Snort mailing list archives

Re: barnyard not reading log files


From: Rajesh G S <rajeshgs () tevatel com>
Date: Thu, 5 Nov 2015 20:53:31 +0530

This is the output of barnyard2:

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w
/var/log/snort/barnyard2.waldo -g snort -u snort
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"


+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second

[CacheSynchronize()],INFO: No system was found in cache (from signature map
file), will not process or synchronize informations found in the database

database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = snort
database:  database name = snort
database:    sensor name = snort:NULL
database:      sensor id = 1
database:     sensor cid = 11
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.14 (Build 336)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>

Using waldo file '/var/log/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.u2
    time_stamp      = 1446725542
    record_idx      = 20
Opened spool file '/var/log/snort/snort.u2.1446725542'
Waiting for new data
^C*** Caught Int-Signal
Barnyard2 exiting
database: Closing connection to database "snort"
===============================================================================
Record Totals:
   Records:          20
   Events:          10 (50.000%)
   Packets:          10 (50.000%)
   Unknown:           0 (0.000%)
   Suppressed:           0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH: 10         (100.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 10         (100.000%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 0          (0.000%)
      UDP: 0          (0.000%)
     ICMP: 10         (100.000%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 0          (0.000%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 10
===============================================================================
Closing spool file '/var/log/snort/snort.u2.1446725542'. Read 20 records



In it, I am very concerned about the line

[CacheSynchronize()],INFO: No system was found in cache (from signature map
file), will not process or synchronize informations found in the database


I don't know why it appears; can anyone guide me?

Thanks,
With regards,
Rajesh Saibaba.


On Thu, Nov 5, 2015 at 8:46 PM, Rajesh G S <rajeshgs () tevatel com> wrote:

Hi all,

        I am trying to run Snort as an IDS. I can see a log file being created
each time I test Snort, but barnyard2 reads only the log file that was created
the very first time. It skips the other alert caches.


[root@snort ~]# ll /var/log/snort/
total 36
-rw-r--r-- 1 snort snort 2056 Nov  5 17:46 barnyard2.waldo
-rw------- 1 snort snort  366 Nov  5 17:45 snort.log.1446725727
-rw------- 1 snort snort  384 Nov  5 17:47 snort.log.1446725842
-rw------- 1 snort snort  822 Nov  5 18:00 snort.log.1446726642
-rw------- 1 snort snort  936 Nov  5 20:06 snort.log.1446734162
-rw------- 1 snort snort  822 Nov  5 20:07 snort.log.1446734225
-rw------- 1 snort snort  708 Nov  5 20:07 snort.log.1446734260
-rw------- 1 snort snort 1050 Nov  5 20:32 snort.log.1446735742
-rw------- 1 snort snort 1940 Nov  5 17:42 snort.u2.1446725542

Every time I test Snort it is able to show alerts, but there is no rise in the
count. The count keeps showing 10.

[root@snort ~]# mysql -u snort -p -D snort -e "select count(*) from event"
Enter password:
+----------+
| count(*) |
+----------+
|       10 |
+----------+

I think that no entry is being made in the MySQL database, but I am not sure
and I have no clue about it. So can anyone help me?


Thanks,
With regards.
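Added example (not code from this thread or from barnyard2 itself): a small script that decodes a barnyard2 waldo file and compares its spool filebase against what is actually sitting in the spool directory. barnyard2 only follows files named <filebase>.<unix_timestamp> (the assumed naming convention here, as in "snort.u2.1446725542" above); anything Snort writes under a different base name is never opened, so the database stops growing while Snort keeps alerting, which is a quiet blind spot in the detection pipeline. The waldo layout is assumed from barnyard2's on-disk struct: two 1024-byte NUL-padded paths (spool_dir, spool_filebase) followed by two native-endian uint32 fields (timestamp, record_idx), which adds up to the 2056 bytes shown for barnyard2.waldo in the listing above. The directory listing in the script is constructed to mirror that listing; function names and the exact field layout are assumptions, not barnyard2 API.

```python
"""Decode a barnyard2 waldo file and check its filebase against the spool dir.

Added example, not barnyard2's own code. Assumed waldo layout: two 1024-byte
NUL-padded char arrays (spool_dir, spool_filebase) then two native uint32
fields (timestamp, record_idx) = 2056 bytes, matching the listing in the post.
"""
import re
import struct

PATH_BUF = 1024                                   # assumed MAX_FILEPATH_BUF
WALDO_FMT = "=%ds%dsII" % (PATH_BUF, PATH_BUF)    # native order, no padding
WALDO_SIZE = struct.calcsize(WALDO_FMT)           # 2056

# Constructed to mirror the `ll /var/log/snort/` output from the post.
SAMPLE_LISTING = [
    "barnyard2.waldo",
    "snort.log.1446725727", "snort.log.1446725842", "snort.log.1446726642",
    "snort.log.1446734162", "snort.log.1446734225", "snort.log.1446734260",
    "snort.log.1446735742",
    "snort.u2.1446725542",
]


def build_waldo(spool_dir, filebase, timestamp, record_idx):
    """Serialise a waldo record (used here only to construct sample input)."""
    return struct.pack(WALDO_FMT, spool_dir.encode(), filebase.encode(),
                       timestamp, record_idx)


def parse_waldo(data):
    """Return the four waldo fields as a dict; refuse a truncated file."""
    if len(data) < WALDO_SIZE:
        raise ValueError("waldo too short: %d bytes" % len(data))
    sd, fb, ts, idx = struct.unpack(WALDO_FMT, data[:WALDO_SIZE])
    return {
        "spool_dir": sd.split(b"\0", 1)[0].decode(),
        "spool_filebase": fb.split(b"\0", 1)[0].decode(),
        "timestamp": ts,
        "record_idx": idx,
    }


def split_spool_files(names, filebase):
    """Split a directory listing into the timestamps barnyard2 would follow
    for this filebase (<filebase>.<digits>) and every other name."""
    pat = re.compile(r"^%s\.(\d+)$" % re.escape(filebase))
    matched, others = [], []
    for name in names:
        m = pat.match(name)
        if m:
            matched.append(int(m.group(1)))
        else:
            others.append(name)
    return sorted(matched), others


def other_filebases(names, filebase):
    """Base names other than `filebase` that still look like spool files."""
    bases = set()
    for name in names:
        m = re.match(r"^(.+)\.(\d+)$", name)
        if m and m.group(1) != filebase:
            bases.add(m.group(1))
    return sorted(bases)


def check_spool(names, waldo_bytes):
    """Summarise what barnyard2 will and will not read, given the waldo."""
    w = parse_waldo(waldo_bytes)
    ts_list, _ = split_spool_files(names, w["spool_filebase"])
    return {
        "filebase": w["spool_filebase"],
        "current": w["timestamp"],
        "unread_same_base": [t for t in ts_list if t > w["timestamp"]],
        "skipped_bases": other_filebases(names, w["spool_filebase"]),
    }


if __name__ == "__main__":
    # Sample waldo reproducing the values barnyard2 printed in the post.
    sample = build_waldo("/var/log/snort", "snort.u2", 1446725542, 20)
    report = check_spool(SAMPLE_LISTING, sample)
    print("waldo filebase   :", report["filebase"])
    print("following file   : %s.%d" % (report["filebase"], report["current"]))
    print("newer, same base :", report["unread_same_base"])
    if report["skipped_bases"]:
        print("WARNING: spool files with other base names are never opened:",
              ", ".join(report["skipped_bases"]))
```

Run it against a real host by replacing the constructed listing with os.listdir() of the spool directory and the sample bytes with the contents of the waldo file; if the warning fires, the -f argument (or the filename in Snort's unified2 output line) is the first thing to reconcile.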


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
