[Snort-users] Barnyard not Updating MySQL

Someone.you dont.like maps.this.address at ...11827...
Sun Aug 28 08:12:21 EDT 2005 

Hi,

I am trying to get Barnyard to work in conjunction with Snort to
update to MySQL backend database. All three programs are run on a same
system (localhost) and I am using the following versions:

Barnyard : 
/usr/local/barnyard/bin/barnyard -V
Barnyard Version 0.2.0 (Build 32)

Snort:
/usr/local/snort/bin/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.4.0 (Build 18)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2005 Sourcefire Inc., et al.

MySQL:
/usr/local/mysql/bin/mysql -V
/usr/local/mysql/bin/mysql  Ver 14.7 Distrib 4.1.13a, for pc-linux-gnu
(i686) using  EditLine wrapper

OS:
Slackware 10.1 (kernel 2.6.11.3)

When I configure Snort to update the database directly without
Barnyard, it "does" write accordingly in real time as I run portscan
or some other type attack that would trigger a rule. But when I
attempt to configure Barnyard to process the log files into the
database, I see no event table being updated (same type of attack,
i.e. Stealth SYN port scan...).

A few thing before I go on:
Snort, Barnyard, map, and classification files are under /etc/snort
Log files are under /var/log/snort

*****************
*      snort.conf     *
*****************
I have the following in my /etc/snort/snort.conf:
output alert_unified: filename snort-unified.alert, limit 128
output log_unified: filename snort-unified.log, limit 128

And the MySQL database line is "commented".

*********************
*      barnyard.conf     *
*********************
In /etc/snort/barnyard.conf I have:
config daemon
#config localtime
config hostname: localhost
config interface: bridge0
config filter: not port 22
output alert_fast
output log_dump
output alert_csv: csv.out
timestamp,msg,srcip,sport,dstip,dport,protoname,i\type,icode
output log_pcap
output log_acid_db: mysql, sensor_id 1, database snort, server
localhost, user snort, password [EDITED], detail full
output alert_acid_db: mysql, sensor_id 1, database snort, server
localhost, user snort, password [EDITED], detail full

The passwords are double and triple checked. They work with Snort and
MySQL commandline.

*******************
*     Snort exec        *
*******************
Here's how I run Snort:
/usr/local/snort/bin/snort -dev -u snort -q -c /etc/snort/snort.conf
-i eth0 -l /var/log/snort -D

**************************
*        Barnyard exec           *
**************************
And Barnyard:
/usr/local/barnyard/bin/barnyard -c /etc/snort/barnyard.conf -s
/etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p
/etc/snort/classification.config -d /var/log/snort/ -f
snort-unified.log -X /var/run/by.pid -w /etc/snort/waldo.file -v -v -v
-v -v -v -D

With the following screen output by Barnyard (verbose mode):
Barnyard Version 0.2.0 (Build 32)
Command line arguments:
  Config file:           /etc/snort/barnyard.conf
  Spool dir:             /var/log/snort/
  Gen-msg file:          /etc/snort/gen-msg.map
  Sid-msg file:          /etc/snort/sid-msg.map
  Class file:            /etc/snort/classification.config
  Log dir:               Not specified
  Archive dir:           Not specified
  File base:             snort-unified.log
  Waldo file:            /etc/snort/waldo.file
  Pid file:              /var/run/by.pid
  Verbosity level:       6
  Dry run flag:          Not Set
  Batch mode flag:       Not Set
  Daemon flag:           Set
  New records only flag: Not Set
  Usage flag:            Not Set
  Version flag:          Not Set
Config file variables:
  Hostname:        localhost
  Interface:       bridge0
  BPF Filter:      not port 22
  Class file:      Not specified
  Sid-msg file:    Not specified
  Gen-msg file:    Not specified
  Daemon flag:     Set
  Localtime flag:  Not Set
Program Variables:
  Continual processing mode
  Config dir:    /etc/snort
  Config file:   /etc/snort/barnyard.conf
  Sid-msg file:  /etc/snort/sid-msg.map
  Gen-msg file:  /etc/snort/gen-msg.map
  Class file:    /etc/snort/classification.config
  Hostname:      localhost
  Interface:     bridge0
  BPF Filter:    not port 22
  Log dir:       /var/log/snort
  Verbosity:     6
  Localtime:     0
  Spool dir:     /var/log/snort/
  Spool file:    snort.alert
  Pid file:      /var/run/by.pid
  Bookmark file: /etc/snort/waldo.file
  Record Number: 6
  Timet:         1125274341
  Start at end:  0

********************
*       waldo.file          *
********************
The content of waldo.file after startup of Barnyard is:
cat /etc/snort/waldo.file 
/var/log/snort/ 
snort.alert 
1125274341
6

