[Snort-users] RE: Barnyard not inserting on ACID tables in MySQL, just regular

Pedro Fortuna pedro.fortuna at ...11827...
Thu Sep 2 02:01:04 EDT 2004


Hello again Dirk,

 You're right! I configured barnyard with the blank db, removed the
"sensor_id" keyword, restarted barnyard, loaded the ACID page, and there
they were, all the alerts I've had since I configured snort with the
unified output module.


mmm.... another thing ... Currently I'm using this command to start barnyard:
$BARNYARD_PATH/barnyard -D -w barn.waldo -c /etc/snort/barnyard.conf \
            -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -f snort.log

To get things well done, I guess I could add a couple of switches.
Do you recommend adding -n and -a ? I don't want barnyard duplicating
database entries between restarts.... how exactly does barnyard handle
this?

Thanks for your prompt and wise answers :)
Pedro Fortuna

On Thu, 02 Sep 2004 09:55:50 +0200, Dirk Geschke <dirk_geschke at ...1344...> wrote:
> Hi Pedro,
> 
> > I've just taken a peek at my two "blank" snort databases that I
> > attempted to get working with barnyard, and this is strange... but the
> > sensor table is completely empty in both..... so, there couldn't be a
> > last_cid field... this means that barnyard fails to create new sensor
> > entries... anyway, it seems there's a bug lying here in barnyard...
> 
> I think there is a problem with the sensor_id keyword in barnyard.
> If this is set then barnyard tries to get the information for this
> sensor from the database. But if this sensor does not exist then
> it will stop working instead of inserting it.
> 
> If you use "sensor_id" then remove this entry from the output log_acid_db
> line and try it again...
> 
> Best regards
> 
> Dirk
> 
>