[Snort-users] snort events not written by barnyard2 to snorby database

beenph beenph at ...11827...
Sat Jun 23 08:41:28 EDT 2012


On Sat, Jun 23, 2012 at 6:16 AM, Herbert Groot Jebbink
<herbert at ...15681...> wrote:
> Hi,

Greetings, Herbert.

use output unified2 instead of output alert_unified2.

Also make sure you do not use -b or -A fast in your snort command line.

-elz


>
> I have setup snort, barnyard & snorby on a ubuntu 12.4 box, all seems
> ok, however the events generated by snort are not written to the mysql
> database.
>
> ---- below the setup in snort.conf
>
> output alert_unified2: filename alert, limit 128
>
> ----- below the barnyard2 config
>
> config reference_file:      /etc/snort/reference.config
> config classification_file: /etc/snort/classification.config
> config gen_file:            /etc/snort/gen-msg.map
> config sid_file:            /etc/snort/community-sid-msg.map
> config logdir: /var/log/barnyard2/
> config waldo_file: /var/log/barnyard2/barnyard2.waldo
> input unified2
> output alert_fast: stdout
> output database: log, mysql, user=snorby password=snorby dbname=snorby
> host=localhost
>
> ---- below the barnyard startup command in /etc/init.d/barnyard2
>
> barnyard2 -d /var/log/snort -f alert > /var/log/barnyard2/start.log 2>&1
>
> ---- below the stdout from above barnyard job
> ---------------------------------------------------
>
> Running in Continuous mode
>
>        --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> Parsing config file "/etc/barnyard2.conf"
> Log directory = /var/log/barnyard2/
> database: compiled support for (mysql)
> database: configured to use mysql
> database: schema version = 107
> database:           host = localhost
> database:           user = snorby
> database:  database name = snorby
> database:    sensor name = gozo:NULL
> database:      sensor id = 1
> database:     sensor cid = 1
> database:  data encoding = hex
> database:   detail level = full
> database:     ignore_bpf = no
> database: using the "log" facility
>
>        --== Initialization Complete ==--
>
>  ______   -*> Barnyard2 <*-
>  / ,,_  \  Version 2.1.9 (Build 263)
>  |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
>  + '''' +  (C) Copyright 2008-2010 SecurixLive.
>
>           Snort by Martin Roesch & The Snort Team:
> http://www.snort.org/team.html
>           (C) Copyright 1998-2007 Sourcefire Inc., et al.
>
> Using waldo file '/var/log/barnyard2/barnyard2.waldo':
>    spool directory = /var/log/snort
>    spool filebase  = alert
>    time_stamp      = 1340435023
>    record_idx      = 83
> Opened spool file '/var/log/snort/alert.1340435023'
> Waiting for new data
> ===============================================================================
> Record Totals:
>   Records:          320
>    Events:          320 (100.000%)
>   Packets:            0 (0.000%)
> ===============================================================================
> Packet breakdown by protocol (includes rebuilt packets):
>      ETH: 0          (0.000%)
>  ETHdisc: 0          (0.000%)
>     VLAN: 0          (0.000%)
>     IPV6: 0          (0.000%)
>  IP6 EXT: 0          (0.000%)
>  IP6opts: 0          (0.000%)
>  IP6disc: 0          (0.000%)
>      IP4: 0          (0.000%)
>  IP4disc: 0          (0.000%)
>    TCP 6: 0          (0.000%)
>    UDP 6: 0          (0.000%)
>    ICMP6: 0          (0.000%)
>  ICMP-IP: 0          (0.000%)
>      TCP: 0          (0.000%)
>      UDP: 0          (0.000%)
>     ICMP: 0          (0.000%)
>  TCPdisc: 0          (0.000%)
>  UDPdisc: 0          (0.000%)
>  ICMPdis: 0          (0.000%)
>     FRAG: 0          (0.000%)
>   FRAG 6: 0          (0.000%)
>      ARP: 0          (0.000%)
>    EAPOL: 0          (0.000%)
>  ETHLOOP: 0          (0.000%)
>      IPX: 0          (0.000%)
>    OTHER: 0          (0.000%)
>  DISCARD: 0          (0.000%)
> InvChkSum: 0          (0.000%)
>   S5 G 1: 0          (0.000%)
>   S5 G 2: 0          (0.000%)
>    Total: 0
> ===============================================================================
>
> Kind Regards, Herbert
>
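As an added diagnostic (not code from this thread or from barnyard2): a small Python parser that counts unified2 record types the way barnyard2's "Record Totals" banner does, so an events-but-no-packets spool, which is what `output alert_unified2` produces and what the `log` facility of the database plugin cannot insert, can be confirmed directly from the spool file before touching snort.conf. Record type values are those from Snort's unified2 header; the sample records are constructed here, not real captures.

```python
import struct
from collections import Counter

# Unified2 record types (values from Snort's Unified2_common.h)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN}
HEADER = struct.Struct(">II")  # record type, record length (network byte order)


def read_records(data):
    """Yield (type, body) for each record; stop cleanly on a truncated tail."""
    off = 0
    while off + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, off)
        off += HEADER.size
        if off + rlen > len(data):
            break  # partial record, e.g. snort is still writing it
        yield rtype, data[off:off + rlen]
        off += rlen


def record_totals(data):
    """Count records like barnyard2's 'Record Totals' banner."""
    counts = Counter(events=0, packets=0, extra=0, other=0)
    for rtype, _ in read_records(data):
        if rtype in EVENT_TYPES:
            counts["events"] += 1
        elif rtype == UNIFIED2_PACKET:
            counts["packets"] += 1
        elif rtype == UNIFIED2_EXTRA_DATA:
            counts["extra"] += 1
        else:
            counts["other"] += 1
    return dict(counts)


def diagnose(totals):
    """Events with zero packets is the signature of 'output alert_unified2'."""
    if totals["events"] and not totals["packets"]:
        return "alert-only spool: 'output database: log' will insert nothing"
    return "spool carries packet records: log facility can insert events"


def _rec(rtype, body):  # constructed sample record; only the header matters here
    return HEADER.pack(rtype, len(body)) + body

ALERT_ONLY = b"".join(_rec(UNIFIED2_IDS_EVENT, b"\x00" * 52) for _ in range(3))
FULL_UNIFIED2 = _rec(UNIFIED2_IDS_EVENT, b"\x00" * 52) + _rec(UNIFIED2_PACKET, b"\x00" * 40)
```

Run it against a real spool with `record_totals(open("/var/log/snort/alert.1340435023", "rb").read())`; a result matching the 320 events / 0 packets from the banner above confirms the alert_unified2 output is the cause.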
