[Snort-users] Barnyard2 not inputting portscans (was Unified Logging - BASE - Portscans)

James Lay jlay at ...13475...
Wed Jul 27 09:27:30 EDT 2011


Heh..fail ;)

Jul 27 07:26:05 gateway barnyard2[30517]:         --== Initializing Barnyard2 ==--
Jul 27 07:26:05 gateway barnyard2[30517]: Initializing Input Plugins!
Jul 27 07:26:05 gateway barnyard2[30517]: Initializing Output Plugins!
Jul 27 07:26:05 gateway barnyard2[30517]: Parsing config file "/opt/etc/snort/barnyard2.conf"
Jul 27 07:26:09 gateway barnyard2[30517]: Log directory = /var/log/barnyard2
Jul 27 07:26:09 gateway barnyard2[30517]: FATAL ERROR: Unified2Init(): Can't start with NULL arguments


Same setup/start line as previous barnyard ;)

On 7/27/11 6:50 AM, "beenph" <beenph at ...11827...> wrote:

>On Wed, Jul 27, 2011 at 8:30 AM, James Lay <jlay at ...13475...>
>wrote:
>> Interesting....and guess what...barnyard2 doesn't seem to log portscan
>> data:
>>
>> Jul 26 20:34:39 gateway snort[4555]: [122:17:0] (portscan) UDP Portscan
>> [Priority: 3] {PROTO:255} 205.171.2.25 -> my.ext.ip
>>
>> A search for 205.171.2.25 came up empty....I think we have our issue.
>> Time to talk to firnsy maybe?
>>
>
>The only thing that barnyard2 is not logging should be
>EXTRADATA events.
>
>Now in barnyard2 1.10, the only issue I could see that would lead to
>your portscan not being reported is the spooler cache mechanism that
>will be removed in a future version since the spooler has been refactored.
>
>You can find a version of barnyard2 without the spooler cache and with
>spooler improvements @ https://github.com/binf/barnyard2.
>
>Let us know if this fixes what you are observing.
>
>Thanks
>-elz
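A cross-check for the gap James describes (a portscan alert present in snort's syslog output but absent from barnyard2's), added here as an example and not part of the thread: it parses the `[gid:sid:rev] msg [Priority: n] {proto} src -> dst` alert format shown above from both sources and lists the snort alerts barnyard2 never emitted. The sample lines are constructed, and it is assumed that barnyard2 writes the same alert format through its alert_syslog output plugin.

```python
import re
from typing import List, NamedTuple, Set, Tuple

PORTSCAN_GID = 122  # generator id of snort's portscan preprocessor, as in the [122:17:0] line above

# Matches the alert body from the thread: [gid:sid:rev] (optional tag) msg [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"\[(\d+):(\d+):(\d+)\]\s+(?:\(\w+\)\s+)?(.*?)\s+\[Priority: (\d+)\]\s+\{([^}]+)\}\s+(\S+)\s+->\s+(\S+)"
)

class Alert(NamedTuple):
    gid: int
    sid: int
    rev: int
    msg: str
    src: str  # host only; the port is stripped so both sides compare on address
    dst: str

def _host(endpoint: str) -> str:
    """Drop a trailing :port from 'addr:port' (single colon only, so IPv6 literals are left alone)."""
    host, sep, port = endpoint.rpartition(":")
    return host if sep and port.isdigit() and ":" not in host else endpoint

def parse_alerts(text: str) -> List[Alert]:
    """Extract alerts from syslog lines; non-alert lines (startup banners etc.) are skipped."""
    found = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            found.append(Alert(int(m[1]), int(m[2]), int(m[3]), m[4], _host(m[7]), _host(m[8])))
    return found

def missing_from_barnyard(snort_text: str, barnyard_text: str) -> List[Alert]:
    """Alerts snort emitted that never showed up in barnyard2's output, keyed on gid/sid/src/dst."""
    seen: Set[Tuple[int, int, str, str]] = {(a.gid, a.sid, a.src, a.dst) for a in parse_alerts(barnyard_text)}
    return [a for a in parse_alerts(snort_text) if (a.gid, a.sid, a.src, a.dst) not in seen]

# Constructed sample data: the portscan line from the thread plus one ordinary rule alert.
SNORT_SYSLOG = """\
Jul 26 20:34:39 gateway snort[4555]: [122:17:0] (portscan) UDP Portscan [Priority: 3] {PROTO:255} 205.171.2.25 -> my.ext.ip
Jul 26 20:35:02 gateway snort[4555]: [1:2000001:3] Test rule [Priority: 2] {TCP} 198.51.100.7:4444 -> my.ext.ip:22
"""
# Constructed: what barnyard2 (assumed to use its alert_syslog output plugin) logged for the same window.
BARNYARD_SYSLOG = """\
Jul 26 20:35:03 gateway barnyard2[30517]: [1:2000001:3] Test rule [Priority: 2] {TCP} 198.51.100.7:4444 -> my.ext.ip:22
"""

if __name__ == "__main__":
    for a in missing_from_barnyard(SNORT_SYSLOG, BARNYARD_SYSLOG):
        tag = "portscan" if a.gid == PORTSCAN_GID else "rule"
        print(f"not in barnyard2 ({tag}): [{a.gid}:{a.sid}:{a.rev}] {a.msg} {a.src} -> {a.dst}")
```

Running it over real snort and barnyard2 syslog captures for the same window will show whether only GID 122 events go missing, which is the symptom the thread attributes to the spooler cache.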
