[Snort-users] Barnyard not populating opt table

Jeff Nathan jeff at ...950...
Wed Oct 12 09:58:12 EDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

BY's a little stalled at present.  I suspect things will pick up.

There have been some commits more recently than 18 months ago, too.   
Just none to address this. :)

- -Jeff

On Oct 5, 2005, at 4:40 PM, David Humes wrote:

> So, it seems as though this is a feature of the
> current barnyard implementation.  I took a look at the
> op_acid_db.c source code for the output plugin and it
> clearly states that tcp and ip options are not
> handled.  I took a look at the CVS tree for barnyard
> and there are no updates to address this problem.
> Further, there is very little development activity for
> this project.  Most of the files have not been touched
> in 18 months.  It appears to be at best a stalled
> project, which makes me wonder if I should be
> deploying it on production sensors when there is no
> recent development or bug-fix work.  If anyone out
> there is more plugged-in on the future of barnyard,
> your inputs would be appreciated.
>
> Thanks.
>
> --Dave
>
>
> --- David Humes <delsasser001 at ...131...> wrote:
>
>
>> I noticed that since installing Barnyard we're not
>> seeing any TCP options when viewing events with BASE.
>> I checked the snort.opt table and sure enough it was
>> empty.  This was a fresh Snort/Barnyard install with
>> Barnyard running from the start.  I reconfigured Snort
>> to log directly to the database, and immediately
>> started seeing data in the opt table.  So, it's fairly
>> certain that the problem is with Barnyard or more
>> likely my configuration.
>>
>> Here's the config.
>>
>> config daemon
>> config localtime
>> config hostname: ranger
>> config interface: eth1
>> config sid-msg-map:     /etc/snort/rules/sid-msg.map
>> config gen-msg-map:     /etc/snort/rules/gen-msg.map
>> config class-file:      /etc/snort/rules/classification.config
>> output alert_acid_db: mysql, database snort, server localhost, user snort, password snort, detail full
>> output log_acid_db: mysql, database snort, server localhost, user snort, password snort, detail full
>>
>> And here is how it's being started.
>>
>> /usr/local/bin/barnyard -c /etc/snort/barnyard/barnyard.conf -d /var/log/snort -f snort.log -w /var/log/snort/waldo.barnyard -a /var/log/snort/archive
>>
>> Also, it has never been completely clear if the output
>> alert_acid_db line is necessary.  I have run Barnyard
>> without that line and it seemed to work fine except
>> for the problem noted above.  It appears as though the
>> log files incorporate all of the information in the
>> alert files, so I would not think that it should be
>> necessary.
>>
>> We're running Snort-2.4.2, Barnyard-0.2.0, and mysql
>> Ver 14.7
>>
>> Any assistance would be appreciated.
>>
>> --Dave
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>


- --
http://cerberus.sourcefire.com/~jeff       (DSA key id 6923D3FD)
"Not everything that is counted counts, and not everything that  
counts can be counted."   - Albert Einstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDTUBXEqr8+Gkj0/0RArYsAKCUp7Cg1P/tdEAJSECZ9e1BRzfJ1QCfc3G6
0M0Kk5hwLpCJU/Tnrnb9fO8=
=a3yt
-----END PGP SIGNATURE-----
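Dave's diagnosis rests on one observation: the opt table is empty when Barnyard feeds the database and fills up when Snort logs directly. The query below is an added example (not from this thread, not Barnyard or ACID code) that turns that spot check into a per-sensor report, so an operator can see which sensors' events arrive with TCP/IP options and which do not. It assumes the standard Snort/ACID MySQL schema as created by Snort's create_mysql script: sensor(sid, hostname, interface), event(sid, cid), tcphdr(sid, cid, ...) and opt(sid, cid, optid, opt_proto, opt_code, opt_len, opt_data), and that Snort's database output writes opt_proto as 0 for IP options and 6 for TCP options.

```sql
-- Per-sensor option coverage in the ACID/BASE schema (added example;
-- table and column names assume the stock Snort create_mysql schema).
SELECT s.sid,
       s.hostname,
       s.interface,
       COUNT(DISTINCT e.cid) AS events,            -- all events for the sensor
       COUNT(DISTINCT t.cid) AS tcp_events,        -- events that carried a TCP header
       COUNT(DISTINCT o.cid) AS events_with_opts,  -- events with >= 1 opt row
       SUM(CASE WHEN o.opt_proto = 6 THEN 1 ELSE 0 END) AS tcp_opt_rows,  -- assumes 6 = TCP
       SUM(CASE WHEN o.opt_proto = 0 THEN 1 ELSE 0 END) AS ip_opt_rows    -- assumes 0 = IP
FROM sensor s
JOIN event e        ON e.sid = s.sid
LEFT JOIN tcphdr t  ON t.sid = e.sid AND t.cid = e.cid
LEFT JOIN opt o     ON o.sid = e.sid AND o.cid = e.cid
GROUP BY s.sid, s.hostname, s.interface
ORDER BY s.sid;
```

A sensor row with a healthy tcp_events count but events_with_opts = 0 is the symptom in this thread: the writer on that path (here Barnyard's acid_db output) is dropping options before they reach the table. Not every TCP segment carries options, so a modest ratio is normal; a flat zero across many TCP events is what points at the logging path rather than the traffic.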