[Snort-users] Problems with Snort, Barnyard2, BASE on SUSE 11

Nick Moore nmoore at ...1935...
Wed Apr 28 17:52:18 EDT 2010


Also, are you using a waldo file with barnyard and can you send its
contents?

Nick

On Wed, Apr 28, 2010 at 2:04 PM, Michael Sloan <sloan at ...14851...> wrote:

> I've tried to set up Snort on SUSE Linux Enterprise Server 11, and have
> run into troubles. I think it might have been working at one point, but
> now I think it's stopped but I'm not sure, and not entirely sure I even
> compiled and configured everything correctly.
>
> I'm using Snort 2.8.5.3, BASE 1.4.5, Barnyard2 1.8, and MySQL 5.0.67
>
> Barnyard2: compiled with --enable-mysql
>
> Snort: compiled with --enable-targetbased (I could not get --with-mysql
> to work, and didn't actually peruse the mailing lists until long after I
> got everything installed and possibly configured)
>
> In snort.conf:
>   output unified2: filename snort.log, limit 128
>
> In barnyard2.conf:
>   output database: alert, mysql, user=snort password=TopSecretPassword dbname=snort host=localhost
>
> mysql reports that the user snort at ...274... has
>   SELECT, INSERT, UPDATE, DELETE, CREATE on snort.*
>   SELECT, INSERT, UPDATE on snort.sensor
>
> Snort is started with:
>   /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -d -D -u snort
>
> And barnyard2 is started with:
>   /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -D -d /var/log/snort -f snort.log -u snort
>
> After a couple of weeks, I see that snort.log is 133k, but no alerts
> whatsoever have been displayed in BASE. BASE is showing the proper
> database name, and user.
>
> I see in /var/log/messages (after restarting snort and barnyard2 today)
> that barnyard2 read 706 records from the 133k file. I do not see any
> errors in the mysqld logs.
>
> I've looked at installation guides for SUSE 10, Fedora Core 11, and read
> enough from different sources that now I really have no idea what could
> be wrong and after spending quite a few hours on this over the course of
> the last few weeks, I've run out of ideas on what to tweak and change.
>
> Any suggestions (or requests for further information needed) would be
> greatly appreciated.
>
>
> --
> Michael Sloan
> Systems Administrator
> FSU Center for Advanced Power Systems
> sloan at ...14851...
>



-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore at ...1935...
IM    nickgmoore (Yahoo)
      nickgmoore38 (AIM)

   ,,_
  o"  )~   Sourcefire - The Creators of Snort
   ''''

www.sourcefire.com         www.snort.org