[Snort-users] Barnyard Issue

Jason Alexander lists at ...9901...
Sat Feb 19 19:05:17 EST 2005


All of a sudden I'm having some issues with barnyard.  For quite some 
time I've been using it to take data from snort and pass it to my 
back-end database/web server.  For some reason barnyard now exits when 
it attempts to process an alert.  I have not changed anything except to
apply a patch to the box (RHEL3).

Here is my startup configuration.

/usr/sbin/barnyard -D \
-c /etc/snort/barnyardmain.conf \
-d /data/snort_output           \
-f snort_unified.log            \
-w /data/snort_output/main.waldo \
-s /etc/snort/sid-msg.map       \
-g /etc/snort/gen-msg.map       \
-X /var/lock/subsys/barnyardmain

I stepped up the -v to get some output:

Feb 19 21:01:05 ids1 barnyard: No bookmark file found, processing all events
Feb 19 21:01:05 ids1 barnyard[9277]: Initializing daemon mode
Feb 19 21:01:05 ids1 barnyard[9278]: Opened spool file '/data/snort_output/snort_unified.log.1108867096'
Feb 19 21:01:05 ids1 barnyard: Barnyard Version 0.2.0 (Build 32)
Feb 19 21:01:05 ids1 barnyard[9278]: OpLogDump configured
Feb 19 21:01:05 ids1 barnyard[9278]:   Filename: dump.log
Feb 19 21:01:05 ids1 barnyard[9278]: OpAcidDB configured
Feb 19 21:01:05 ids1 barnyard[9278]:   Database Flavour: mysql
Feb 19 21:01:05 ids1 barnyard[9278]:   Detail Level: Full
Feb 19 21:01:05 ids1 barnyard[9278]:   Database Server: idsconsole
Feb 19 21:01:05 ids1 barnyard: Command line arguments:
Feb 19 21:01:05 ids1 barnyard[9278]:   Database User: ids1
Feb 19 21:01:05 ids1 barnyard:   Config file:           /etc/snort/barnyardmain.conf
Feb 19 21:01:05 ids1 barnyard:   Spool dir:             /data/snort_output
Feb 19 21:01:05 ids1 barnyard:   Gen-msg file:          /etc/snort/gen-msg.map
Feb 19 21:01:05 ids1 barnyard:   Sid-msg file:          /etc/snort/sid-msg.map
Feb 19 21:01:05 ids1 barnyard:   Class file:            Not specified
Feb 19 21:01:05 ids1 barnyard:   Log dir:               Not specified
Feb 19 21:01:05 ids1 barnyard:   Archive dir:           Not specified
Feb 19 21:01:05 ids1 barnyard:   File base:             snort_unified.log
Feb 19 21:01:05 ids1 barnyard[9278]: sensor_id == 1
Feb 19 21:01:05 ids1 barnyard:   Waldo file:            /data/snort_output/main.waldo
Feb 19 21:01:05 ids1 barnyard[9278]: SensorID: 1
Feb 19 21:01:05 ids1 barnyard:   Pid file:              /var/lock/subsys/barnyardmain
Feb 19 21:01:05 ids1 barnyard[9278]: Next CID: 1
Feb 19 21:01:05 ids1 barnyard:   Verbosity level:       6
Feb 19 21:01:05 ids1 barnyard:   Dry run flag:          Not Set
Feb 19 21:01:05 ids1 barnyard:   Batch mode flag:       Not Set
Feb 19 21:01:05 ids1 barnyard:   Daemon flag:           Set
Feb 19 21:01:05 ids1 barnyard:   New records only flag: Not Set
Feb 19 21:01:05 ids1 barnyard:   Usage flag:            Not Set
Feb 19 21:01:05 ids1 barnyard:   Version flag:          Not Set
Feb 19 21:01:05 ids1 barnyard: Config file variables:
Feb 19 21:01:05 ids1 barnyard:   Hostname:        ids1
Feb 19 21:01:05 ids1 barnyard:   Interface:       eth1
Feb 19 21:01:05 ids1 barnyard:   BPF Filter:      Not specified
Feb 19 21:01:05 ids1 barnyard:   Class file:      Not specified
Feb 19 21:01:05 ids1 barnyard:   Sid-msg file:    Not specified
Feb 19 21:01:05 ids1 barnyard:   Gen-msg file:    Not specified
Feb 19 21:01:05 ids1 barnyard:   Daemon flag:     Set
Feb 19 21:01:05 ids1 barnyard:   Localtime flag:  Set
Feb 19 21:01:05 ids1 barnyard: Program Variables:
Feb 19 21:01:05 ids1 barnyard:   Continual processing mode
Feb 19 21:01:05 ids1 barnyard:   Config dir:    /etc/snort
Feb 19 21:01:05 ids1 barnyard:   Config file:   /etc/snort/barnyardmain.conf
Feb 19 21:01:05 ids1 barnyard:   Sid-msg file:  /etc/snort/sid-msg.map
Feb 19 21:01:05 ids1 barnyard:   Gen-msg file:  /etc/snort/gen-msg.map
Feb 19 21:01:05 ids1 barnyard:   Class file:    /etc/snort/classification.config
Feb 19 21:01:05 ids1 barnyard:   Hostname:      ids1
Feb 19 21:01:05 ids1 barnyard:   Interface:     eth1
Feb 19 21:01:05 ids1 barnyard:   BPF Filter:
Feb 19 21:01:05 ids1 barnyard:   Log dir:       /var/log/snort
Feb 19 21:01:05 ids1 barnyard:   Verbosity:     6
Feb 19 21:01:05 ids1 barnyard:   Localtime:     1
Feb 19 21:01:05 ids1 barnyard:   Spool dir:     /data/snort_output
Feb 19 21:01:05 ids1 barnyard:   Spool file:    snort_unified.log
Feb 19 21:01:05 ids1 barnyard:   Pid file:      /var/lock/subsys/barnyardmain
Feb 19 21:01:05 ids1 barnyard:   Bookmark file: /data/snort_output/main.waldo
Feb 19 21:01:05 ids1 barnyard:   Record Number: 0
Feb 19 21:01:05 ids1 barnyard:   Timet:         0
Feb 19 21:01:05 ids1 barnyard:   Start at end:  0
Feb 19 21:01:05 ids1 barnyard: barnyardmain startup succeeded



I've gone so far as to drop the database, recompile barnyard, reboot the 
sensors, and reboot the database server.  I've looked at the traffic 
between the server and the sensor and it looks like a mysql session 
starts and then just dies in the middle.

I'm at a total loss. Anyone got any ideas?

Thanks
Jason