[Snort-users] Having problem with Barnyard

JJC cummingsj at ...11827...
Wed Jun 23 20:00:33 EDT 2010


At a quick glance it looks correct. A few things:

   1. /dev/null your waldo file
   2. have you verified MySQL permissions for the user specified in by2?
   3. are you seeing your snort.log files increment as alerts are generated?
   4. when you run by2 (not daemonized) does it say anything about reading
   spool files etc etc?


On Wed, Jun 23, 2010 at 5:57 PM, Nick Moore <nmoore at ...1935...> wrote:

> JJ,
>
> snort -i eth1 -c /etc/snort/snort.conf (pretty boring really)
>
> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w
> /etc/snort/barnyard2.waldo
>
> Nick
>
>
> On Wed, Jun 23, 2010 at 6:50 PM, JJC <cummingsj at ...11827...> wrote:
>
>> What are your runtime options to start each snort and by2?
>>
>> On Wed, Jun 23, 2010 at 4:32 PM, Nick Moore <nmoore at ...1935...> wrote:
>>
>>> All,
>>>
>>> I'm having a problem with Barnyard putting data into MySQL. Snort is
>>> seeing events and the log file is increasing, but no events have yet been
>>> written to the database.
>>>
>>> I've attached my snort.conf and barnyard2.conf. Based on the Snort screen
>>> output below, I'm sure events are triggering:
>>>
>>>
>>> ===============================================================================
>>> Action Stats:
>>> ALERTS: 246
>>> LOGGED: 246
>>> PASSED: 0
>>> =====================
>>>
>>> I'm sure I'm overlooking something simple. If anyone can point me in the
>>> right direction, it would be much appreciated.
>>>
>>> Thanks!
>>>
>>> --
>>> Nick Moore, SFCE, CISSP, CISA
>>> Sr. Systems Engineer
>>> Voice 708-336-9041
>>> Email nick.moore at ...1935...
>>> IM    nickgmoore (Yahoo)
>>>       nickgmoore38 (AIM)
>>>
>>>    ,,_
>>>   o"  )~   Sourcefire - The Creators of Snort
>>>    ''''
>>>
>>> www.sourcefire.com         www.snort.org
>>>
>>
>>
>
>
> --
> Nick Moore, SFCE, CISSP, CISA
> Sr. Systems Engineer
> Voice 708-336-9041
> Email nick.moore at ...1935...
> IM    nickgmoore (Yahoo)
>       nickgmoore38 (AIM)
>
>    ,,_
>   o"  )~   Sourcefire - The Creators of Snort
>    ''''
>
> www.sourcefire.com         www.snort.org
>
>
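Added example, not part of the original thread: a small shell helper for checks 1 and 3 in the list at the top of this message, reporting the state of the waldo file and whether the newest spool file is still growing. The function names are hypothetical, and it assumes Snort writes spool files named `<base>.<unix-timestamp>` in the directory given to `barnyard2 -d`.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumption: spool files are named "<base>.<unix-timestamp>", e.g.
# /var/log/snort/snort.log.1277337600, matching the -d and -f values above.

# Print the most recently modified spool file for BASE in DIR; fail if none.
newest_spool() {
    dir=$1 base=$2
    newest=$(ls -t "$dir"/"$base".* 2>/dev/null | head -n 1)
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# Size of a file in bytes (tr strips the padding some wc builds emit).
file_size() { wc -c < "$1" | tr -d ' '; }

# Check 3: return 0 if the newest spool file grew during WAIT seconds,
# 1 if it did not, 2 if no spool file with that base name exists.
# A rotation to a new file during the wait is not handled here.
spool_growing() {
    dir=$1 base=$2 wait=${3:-10}
    f=$(newest_spool "$dir" "$base") || return 2
    before=$(file_size "$f")
    sleep "$wait"
    after=$(file_size "$f")
    [ "$after" -gt "$before" ]
}

# Check 1: report whether the waldo (barnyard2's bookmark into the spool)
# is missing, empty, or present with content.
waldo_state() {
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -s "$1" ]; then echo empty
    else echo present
    fi
}

# Usage with the paths from the command lines quoted above:
#   waldo_state /etc/snort/barnyard2.waldo
#   spool_growing /var/log/snort snort.log 30 && echo "spool is growing"
```

A result of 2 from `spool_growing` means the base name passed to `-f` matches no file in the spool directory, which is worth ruling out before looking at the database side.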