[Snort-users] Barnyard not populating opt table

David Humes delsasser001 at ...131...
Wed Oct 5 05:36:35 EDT 2005


I noticed that since installing Barnyard we're not
seeing any TCP options when viewing events with BASE. 
I checked the snort.opt table and sure enough it was
empty.  This was a fresh Snort/Barnyard install with
Barnyard running from the start.  I reconfigured Snort
to log directly to the database, and immediately
started seeing data in the opt table.  So, it's fairly
certain that the problem is with Barnyard or more
likely my configuration. 

Here's the config.

config daemon
config localtime
config hostname: ranger
config interface: eth1
config sid-msg-map: /etc/snort/rules/sid-msg.map
config gen-msg-map: /etc/snort/rules/gen-msg.map
config class-file: /etc/snort/rules/classification.config
output alert_acid_db: mysql, database snort, server localhost, user snort, password snort, detail full
output log_acid_db: mysql, database snort, server localhost, user snort, password snort, detail full

And here is how it's being started.

/usr/local/bin/barnyard -c /etc/snort/barnyard/barnyard.conf -d /var/log/snort -f snort.log -w /var/log/snort/waldo.barnyard -a /var/log/snort/archive

Also, it has never been completely clear if the output
alert_acid_db line is necessary.  I have run Barnyard
without that line and it seemed to work fine except
for the problem noted above.  It appears as though the
log files incorporate all of the information in the
alert files, so I would not think that it should be
necessary.

We're running Snort-2.4.2, Barnyard-0.2.0, and mysql
Ver 14.7 

Any assistance would be appreciated.  

--Dave
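The following diagnostic queries are an added example and are not part of Dave's post or of the Snort/Barnyard projects. They assume the standard Snort/ACID MySQL schema created by the create_mysql script shipped with Snort (tables sensor, event, tcphdr and opt, with opt.opt_proto = 6 for TCP options and 0 for IP options); check the column names against your own DESCRIBE output before relying on them. They let you see per sensor whether "detail full" was actually recorded and how many TCP events have option rows, which is the quickest way to tell a sensor-registration problem from a plugin that is simply not writing the opt table.

```sql
-- Added example, not from the original post. Assumes the standard
-- Snort/ACID MySQL schema (sensor, event, tcphdr, opt).

-- 1. Sensors registered by Snort (direct logging) and by Barnyard.
--    detail = 1 means the sensor registered with "detail full";
--    a sensor registered with detail = 0 will never get opt rows.
SELECT sid, hostname, interface, detail, encoding
FROM sensor
ORDER BY sid;

-- 2. Per sensor: TCP events in total vs. TCP events that have at
--    least one TCP option row in opt. A sensor whose second count is
--    zero while the first is large is the one not writing options.
SELECT s.sid,
       s.hostname,
       s.interface,
       COUNT(DISTINCT e.cid) AS tcp_events,
       COUNT(DISTINCT o.cid) AS tcp_events_with_opts
FROM sensor s
JOIN event  e ON e.sid = s.sid
JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
LEFT JOIN opt o ON o.sid = e.sid AND o.cid = e.cid AND o.opt_proto = 6
GROUP BY s.sid, s.hostname, s.interface
ORDER BY s.sid;

-- 3. Most recent events that lack any opt row, to confirm the gap is
--    ongoing rather than historical (timestamp is the event column).
SELECT e.sid, e.cid, e.timestamp
FROM event e
JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
LEFT JOIN opt o ON o.sid = e.sid AND o.cid = e.cid
WHERE o.cid IS NULL
ORDER BY e.timestamp DESC
LIMIT 20;
```

Run these from the mysql client against the snort database. Because Barnyard and a directly logging Snort register as separate rows in sensor (different hostname/interface combinations), the second query separates the two sources, so the comparison Dave made by switching Snort to direct database logging can be read off without reconfiguring anything.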
