[Snort-users] barnyard-0.1.0-beta5 and mysql

Michael Scheidell scheidell at ...5171...
Mon May 27 10:37:15 EDT 2002


just upgraded from snort 1.8.6 release to snort 1.8.7beta5 and
barnyard-0.1.0-beta5 and it doesn't seem to be logging to mysql database.

barnyard config:
./configure --enable-mysql

changed barnyard startup, added -X /var/run/by.pid (and by2.pid; I run two
copies of barnyard, one for alerts, one for logs)

config.log seems to indicate it found and linked in mysql libraries:
config.log:configure:2574: gcc -o conftest -g -O2 -Wall -I/usr/local/include/mysql -DENABLE_MYSQL -L/usr/local/lib/mysql conftest.c -lmysqlclient -lmysqlclient 1>&5

snort is working (I guess): fast.alert shows the entry, /var/log/snort shows
updates to the waldo file and barnyard binary.

-rw-r--r--  1 root  security      32 May 27 13:15 waldo.log
-rw-r--r--  1 root  security   10034 May 27 13:15 log.1022519256

tcpdump -X of pcap shows offending packet. (so I know snort is sending
payload to barnyard, and barnyard is picking it up and sending it to pcap)

so, all it looks like is that barnyard is not sending to mysql anymore.

barnyard config:
config daemon
config hostname: localhost
config interface: LAN
config filter: not localhost
processor dp_log
processor dp_stream_stat
output log_pcap: /var/log/snort/pcap
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user root, detail full

barnyard startup:
/usr/local/bin/barnyard -c /usr/local/etc/barnyard.conf -d /var/log/snort \
    -f log -L /var/log/snort -w /var/log/snort/waldo.log -a /var/log/snort/tmp \
    -X /var/run/by.pid -D

May 27 13:28:56 scanner barnyard: Loading Data Processors...
May 27 13:28:56 scanner barnyard: dp_alert loaded
May 27 13:28:56 scanner barnyard: dp_log loaded
May 27 13:28:56 scanner barnyard: dp_stream_stat loaded
May 27 13:28:56 scanner barnyard: Loading Built-in Output Plugins...
May 27 13:28:56 scanner barnyard: Fast Alert plugin initialized
May 27 13:28:56 scanner barnyard: AlertSyslog initialized
May 27 13:28:56 scanner barnyard: Log Dump plugin initialized
May 27 13:28:56 scanner barnyard: LogPcap initialized
May 27 13:28:56 scanner barnyard: AcidDb output plugin initialized
May 27 13:28:56 scanner barnyard: AlertCSV initialized
May 27 13:28:56 scanner barnyard: Parsing Config file:
/usr/local/etc/barnyard.$
May 27 13:28:56 scanner barnyard: Args: mysql, sensor_id 1, database snort,
server localhost, user root, detail full
May 27 13:28:56 scanner barnyard: Initializing daemon mode
May 27 13:28:56 scanner barnyard: Barnyard Version 0.1.0-beta5 (Build 8)
started


--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...5171...
http://www.secnap.net
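The post narrows the problem down by checking each hop (snort writes the unified log, barnyard advances the waldo file, the pcap output receives the packet) except the last one: whether rows are actually arriving in the database. The script below is an added example, not code from the post or from the barnyard project. It parses the `log_acid_db` argument string the way barnyard echoes it in the "Args:" log line, and then runs a database-side liveness check: does the sensor have an event newer than a chosen window? It assumes the Snort/ACID `sensor` and `event` tables (columns `sid`, `cid`, `timestamp`) and uses an in-memory SQLite stand-in with constructed rows in place of the MySQL server, so the same query would be run against the real `snort` database with a MySQL client.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed stand-in for the subset of the Snort/ACID schema that
# barnyard's log_acid_db plugin writes into (sensor + event tables).
SCHEMA = """
CREATE TABLE sensor (
    sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT, last_cid INTEGER
);
CREATE TABLE event (
    sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
    PRIMARY KEY (sid, cid)
);
"""


def parse_acid_db_args(arg_string):
    """Split a 'output log_acid_db:' argument string into (db_type, options).

    The first comma-separated token is the database type; every following
    token is a 'key value' pair. Whitespace around commas is tolerated, so
    'server localhost,user root' parses the same as 'server localhost, user root'.
    """
    parts = [p.strip() for p in arg_string.split(",") if p.strip()]
    db_type = parts[0]
    options = {}
    for part in parts[1:]:
        key, _, value = part.partition(" ")
        options[key.strip()] = value.strip()
    return db_type, options


def open_sample_db(event_timestamps):
    """Build the in-memory stand-in with constructed rows for sensor_id 1."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO sensor VALUES (1, 'scanner', 'LAN', ?)", (len(event_timestamps),)
    )
    for cid, ts in enumerate(event_timestamps, start=1):
        conn.execute("INSERT INTO event VALUES (1, ?, 1, ?)", (cid, ts))
    conn.commit()
    return conn


def logging_is_alive(conn, sensor_id, now, window=timedelta(minutes=10)):
    """Return (alive, last_event_time, event_count) for one sensor.

    'alive' means the newest event row for the sensor is no older than
    now - window. A sensor whose waldo file keeps advancing while this
    stays False is the symptom in the post: the output plugin is not inserting.
    """
    last_ts, count = conn.execute(
        "SELECT MAX(timestamp), COUNT(*) FROM event WHERE sid = ?", (sensor_id,)
    ).fetchone()
    if last_ts is None:
        return False, None, 0
    last = datetime.fromisoformat(last_ts)
    return (now - last) <= window, last, count


if __name__ == "__main__":
    db_type, opts = parse_acid_db_args(
        "mysql, sensor_id 1, database snort, server localhost,user root, detail full"
    )
    print(db_type, opts)
    conn = open_sample_db(["2002-05-27 13:10:00", "2002-05-27 13:15:00"])
    sid = int(opts["sensor_id"])
    print(logging_is_alive(conn, sid, datetime(2002, 5, 27, 13, 20, 0)))
    print(logging_is_alive(conn, sid, datetime(2002, 5, 27, 13, 28, 56)))
```

Against a real deployment the check is the same `MAX(timestamp)` query run per `sid`; comparing it with the waldo file's modification time (13:15 in the post) tells you immediately whether events are being read but not written.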