**************************
*        /var/log/message       *
**************************
Aug 29 12:19:08 [EDITED] barnyard: Starting data processing using
information from bookmark file
Aug 29 12:19:08 [EDITED] barnyard: WARNING: Using spool file from bookmark file
Aug 29 12:19:09 [EDITED] barnyard[21484]: Initializing daemon mode
Aug 29 12:19:09 [EDITED] barnyard[21485]: Opened spool file
'/var/log/snort//snort.alert.1125274341'
Aug 29 12:19:09 [EDITED] barnyard[21485]: OpAlertFast configured
Aug 29 12:19:09 [EDITED] barnyard[21485]:   Filename: fast.alert
Aug 29 12:19:09 [EDITED] barnyard[21485]: OpAlertCSV configured
Aug 29 12:19:09 [EDITED] barnyard[21485]:   Filepath: csv.out
Aug 29 12:19:09 [EDITED] barnyard[21485]:   Format: timestamp, msg,
srcip, sport, dstip, dport, protoname, itype, icode
Aug 29 12:19:09 [EDITED] barnyard[21485]: Waiting for new data


The log files do get written to from what I see:
ls -la /var/log/snort/ 
total 126 drwxr-xr-x   3 snort snort   472 2005-08-29 12:14 ./
drwxr-xr-x  12 root  root   1576 2005-08-28 04:40 ../
drwx------   2 snort snort   112 2005-08-28 20:23 192.168.0.174/
-rw-------   1 snort snort 61144 2005-08-29 12:09 alert
-rw-r--r--   1 snort snort 10548 2005-08-29 12:07 fast.alert
-rw-------   1 snort snort   272 2005-08-29 12:15 snort-unified.alert.1125332058
-rw-------   1 snort snort   488 2005-08-29 12:15 snort-unified.log.1125332058
-rw-------   1 snort snort   400 2005-08-28 21:16 snort.alert.1125274341
-rw-------   1 snort snort  3848 2005-08-28 22:54 snort.log.1125280475
-rw-------   1 snort snort  5824 2005-08-28 23:37 snort.log.1125286059
-rw-------   1 snort snort  5128 2005-08-29 02:15 snort.log.1125292589
-rw-------   1 snort snort   488 2005-08-29 02:17 snort.log.1125296165
-rw-------   1 snort snort 16321 2005-08-29 12:09 snort.log.1125296354

 After portscan:
ls -la /var/log/snort/
total 126
drwxr-xr-x   3 snort snort   472 2005-08-29 12:14 ./
drwxr-xr-x  12 root  root   1576 2005-08-28 04:40 ../
drwx------   2 snort snort   112 2005-08-28 20:23 192.168.0.174/
-rw-------   1 snort snort 61144 2005-08-29 12:09 alert
-rw-r--r--   1 snort snort 10548 2005-08-29 12:07 fast.alert
-rw-------   1 snort snort   528 2005-08-29 12:18 snort-unified.alert.1125332058
-rw-------   1 snort snort   952 2005-08-29 12:18 snort-unified.log.1125332058
-rw-------   1 snort snort   400 2005-08-28 21:16 snort.alert.1125274341
-rw-------   1 snort snort  3848 2005-08-28 22:54 snort.log.1125280475
-rw-------   1 snort snort  5824 2005-08-28 23:37 snort.log.1125286059
-rw-------   1 snort snort  5128 2005-08-29 02:15 snort.log.1125292589
-rw-------   1 snort snort   488 2005-08-29 02:17 snort.log.1125296165
-rw-------   1 snort snort 16321 2005-08-29 12:09 snort.log.1125296354


The weird thing is the waldo.file shows snort.alert.1125274341. I do
not know whether that has something to do with it; please correct me
if I'm wrong. This is how I check the event table:
[Before portscan]:
mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|       60 |
+----------+
1 row in set (0.00 sec)

[A few minutes later after the portscan]
mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|       60 |
+----------+
1 row in set (0.00 sec)
 
In case of Snort only updating the database, I can actually see the
event table growing in real time.


Anyway, I've tried to run Snort and Barnyard with only log or alert
file updates, still Barnyard doesn't update the database. The sensor
id is 1:
mysql> select * from sensor;
+-----+---------------+-----------+--------+--------+----------+----------+
| sid | hostname      | interface | filter | detail | encoding | last_cid |
+-----+---------------+-----------+--------+--------+----------+----------+
|   1 | 192.168.2.134 | eth0      | NULL   |      1 |        0 |       56 |
+-----+---------------+-----------+--------+--------+----------+----------+
1 row in set (0.04 sec)

I have also tried sensor_id 0 and 2 in my barnyard.conf, no luck!

Ok, one last thing, the log files are indeed in unified format because
when I run Barnyard in batch mode, it process them accordingly and I
get:
/usr/local/barnyard/bin/barnyard -o -c /etc/snort/barnyard.conf -s
/etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p
/etc/snort/classification.config 
/var/log/snort/snort-unified.alert.1125332058
Barnyard Version 0.2.0 (Build 32)
Exiting
[user]@[somehost]:~/blah# ls
csv.out  fast.alert

I hope I pretty much covered everything that I could. Any ideas?

Any help would be much appreciated.

More information about the Snort-users mailing list