[Snort-users] Barnyard not Updating MySQL
Someone.you dont.like
maps.this.address at ...11827...
Sun Aug 28 08:12:21 EDT 2005
Hi,
I am trying to get Barnyard to work in conjunction with Snort to
update a MySQL backend database. All three programs run on the same
system (localhost) and I am using the following versions:
Barnyard :
/usr/local/barnyard/bin/barnyard -V
Barnyard Version 0.2.0 (Build 32)
Snort:
/usr/local/snort/bin/snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.4.0 (Build 18)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.
MySQL:
/usr/local/mysql/bin/mysql -V
/usr/local/mysql/bin/mysql Ver 14.7 Distrib 4.1.13a, for pc-linux-gnu
(i686) using EditLine wrapper
OS:
Slackware 10.1 (kernel 2.6.11.3)
When I configure Snort to update the database directly without
Barnyard, it "does" write accordingly in real time as I run a portscan
or some other type of attack that would trigger a rule. But when I
attempt to configure Barnyard to process the log files into the
database, I see no event table being updated (same type of attack,
i.e. Stealth SYN port scan...).
A few things before I go on:
Snort, Barnyard, map, and classification files are under /etc/snort
Log files are under /var/log/snort
*****************
* snort.conf *
*****************
I have the following in my /etc/snort/snort.conf:
output alert_unified: filename snort-unified.alert, limit 128
output log_unified: filename snort-unified.log, limit 128
And the MySQL database line is "commented".
*********************
* barnyard.conf *
*********************
In /etc/snort/barnyard.conf I have:
config daemon
#config localtime
config hostname: localhost
config interface: bridge0
config filter: not port 22
output alert_fast
output log_dump
output alert_csv: csv.out timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode
output log_pcap
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password [EDITED], detail full
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password [EDITED], detail full
The passwords are double and triple checked. They work with Snort and
MySQL commandline.
*******************
* Snort exec *
*******************
Here's how I run Snort:
/usr/local/snort/bin/snort -dev -u snort -q -c /etc/snort/snort.conf -i eth0 -l /var/log/snort -D
**************************
* Barnyard exec *
**************************
And Barnyard:
/usr/local/barnyard/bin/barnyard -c /etc/snort/barnyard.conf -s /etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p /etc/snort/classification.config -d /var/log/snort/ -f snort-unified.log -X /var/run/by.pid -w /etc/snort/waldo.file -v -v -v -v -v -v -D
With the following screen output by Barnyard (verbose mode):
Barnyard Version 0.2.0 (Build 32)
Command line arguments:
Config file: /etc/snort/barnyard.conf
Spool dir: /var/log/snort/
Gen-msg file: /etc/snort/gen-msg.map
Sid-msg file: /etc/snort/sid-msg.map
Class file: /etc/snort/classification.config
Log dir: Not specified
Archive dir: Not specified
File base: snort-unified.log
Waldo file: /etc/snort/waldo.file
Pid file: /var/run/by.pid
Verbosity level: 6
Dry run flag: Not Set
Batch mode flag: Not Set
Daemon flag: Set
New records only flag: Not Set
Usage flag: Not Set
Version flag: Not Set
Config file variables:
Hostname: localhost
Interface: bridge0
BPF Filter: not port 22
Class file: Not specified
Sid-msg file: Not specified
Gen-msg file: Not specified
Daemon flag: Set
Localtime flag: Not Set
Program Variables:
Continual processing mode
Config dir: /etc/snort
Config file: /etc/snort/barnyard.conf
Sid-msg file: /etc/snort/sid-msg.map
Gen-msg file: /etc/snort/gen-msg.map
Class file: /etc/snort/classification.config
Hostname: localhost
Interface: bridge0
BPF Filter: not port 22
Log dir: /var/log/snort
Verbosity: 6
Localtime: 0
Spool dir: /var/log/snort/
Spool file: snort.alert
Pid file: /var/run/by.pid
Bookmark file: /etc/snort/waldo.file
Record Number: 6
Timet: 1125274341
Start at end: 0
********************
* waldo.file *
********************
The content of waldo.file after startup of Barnyard is:
cat /etc/snort/waldo.file
/var/log/snort/
snort.alert
1125274341
6
**************************
* /var/log/message *
**************************
Aug 29 12:19:08 [EDITED] barnyard: Starting data processing using information from bookmark file
Aug 29 12:19:08 [EDITED] barnyard: WARNING: Using spool file from bookmark file
Aug 29 12:19:09 [EDITED] barnyard[21484]: Initializing daemon mode
Aug 29 12:19:09 [EDITED] barnyard[21485]: Opened spool file '/var/log/snort//snort.alert.1125274341'
Aug 29 12:19:09 [EDITED] barnyard[21485]: OpAlertFast configured
Aug 29 12:19:09 [EDITED] barnyard[21485]: Filename: fast.alert
Aug 29 12:19:09 [EDITED] barnyard[21485]: OpAlertCSV configured
Aug 29 12:19:09 [EDITED] barnyard[21485]: Filepath: csv.out
Aug 29 12:19:09 [EDITED] barnyard[21485]: Format: timestamp, msg, srcip, sport, dstip, dport, protoname, itype, icode
Aug 29 12:19:09 [EDITED] barnyard[21485]: Waiting for new data
The log files do get written to from what I see:
ls -la /var/log/snort/
total 126
drwxr-xr-x 3 snort snort 472 2005-08-29 12:14 ./
drwxr-xr-x 12 root root 1576 2005-08-28 04:40 ../
drwx------ 2 snort snort 112 2005-08-28 20:23 192.168.0.174/
-rw------- 1 snort snort 61144 2005-08-29 12:09 alert
-rw-r--r-- 1 snort snort 10548 2005-08-29 12:07 fast.alert
-rw------- 1 snort snort 272 2005-08-29 12:15 snort-unified.alert.1125332058
-rw------- 1 snort snort 488 2005-08-29 12:15 snort-unified.log.1125332058
-rw------- 1 snort snort 400 2005-08-28 21:16 snort.alert.1125274341
-rw------- 1 snort snort 3848 2005-08-28 22:54 snort.log.1125280475
-rw------- 1 snort snort 5824 2005-08-28 23:37 snort.log.1125286059
-rw------- 1 snort snort 5128 2005-08-29 02:15 snort.log.1125292589
-rw------- 1 snort snort 488 2005-08-29 02:17 snort.log.1125296165
-rw------- 1 snort snort 16321 2005-08-29 12:09 snort.log.1125296354
After portscan:
ls -la /var/log/snort/
total 126
drwxr-xr-x 3 snort snort 472 2005-08-29 12:14 ./
drwxr-xr-x 12 root root 1576 2005-08-28 04:40 ../
drwx------ 2 snort snort 112 2005-08-28 20:23 192.168.0.174/
-rw------- 1 snort snort 61144 2005-08-29 12:09 alert
-rw-r--r-- 1 snort snort 10548 2005-08-29 12:07 fast.alert
-rw------- 1 snort snort 528 2005-08-29 12:18 snort-unified.alert.1125332058
-rw------- 1 snort snort 952 2005-08-29 12:18 snort-unified.log.1125332058
-rw------- 1 snort snort 400 2005-08-28 21:16 snort.alert.1125274341
-rw------- 1 snort snort 3848 2005-08-28 22:54 snort.log.1125280475
-rw------- 1 snort snort 5824 2005-08-28 23:37 snort.log.1125286059
-rw------- 1 snort snort 5128 2005-08-29 02:15 snort.log.1125292589
-rw------- 1 snort snort 488 2005-08-29 02:17 snort.log.1125296165
-rw------- 1 snort snort 16321 2005-08-29 12:09 snort.log.1125296354
The weird thing is the waldo.file shows snort.alert.1125274341. I do
not know whether that has something to do with it; please correct me
if I'm wrong. This is how I check the event table:
[Before portscan]:
mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
| 60 |
+----------+
1 row in set (0.00 sec)
[A few minutes later after the portscan]
mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
| 60 |
+----------+
1 row in set (0.00 sec)
When only Snort updates the database, I can actually see the
event table growing in real time.
Anyway, I've tried running Snort and Barnyard with only log or only alert
file updates; still, Barnyard doesn't update the database. The sensor
id is 1:
mysql> select * from sensor;
+-----+---------------+-----------+--------+--------+----------+----------+
| sid | hostname | interface | filter | detail | encoding | last_cid |
+-----+---------------+-----------+--------+--------+----------+----------+
| 1 | 192.168.2.134 | eth0 | NULL | 1 | 0 | 56 |
+-----+---------------+-----------+--------+--------+----------+----------+
1 row in set (0.04 sec)
I have also tried sensor_id 0 and 2 in my barnyard.conf, no luck!
OK, one last thing: the log files are indeed in unified format because
when I run Barnyard in batch mode, it processes them accordingly and I
get:
/usr/local/barnyard/bin/barnyard -o -c /etc/snort/barnyard.conf -s /etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p /etc/snort/classification.config /var/log/snort/snort-unified.alert.1125332058
Barnyard Version 0.2.0 (Build 32)
Exiting
[user]@[somehost]:~/blah# ls
csv.out fast.alert
I hope I pretty much covered everything that I could. Any ideas?
Any help would be much appreciated.
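Added example, not part of the post above or of Barnyard itself: the verbose startup output reports "Spool file: snort.alert" and syslog shows "WARNING: Using spool file from bookmark file", while -f names snort-unified.log. The Python script below parses a four-line bookmark (waldo) file in the layout shown in the post (spool dir, spool base, file timestamp, record number) and checks it against the configured -f base and a listing of the spool directory, so a stale bookmark that keeps Barnyard reading an old spool base shows up before the database is inspected. The bookmark contents and file names are copied from the post; the function and class names are my own.

```python
"""
Consistency check between a Barnyard 0.2 bookmark ("waldo") file, the
spool base given with -f, and the files present in the spool directory.
Added example for this thread; not Barnyard code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


# Bookmark layout as shown in the post: spool dir, spool base, timestamp, record.
@dataclass
class Bookmark:
    spool_dir: str
    spool_base: str
    timestamp: int
    record: int


def parse_waldo(text: str) -> Bookmark:
    """Parse the four non-empty lines of a bookmark file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 4:
        raise ValueError(f"expected 4 non-empty lines, got {len(lines)}")
    return Bookmark(lines[0], lines[1], int(lines[2]), int(lines[3]))


# Unified spool files are named <base>.<unix timestamp>.
SPOOL_RE = re.compile(r"^(?P<base>.+)\.(?P<ts>\d{9,10})$")


def split_spool_name(name: str) -> tuple[str, int] | None:
    """'snort-unified.log.1125332058' -> ('snort-unified.log', 1125332058)."""
    m = SPOOL_RE.match(name)
    if not m:
        return None
    return m.group("base"), int(m.group("ts"))


def check_bookmark(bm: Bookmark, configured_base: str, spool_files: list[str]) -> list[str]:
    """Return human-readable findings; an empty list means the bookmark is consistent."""
    findings: list[str] = []
    if bm.spool_base != configured_base:
        findings.append(
            f"bookmark base '{bm.spool_base}' differs from configured -f base "
            f"'{configured_base}'; the bookmark wins, so '{configured_base}.*' is never read"
        )
    bookmarked = f"{bm.spool_base}.{bm.timestamp}"
    if bookmarked not in spool_files:
        findings.append(f"bookmarked spool file '{bookmarked}' is missing from the spool directory")
    # Files with the configured base that are newer than the bookmark and would be skipped.
    if bm.spool_base != configured_base:
        newer = []
        for name in spool_files:
            parsed = split_spool_name(name)
            if parsed and parsed[0] == configured_base and parsed[1] > bm.timestamp:
                newer.append(name)
        if newer:
            findings.append(
                f"{len(newer)} newer '{configured_base}.*' file(s) will not be processed: "
                + ", ".join(sorted(newer))
            )
    return findings


# Constructed sample input, copied from the post.
WALDO_TEXT = "/var/log/snort/\nsnort.alert\n1125274341\n6\n"
SPOOL_FILES = [
    "192.168.0.174", "alert", "fast.alert",
    "snort-unified.alert.1125332058", "snort-unified.log.1125332058",
    "snort.alert.1125274341", "snort.log.1125280475", "snort.log.1125286059",
    "snort.log.1125292589", "snort.log.1125296165", "snort.log.1125296354",
]

if __name__ == "__main__":
    bm = parse_waldo(WALDO_TEXT)
    for finding in check_bookmark(bm, "snort-unified.log", SPOOL_FILES) or ["bookmark consistent"]:
        print(finding)
```

Run against the values from the post, the check reports that the bookmark base (snort.alert) differs from the -f base (snort-unified.log) and that snort-unified.log.1125332058 is newer than the bookmarked file; run with -f snort.alert it reports nothing, which is the state Barnyard is actually in. Deleting or rewriting the bookmark is a configuration decision for the operator; the script only reports.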