to my mysql snorby DB?

I can log into mysql using the required credentials: mysql -u xxx -p snorby

but nothing is written.
mysql> select * from event;
Empty set (0.00 sec)

I'm now lost, and would appreciate some guidance. What should I do next?

Regards,

Michael
________________________________
Michael Green | Senior Network Engineer | GBST <http://www.gbst.com/>

The information transmitted is intended only for the person or entity to which it is addressed and may contain 
confidential and / or privileged material that may be governed by confidential information provisions contained in 
the agreement between GBST and your company. Any disclosure, copying, distribution, or other use without the express 
consent of the sender is prohibited. If you received this in error, please contact the sender and delete the material 
from any computer. All rights in the information transmitted, including copyright, are reserved. Nothing in this 
message should be interpreted as a digital signature that can be used to authenticate a document. No warranty is 
given by the sender that any attachments to this email are free from viruses or other defects.




------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------


End of Snort-users Digest, Vol 73, Issue 4
******************************************
