[Snort-users] Problem with barnyard 0.2.0 and snort 2.4.0

eric-list-snort-users at ...11523... eric-list-snort-users at ...11523...
Sat Aug 20 12:09:03 EDT 2005

On Sat, 2005-08-20 at 13:38:16 -0500, Paul Schmehl proclaimed...

> Restart barnyard, but add -v to make it more verbose.  If that doesn't tell 
> you anything, then add a second or third v.

I've added 6 "-v" switches ... and removed the waldo file from the 
command line entirely. This is what I get....

gw1$ /var/qmail/bin/barnyard -c /var/snort/etc/barnyard.conf \
  -d /var/snort/log -f snort.log -v -v -v -v -v -v

Barnyard Version 0.2.0 (Build 32)
Command line arguments:
  Config file:           /var/snort/etc/barnyard.conf
  Spool dir:             /var/snort/log
  Gen-msg file:          Not specified
  Sid-msg file:          Not specified
  Class file:            Not specified
  Log dir:               Not specified
  Archive dir:           Not specified
  File base:             snort.log
  Waldo file:            Not specified
  Pid file:              Not specified
  Verbosity level:       6
  Dry run flag:          Not Set
  Batch mode flag:       Not Set
  Daemon flag:           Not Set
  New records only flag: Not Set
  Usage flag:            Not Set
  Version flag:          Not Set
Config file variables:
  Hostname:        gw1
  Interface:       bridge0
  BPF Filter:      not port 22
  Class file:      /var/snort/etc/classification.config
  Sid-msg file:    /var/snort/etc/sid-msg.map
  Gen-msg file:    /var/snort/etc/gen-msg.map
  Daemon flag:     Not Set
  Localtime flag:  Set
Program Variables:
  Continual processing mode
  Config dir:    /var/snort/etc
  Config file:   /var/snort/etc/barnyard.conf
  Sid-msg file:  /var/snort/etc/sid-msg.map
  Gen-msg file:  /var/snort/etc/gen-msg.map
  Class file:    /var/snort/etc/classification.config
  Hostname:      gw1
  Interface:     bridge0
  BPF Filter:    not port 22
  Log dir:       /var/log/snort
  Verbosity:     6
  Localtime:     1
  Spool dir:     /var/snort/log
  Spool file:    snort.log
  Start at end:  0
Waiting for new spool file

A rule is then triggered, but the status above never changes.

> If you delete the waldo file, barnyard *should* reread all the log files 
> (giving you duplicates in your db.)  If it still isn't reading the 
> logfiles, then remove the waldo switch.  If it *still* won't load the 
> files, there's something wrong with the files.  Either they're not in 
> unified format or they're screwed up in a way that makes it impossible for 
> barnyard to parse them.
> The waldo file should look something like this:
> # less /usr/local/etc/waldo.file
> /var/log/snort/
> snort.log
> 1124382173
> 3138

My waldo file was null length.

> Check to see if the snort log files are binary.  If they aren't then snort 
> isn't logging in unified format.

They're the following...

gw1$ file /var/snort/log/*
/var/snort/log/alert:                        ASCII text
/var/snort/log/snort-unified.log.1124485688: 8086 relocatable (Microsoft)
/var/snort/log/snort-unified.log.1124499689: 8086 relocatable (Microsoft)
/var/snort/log/snort-unified.log.1124510258: 8086 relocatable (Microsoft)
/var/snort/log/snort-unified.log.1124513157: 8086 relocatable (Microsoft)

> This wasn't intended to fix anything regarding your present problem.

I know, just mentioning :)

Thanks for the help so far.

- Eric
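The checks discussed in this message (is the waldo file usable, are the spool files really unified binary, and do any of them match the file base given with `-f`), as an added example that is not part of the original post or of barnyard's code. It assumes barnyard picks up spool files named `<file base>.<unix timestamp>`, that the four waldo lines are spool directory, file base, timestamp and record position, and that the unified magic values are 0xDEAD4137 (alert) and 0xDEAD1080 (log) as defined in Snort's unified output plugin; the function names are hypothetical and the sample directory is constructed from the file names shown above.

```python
import os
import struct
import tempfile

# Magic numbers of Snort unified files, written in the sensor's byte order.
UNIFIED_MAGIC = {0xDEAD4137: "unified alert", 0xDEAD1080: "unified log"}

def unified_kind(path):
    """Return the unified file type, or None if the first 4 bytes do not match."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if len(head) < 4:
        return None
    for fmt in ("<I", ">I"):  # accept little- and big-endian writers
        kind = UNIFIED_MAGIC.get(struct.unpack(fmt, head)[0])
        if kind:
            return kind
    return None

def parse_waldo(path):
    """Parse the four-line waldo file; None if it is empty or malformed."""
    with open(path) as fh:
        lines = [ln.strip() for ln in fh if ln.strip()]
    if len(lines) != 4 or not (lines[2].isdigit() and lines[3].isdigit()):
        return None
    # Field names are assumed; the post only shows the four values.
    return {"spool_dir": lines[0], "file_base": lines[1],
            "timestamp": int(lines[2]), "record": int(lines[3])}

def spool_candidates(spool_dir, file_base):
    """List (timestamp, name, type) for files named <file_base>.<timestamp>."""
    found = []
    for name in os.listdir(spool_dir):
        base, _, stamp = name.rpartition(".")
        if base == file_base and stamp.isdigit():
            kind = unified_kind(os.path.join(spool_dir, name))
            found.append((int(stamp), name, kind))
    return sorted(found)

def demo():
    """Constructed spool directory using the file names from the post."""
    with tempfile.TemporaryDirectory() as d:
        for stamp in (1124485688, 1124499689):
            with open(os.path.join(d, f"snort-unified.log.{stamp}"), "wb") as fh:
                fh.write(struct.pack("<I", 0xDEAD1080) + b"\0" * 12)
        waldo = os.path.join(d, "waldo")
        open(waldo, "w").close()  # zero-length waldo, as reported above
        return (spool_candidates(d, "snort.log"),
                spool_candidates(d, "snort-unified.log"), parse_waldo(waldo))
```

On the constructed directory, `demo()` returns no candidates for the file base `snort.log`, two unified log files for `snort-unified.log`, and `None` for the empty waldo file.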
