[Snort-users] Having problem with Barnyard

Nick Moore nmoore at ...1935...
Wed Jun 23 21:08:46 EDT 2010


JJ,

1. OK, done. barnyard2 -w /dev/null. Hope this is what you meant. by2 starts
with a message saying "WARNING: Ignoring truncated/corrupt waldofile
'/dev/null'."
2. Looks pretty good:

mysql> show grants for 'snort'@'localhost';
+-------------------------------------------------------------------------------------+
| Grants for snort at ...274...                                                       |
+-------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'snort'@'localhost' IDENTIFIED BY PASSWORD '5d2e19393cc5ef67' |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `snort`.* TO 'snort'@'localhost'    |
+-------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql>

3. Before:

[root at ...14908... snort]# ls -la /var/log/snort
total 104
drwxr-xr-x.  2 snort snort  4096 2010-06-23 11:34 .
drwxr-xr-x. 15 root  root   4096 2010-06-23 12:00 ..
-rw-------.  1 snort snort     0 2010-06-23 10:38 alert
-rw-------.  1 root  root      0 2010-06-23 11:06 merged.log
-rw-------.  1 root  root  96287 2010-06-23 14:12 snort.log
[root at ...14908... snort]#

After:

[root at ...14908... snort]# ls -la /var/log/snort
total 280
drwxr-xr-x.  2 snort snort   4096 2010-06-23 11:34 .
drwxr-xr-x. 15 root  root    4096 2010-06-23 12:00 ..
-rw-------.  1 snort snort      0 2010-06-23 10:38 alert
-rw-------.  1 root  root       0 2010-06-23 11:06 merged.log
-rw-------.  1 root  root  277755 2010-06-23 20:03 snort.log
[root at ...14908... snort]#

4. by2 says it is waiting for new spool files. Makes me think I'm doing
something wrong in my barnyard config.

Thanks,

Nick


On Wed, Jun 23, 2010 at 7:00 PM, JJC <cummingsj at ...11827...> wrote:

> At quick glance it looks correct.. a few things:
>
>    1. /dev/null your waldo file
>    2. have you verified mysql permissions for the user specified in by2
>    3. are you seeing your snort.log files increment as alerts are
>    generated
>    4. when you run by2 (not daemonized) does it say anything about reading
>    spool files etc etc?
>
>
> On Wed, Jun 23, 2010 at 5:57 PM, Nick Moore <nmoore at ...1935...> wrote:
>
>> JJ,
>>
>> snort -i eth1 -c /etc/snort/snort.conf (pretty boring really)
>>
>> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w
>> /etc/snort/barnyard2.waldo
>>
>> Nick
>>
>>
>> On Wed, Jun 23, 2010 at 6:50 PM, JJC <cummingsj at ...11827...> wrote:
>>
>>> What are your runtime options to start each snort and by2?
>>>
>>> On Wed, Jun 23, 2010 at 4:32 PM, Nick Moore <nmoore at ...1935...> wrote:
>>>
>>>> All,
>>>>
>>>> I'm having a problem with Barnyard putting data into MySQL. Snort is
>>>> seeing events and the log file is increasing, but no events have yet been
>>>> written to the database.
>>>>
>>>> I've attached my snort.conf and barnyard2.conf. Based on the Snort
>>>> screen output below, I'm sure events are triggering:
>>>>
>>>>
>>>> ===============================================================================
>>>> Action Stats:
>>>> ALERTS: 246
>>>> LOGGED: 246
>>>> PASSED: 0
>>>> =====================
>>>>
>>>> I'm sure I'm overlooking something simple. If anyone can point me in the
>>>> right direction, it would be much appreciated.
>>>>
>>>> Thanks!
>>>>
>>>> --
>>>> Nick Moore, SFCE, CISSP, CISA
>>>> Sr. Systems Engineer
>>>> Voice 708-336-9041
>>>> Email nick.moore at ...1935...
>>>> IM    nickgmoore (Yahoo)
>>>>       nickgmoore38 (AIM)
>>>>
>>>>    ,,_
>>>>   o"  )~   Sourcefire - The Creators of Snort
>>>>    ''''
>>>>
>>>> www.sourcefire.com         www.snort.org
>>>>
>>>>
>>>>


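JJ's check 3 and Nick's point 4 both come down to whether the spool file barnyard2 is pointed at actually contains unified2 records it can read. The script below is an added example, not code from the thread or from the Snort/barnyard2 projects: it walks the unified2 record headers (4-byte type, 4-byte length, network byte order) of a spool file, counts records by type, pulls the gid/sid/rev of the first IPv4 event, flags a trailing partial record, and reports if the file is really a libpcap capture (which barnyard2 would never pick up as a unified2 spool). The sample bytes are constructed inline; the record type numbers and event field order are Snort's documented unified2 layout.

```python
"""Inspect a Snort unified2 spool file: count records by type, report the
first event, detect pcap-format files. Sample data below is constructed."""
import struct
from collections import Counter

# Record type ids from Snort's unified2 definition.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_V2 = 104
UNIFIED2_IDS_EVENT_IPV6_V2 = 105
PCAP_MAGICS = (b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1")

def parse_unified2(data):
    """Walk the 8-byte (type, length) record headers; return a summary dict."""
    if data[:4] in PCAP_MAGICS:
        return {"format": "pcap", "records": Counter(), "truncated": False,
                "first_event": None}
    counts, first_event, off = Counter(), None, 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack("!II", data[off:off + 8])
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            break  # partial record: snort still writing, or file corrupt
        counts[rtype] += 1
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_V2) and first_event is None:
            # sensor_id, event_id, event_second, event_usec, sig_id, gen_id,
            # sig_rev, class_id, priority: first nine uint32 fields of an IPv4 event
            f = struct.unpack("!9I", body[:36])
            first_event = {"event_id": f[1], "gid": f[5], "sid": f[4], "rev": f[6]}
        off += 8 + rlen
    return {"format": "unified2", "records": counts,
            "truncated": off != len(data), "first_event": first_event}

def build_sample():
    """Constructed spool content: one IPv4 event (gid 1, sid 2000001, rev 3)
    followed by its packet record."""
    event = struct.pack("!9I", 0, 1, 1277341800, 0, 2000001, 1, 3, 0, 2)
    event += struct.pack("!II", 0x0A000001, 0x0A000002)   # 10.0.0.1 -> 10.0.0.2
    event += struct.pack("!HHBBBB", 12345, 80, 6, 0, 0, 0)  # sport, dport, tcp, flags
    pkt = b"\x00" * 16                                    # placeholder packet bytes
    packet = struct.pack("!7I", 0, 1, 1277341800, 1277341800, 0, 1, len(pkt)) + pkt
    return (struct.pack("!II", UNIFIED2_IDS_EVENT, len(event)) + event +
            struct.pack("!II", UNIFIED2_PACKET, len(packet)) + packet)

SAMPLE = build_sample()
SUMMARY = parse_unified2(SAMPLE)

if __name__ == "__main__":
    import sys  # pass a real spool file path (e.g. /var/log/snort/snort.log.<ts>)
    print(parse_unified2(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else SUMMARY)
```

Run it against the file barnyard2 is watching: zero event records, a "pcap" verdict, or a file name that does not match the `-f` filebase plus timestamp pattern all explain "waiting for new spool files" without the database being at fault.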