Snort mailing list archives
Re: Snort & Barnyard
From: James <snort () cyclohexane net>
Date: Mon, 23 Dec 2013 15:35:53 +0000
Hi,

Thanks for your reply. Yes, at least I think so, I'm running snort like this:

/usr/sbin/snort -A fast -b -d -D -i eth1 -u snort -g snort -c /etc/snort/snort.conf -l /usr/local/snort/var/log/eth1

Starting barnyard without daemon mode shows this only:

root@network08:/var/www/aanval/apps# barnyard2 -c /etc/snort/barnyard.conf -d /usr/local/snort/var/log/eth1 -w /usr/local/snort/var/log/eth1/barnyard2.waldo -l /usr/local/snort/var/log/eth1 -a /usr/local/snort/var/log/eth1/archive -f snort.log -X /var/lock/barnyard2-eth1.pid
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard.conf"

+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
Log directory = /usr/local/snort/var/log/eth1
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snort_user
database: database name = snortdb
database: sensor name = localhost:eth1
database: sensor id = 2
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.13 (Build 327)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>

Using waldo file '/usr/local/snort/var/log/eth1/barnyard2.waldo':
    spool directory = /usr/local/snort/var/log/eth1
    spool filebase  = snort.log
    time_stamp      = 1387663189
    record_idx      = 0
Opened spool file '/usr/local/snort/var/log/eth1/snort.log.1387663189'
Closing spool file '/usr/local/snort/var/log/eth1/snort.log.1387663189'. Read 0 records
Opened spool file '/usr/local/snort/var/log/eth1/snort.log.1387811302'
Waiting for new data

If I then press ctrl-c it says it's seen 0 for every field.

If it helps, this is the dir in question:

root@network08:/var/www/aanval/apps# ls -al /usr/local/snort/var/log/eth1/
total 98184
drwxr-xr-x 4 snort snort      4096 Dec 23 15:11 .
drwxr-xr-x 4 snort snort      4096 Dec 21 22:27 ..
-rw-r--r-- 1 snort snort 100383823 Dec 23 15:13 alert
drwxr-xr-x 2 snort snort      4096 Dec 23 15:11 archive
-rw------- 1 snort snort      2056 Dec 23 15:11 barnyard2.waldo
-rw------- 1 snort snort    128173 Dec 23 15:13 snort.log.1387811302

If I tail the "alert" file, I see plenty of them occurring.

Thanks

James

On 22 December 2013 23:29, Ayodele Okeowo <aymacro () gmail com> wrote:
> When you ran snort did you use the '-A console' switch? Also did you test your barnyard without daemon?
>
> On Dec 22, 2013 6:04 PM, "James" <snort () cyclohexane net> wrote:
>
>> Hi all,
>>
>> I've followed this guide:
>> http://wiki.aanval.com/wiki/Community:Snort_2.9.2.3_Installation_Guide_for_Ubuntu_12.04,_with_Barnyard2,_Pulledpork,_and_Aanval
>> but using the most current Snort + Barnyard and everything seems to have installed and start up correctly, but I'm not seeing anything get logged into the MySQL database.
>>
>> There were a few mistakes in the guide, which I've managed to fix with a bit of Googling, but I can't seem to solve this.
>>
>> I realise you're probably going to need more information to be able to help, but don't know enough yet to guess what that might be. Can anyone help please?
>>
>> The alternative is I wipe it all and start again in the hope I just missed something stupid the first time, but hopefully someone could help me avoid that?
>>
>> Thanks
>>
>> James
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
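The message above ends with Barnyard2 opening the spool file, reporting "Read 0 records" and waiting, while the text "alert" file keeps growing. As an added example, not part of the thread and not Barnyard2's own code, here is a small Python inspector that tells you at the byte level what kind of spool file Barnyard2 is looking at. It assumes the two formats a Snort spool can realistically have: a libpcap capture, which is what the `-b` switch on the snort command line above writes, and unified2, which is the only input the Barnyard2 spooler parses (8-byte big-endian type/length record headers; the 52-byte IDS event layout is the Unified2IDSEvent struct from Snort's Unified2_common.h). The record-type table is a subset, and the sample bytes at the bottom are constructed for the test, not taken from the poster's system.

```python
#!/usr/bin/env python3
"""Inspect a Snort spool file and report whether Barnyard2 can read it.

Added example (not from the mailing-list thread). Distinguishes a libpcap
capture (as written by `snort -b`) from a unified2 spool, and for unified2
counts the complete records and decodes the IDS event fields that Barnyard2
would turn into database rows.
"""
import struct

# libpcap global-header magic numbers: the first 4 bytes of a pcap file.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": "pcap, big-endian, microsecond timestamps",
    b"\xd4\xc3\xb2\xa1": "pcap, little-endian, microsecond timestamps",
    b"\xa1\xb2\x3c\x4d": "pcap, big-endian, nanosecond timestamps",
    b"\x4d\x3c\xb2\xa1": "pcap, little-endian, nanosecond timestamps",
}

# unified2 record types (subset of Snort's Unified2_common.h).
UNIFIED2_TYPES = {
    2: "UNIFIED2_PACKET",
    7: "UNIFIED2_IDS_EVENT",
    72: "UNIFIED2_IDS_EVENT_IPV6",
    104: "UNIFIED2_IDS_EVENT_VLAN",
    105: "UNIFIED2_IDS_EVENT_IPV6_VLAN",
    110: "UNIFIED2_EXTRA_DATA",
}

# Unified2IDSEvent (type 7): 11 x uint32, 2 x uint16, 4 x uint8, big-endian.
IDS_EVENT_FMT = ">IIIIIIIIIIIHHBBBB"
IDS_EVENT_LEN = struct.calcsize(IDS_EVENT_FMT)  # 52 bytes


def iter_unified2_records(data):
    """Yield (record_type, payload) for every complete unified2 record.

    A record is an 8-byte header (type, length, both big-endian uint32)
    followed by `length` payload bytes. Parsing stops at the first truncated
    record, which is the normal tail of a file Snort is still writing.
    """
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        if off + 8 + rlen > len(data):
            break  # partial record: the writer has not finished it yet
        yield rtype, data[off + 8:off + 8 + rlen]
        off += 8 + rlen


def decode_ids_event(payload):
    """Return the UNIFIED2_IDS_EVENT fields Barnyard2 stores per event."""
    if len(payload) != IDS_EVENT_LEN:
        raise ValueError("unexpected IDS event length %d" % len(payload))
    f = struct.unpack(IDS_EVENT_FMT, payload)
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "signature_id": f[4], "generator_id": f[5],
        "signature_revision": f[6], "priority_id": f[8], "protocol": f[13],
    }


def classify_spool(data):
    """Return (kind, record_count) with kind in pcap/unified2/empty/unknown.

    For unified2, record_count is what Barnyard2 would report as records read.
    """
    if not data:
        return "empty", 0
    if data[:4] in PCAP_MAGICS:
        return "pcap", 0
    records = list(iter_unified2_records(data))
    if records and all(t in UNIFIED2_TYPES for t, _ in records):
        return "unified2", len(records)
    return "unknown", 0


def summarize(data):
    """Classify the spool and decode every IDS event it contains."""
    kind, count = classify_spool(data)
    events = []
    if kind == "unified2":
        events = [decode_ids_event(p) for t, p in iter_unified2_records(data) if t == 7]
    return kind, count, events


# Constructed samples (not real captures): a bare little-endian pcap header,
# and a unified2 stream with one IDS event followed by its packet record.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def _ids_event(sensor_id, event_id, sid, gid, rev, priority):
    body = struct.pack(IDS_EVENT_FMT, sensor_id, event_id, 1387811302, 0,
                       sid, gid, rev, 0, priority, 0x0A000001, 0x0A000002,
                       12345, 80, 6, 0, 0, 0)
    return struct.pack(">II", 7, len(body)) + body


def _packet_record(sensor_id, event_id, pkt):
    # Unified2Packet header: sensor_id, event_id, event_second,
    # packet_second, packet_microsecond, linktype, packet_length.
    hdr = struct.pack(">IIIIIII", sensor_id, event_id, 1387811302,
                      1387811302, 0, 1, len(pkt))
    return struct.pack(">II", 2, len(hdr) + len(pkt)) + hdr + pkt


SAMPLE_UNIFIED2 = _ids_event(2, 1, 2100498, 1, 7, 2) + _packet_record(2, 1, b"\x45\x00\x00\x14")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_UNIFIED2
    print(summarize(data))
```

Point it at the spool file Barnyard2 opened, e.g. `python3 spoolcheck.py /usr/local/snort/var/log/eth1/snort.log.1387811302`. If it reports `pcap`, the file is a packet capture and Barnyard2 will read zero records from it no matter how many alerts the text file shows; in that case snort.conf needs a unified2 output line (the standard directive is `output unified2: filename snort.log, limit 128`) and the filename must match the `-f` argument given to barnyard2. If it reports `unified2` with a non-zero count, the spool is fine and the problem is downstream (waldo position or the database output plugin).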
Current thread:
- Snort & Barnyard James (Dec 22)
- Message not available
- Re: Snort & Barnyard James (Dec 23)
- Re: Snort & Barnyard Ayodele Okeowo (Dec 23)
- Re: Snort & Barnyard James (Dec 23)
- Message not available
- Message not available
- Re: Snort & Barnyard James Hodge (Dec 30)
- Re: Snort & Barnyard Ayodele Okeowo (Dec 30)
- Re: Snort & Barnyard James Hodge (Dec 30)