[Snort-users] new Barnyard new snortb

Chuck Holley cholley at ...11679...
Thu May 13 12:49:01 EDT 2004


I am getting this:
  
[root at ...11803... root]# barnyard -D -c /opt/barnyard-0.2.0/etc/barnyard.conf -w
/var/log/snort/_wald.log -f snort.log -X /var/run/barnyard.pid
Barnyard Version 0.2.0 (Build 32)
WARNING /opt/barnyard-0.2.0/etc/barnyard.conf(127) => Unknown output plugin
"log_acid_db" referenced, ignoring!Fatal Error, Quitting..

Any thoughts??


-----Original Message-----
From: Michael Anderson [mailto:mca at ...1717...] 
Sent: Wednesday, May 12, 2004 4:22 PM
To: Chuck Holley
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] new Barnyard new snortb

Be prepared, this response is long.

I've played with barnyard off and on but just recently decided to take 
the plunge and use it exclusively to log to a mysql database.  First you 
have to tell snort to write to a unified log file.  This is a binary 
file containing all of the alert information.  Then you need to set up 
barnyard to read the unified log file and then insert the alerts into 
the database.  To tell snort to write to the unified log file you need 
to set the following in snort.conf.
snort.conf:
output log_unified: filename snort.log, limit 128

This entry in the snort.conf file will tell snort to write unified alert 
info to the snort.log.<id> file.  The id is a timestamp to identify 
unique log files.  The limit of 128 is 128 MB.  Once this limit is 
reached, a new log file will be started.  You are responsible for 
getting rid of old log files.  The log files will be written to the 
/var/log/snort directory by default.

Next you need to set up barnyard to read the log files and load the data 
into a database.  I set up a barnyard.conf file that looks like:
barnyard.conf:
config localtime
output log_acid_db: mysql, database snort, server localhost, user 
snortuser, password snortpassword, sensor_id 1

The first config option tells barnyard to use localtime for the alert 
timestamp.  The default is gmtime (that got me when I first started 
using barnyard).  The output line is similar to the output line in 
snort.conf.  Would have been nice if they kept the exact same format.   
You will of course need to change your user/password to your setup.

Next you need to launch snort and barnyard.  You shouldn't need to do 
anything different to launch snort.  Barnyard does have a few command 
line parameters that are important.  My invocation looks like:
barnyard -D -c barnyard.conf -w /var/log/snort/snort_waldo.log -f 
snort.log -X /var/run/barnyard.pid

The -D flag tells barnyard to run in daemon mode (i.e. in the 
background).  The -c flag indicates that you want to read a conf file.  
The -w flag says you want to maintain a waldo file.  A waldo file is a 
checkpoint file that tells barnyard which snort.log file it is reading 
and how many records have been read.  If you shut down barnyard and 
restart it, the waldo file will prevent you from reloading all of the 
previous alerts.  The -f flag tells barnyard the base name of the 
unified output file and the -X flag tells barnyard to write the pid of 
the daemon process to a file (this is not required but I have a cron 
script that checks to make sure everything is running).

Now comes a problem I found with barnyard 0.2.0.  If you have been using 
snort to log to a mysql database, all of the snort alerts are loaded 
into the signature table with the rev of the alert.  Barnyard will look 
in the signature table to see if one exists,  if not it will create a 
new signature entry.  The problem is barnyard will not use the rev from 
the incoming alert to find the entry in the signature table, barnyard 
uses a rev of 0.  Since there is no signature for the alert with a rev 
of 0, a new entry is created.  This in effect creates a duplicate 
signature with a new unique id so all of your old 'ICMP PING NMAP' 
alerts will not have the same id as your new alert.  I made the 
following modifications to fix this.  I emailed Andrew Baker about this 
problem but have not heard back from him yet.  If you feel up to it the 
fixes are as follows:
diffs to op_acid_db.c
95c95
<         unsigned int priority);
---
 >         unsigned int priority, u_int32_t rev);
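Review bot: the new `rev` parameter on the prototype carries no comment saying where the value must come from; since both callers in this patch pass the unified record's `sig_rev` rather than the sid-msg.map entry's `rev`, a one-line comment on the declaration (e.g. "rev: from the event record, not the sid-msg.map entry") would stop a later caller from passing `sid->rev` again and quietly reintroducing the rev-0 lookup.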
266c266
<             record->event.priority)) == 0)
---
 >             record->event.priority,record->event.sig_rev)) == 0)
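Review bot: when the record's `sig_rev` is itself 0 (a rule written without a `rev:` keyword), this call behaves exactly as the unpatched code did and the lookup still keys on rev 0; that is the right outcome for such rules, but it is worth stating next to the change so a remaining rev-0 row in the signature table is not read as the bug resurfacing.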
357c357
<             record->log.event.priority)) == 0)
---
 >             record->log.event.priority,record->log.event.sig_rev)) == 0)
833c833
<         ClassType *class_type, unsigned int priority)
---
 >         ClassType *class_type, unsigned int priority, u_int32_t rev)
842c842
<     if(OpAcidDb_GetSigId(op_data, sid->msg, sid->rev, sid->sid, 
&sig_id) == 1)
---
 >     if(OpAcidDb_GetSigId(op_data, sid->msg, rev, sid->sid, &sig_id) 
== 1)
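Review bot: `rev` now comes from the event record while `sid->msg` and `sid->sid` are still taken from the sid-msg.map entry, so the three lookup keys are drawn from two sources; consider passing the record's sig id alongside its rev (the same record already supplies `sig_rev`), so a stale sid-msg.map cannot pair the event's rev with a map entry's sid and create yet another row.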
854c854
<             e_message, class_id, priority, sid->rev, sid->sid) < 
MAX_QUERY_SIZE)
---
 >             e_message, class_id, priority, rev, sid->sid) < 
MAX_QUERY_SIZE)
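Review bot: the INSERT now stores the event's rev, but the rev-0 rows that earlier 0.2.0 runs created stay in the signature table, and events already logged against them keep pointing at the duplicate sig_id; the patch needs a one-off cleanup (repoint `event.signature` from each rev-0 row to the row with the real rev, then delete the rev-0 row) or the old and new 'ICMP PING NMAP' alerts stay split exactly as described above.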
860c860
<             OpAcidDb_GetSigId(op_data, sid->msg, sid->rev, sid->sid, 
&sig_id);
---
 >             OpAcidDb_GetSigId(op_data, sid->msg, rev, sid->sid, &sig_id);
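Review bot: unlike the call at 842, the return value of this second `OpAcidDb_GetSigId` is not checked, so if the INSERT just above it failed `sig_id` is used without ever having been set; check for `== 1` here as well and bail out of the event insert otherwise.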

Hope this helps you get started.  Let me know if you have any other 
questions.

-Mike
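The duplicate-signature behaviour described above, reproduced as an added example (this is not barnyard's code, nor code from either poster). It uses sqlite3 and a constructed, cut-down copy of the ACID/snort `signature` and `event` tables; column names follow snort's create_mysql script of the period, and the rule name, sid and rev values are made up for the example. `get_sig_id` is the lookup-or-insert keyed on (name, rev, sid), `insert_event` runs it either the 0.2.0 way (rev forced to 0) or the patched way (rev taken from the record), and `merge_rev0_duplicates` is the one-off cleanup the patch itself does not provide:

```python
import sqlite3

# Constructed schema for the example: a cut-down copy of the ACID/snort
# `signature` and `event` tables (column names as in snort's create_mysql
# script of the 2.1 era, trimmed to what the example needs).
SCHEMA = """
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name     TEXT    NOT NULL,
    sig_class_id INTEGER NOT NULL,
    sig_priority INTEGER,
    sig_rev      INTEGER,
    sig_sid      INTEGER
);
CREATE TABLE event (
    sid       INTEGER NOT NULL,   -- sensor id
    cid       INTEGER NOT NULL,   -- per-sensor event counter
    signature INTEGER NOT NULL,   -- signature.sig_id
    timestamp TEXT    NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""


def get_sig_id(conn, msg, rev, sid):
    """Look up a signature row by (name, rev, sid), inserting one if it is
    missing, and return its sig_id.  This mirrors the lookup-or-insert the
    post attributes to OpAcidDb_GetSigId; the key it uses is the whole point."""
    row = conn.execute(
        "SELECT sig_id FROM signature WHERE sig_name=? AND sig_rev=? AND sig_sid=?",
        (msg, rev, sid)).fetchone()
    if row is not None:
        return row[0]
    cur = conn.execute(
        "INSERT INTO signature (sig_name, sig_class_id, sig_priority, sig_rev, sig_sid) "
        "VALUES (?, ?, ?, ?, ?)", (msg, 1, 2, rev, sid))
    return cur.lastrowid


def insert_event(conn, sensor_id, cid, msg, sig_rev, sig_sid, use_event_rev):
    """Simulate barnyard logging one unified record.  use_event_rev=False
    mimics 0.2.0 as shipped (rev hard-wired to 0); True mimics the patched
    build, which keys on the record's own sig_rev.  Returns the sig_id used."""
    rev = sig_rev if use_event_rev else 0
    sig_id = get_sig_id(conn, msg, rev, sig_sid)
    conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)",
                 (sensor_id, cid, sig_id, "2004-05-12 16:22:00"))  # constructed
    return sig_id


def find_rev0_duplicates(conn):
    """Return (duplicate_id, canonical_id) pairs: each rev-0 row paired with
    the highest-rev row that has the same name and sid."""
    return conn.execute("""
        SELECT d.sig_id, c.sig_id
        FROM signature d
        JOIN signature c
          ON c.sig_name = d.sig_name AND c.sig_sid = d.sig_sid AND c.sig_rev > 0
        WHERE d.sig_rev = 0
          AND c.sig_rev = (SELECT MAX(sig_rev) FROM signature
                           WHERE sig_name = d.sig_name AND sig_sid = d.sig_sid)
    """).fetchall()


def merge_rev0_duplicates(conn):
    """Repoint events from each rev-0 duplicate to its canonical row, delete
    the duplicate, and return how many rows were removed.  Run this with
    barnyard stopped so no new events arrive mid-merge."""
    pairs = find_rev0_duplicates(conn)
    with conn:  # one transaction for the whole cleanup
        for dup_id, canon_id in pairs:
            conn.execute("UPDATE event SET signature=? WHERE signature=?",
                         (canon_id, dup_id))
            conn.execute("DELETE FROM signature WHERE sig_id=?", (dup_id,))
    return len(pairs)


def demo():
    """Walk through the failure mode and the cleanup on an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # A row snort's own database plugin created earlier, rev included
    # (sid 469 / rev 3 are constructed values for the example).
    canonical = get_sig_id(conn, "ICMP PING NMAP", 3, 469)
    # The same rule arriving through barnyard 0.2.0: rev forced to 0, so the
    # lookup misses and a second row is created.
    buggy = insert_event(conn, 1, 1, "ICMP PING NMAP", 3, 469, use_event_rev=False)
    # Through the patched build: the record's rev is used and the row is reused.
    fixed = insert_event(conn, 1, 2, "ICMP PING NMAP", 3, 469, use_event_rev=True)
    before = conn.execute("SELECT COUNT(*) FROM signature").fetchone()[0]
    removed = merge_rev0_duplicates(conn)
    after = conn.execute("SELECT COUNT(*) FROM signature").fetchone()[0]
    on_canonical = conn.execute(
        "SELECT COUNT(*) FROM event WHERE signature=?", (canonical,)).fetchone()[0]
    conn.close()
    return {
        "canonical_id": canonical, "buggy_id": buggy, "fixed_id": fixed,
        "signatures_before": before, "duplicates_removed": removed,
        "signatures_after": after, "events_on_canonical": on_canonical,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats when carrying this over to a real ACID database: the `event` and `signature` statements are the same in MySQL apart from `AUTOINCREMENT` (MySQL spells it `AUTO_INCREMENT`), and the cleanup must run with barnyard stopped and inside one transaction, because an event inserted between the UPDATE and the DELETE would be left pointing at a deleted sig_id. Note also that once barnyard keys on the real rev, a genuine rule revision (rev 3 bumped to rev 4 in a rules update) produces a second signature row with the new rev; that is the intended ACID behaviour, not this bug, and the merge above deliberately leaves such rows alone.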

Chuck Holley wrote:

>To be honest mike I am new to barnyard and really don't understand how this
>thing works with snort.  What do I need to do to get this thing to log. My
>current snort config ports everything into a Mysql database, which of
>course is very slow because I have just about all the rules in and alerting
>on all of them.  I know its not getting all the traffic.
>
>How do I go about tweaking snort to work with barnyard, mysql, and ACID.  I
>have only been running this IDS for about a month and just found out that I
>need to be using something like barnyard.  Your help would be much
>appreciated. 
>
>-----Original Message-----
>From: Michael Anderson [mailto:mca at ...1717...] 
>Sent: Wednesday, May 12, 2004 3:39 PM
>To: Chuck Holley
>Cc: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] new Barnyard new snortb
>
>I am running snort 2.1.1 and barnyard 0.2.0.  I haven't tried snort 
>2.1.2 yet but I'm assuming the configuration would be the same.  What 
>type of problems are you having?
>
>-Mike
>
>Chuck Holley wrote:
>
>  
>
>>I have been trying to get info on how to use the new barnyard with the new
>>snort.  Has anyone done this successfully yet?  If so, how does it work and
>>where do I go for some guidance on this.  Thanks 
>>
>>Chuck Holley
>>LAN Administrator
>>FitnessQuest Inc.
>>Canton, OH
>>cholley at ...11679...
>>