[Snort-users] Fwd: Re: barnyard2-1.10 major problem

Lawrence R. Hughes, Sr. lhughes at ...14822...
Thu Oct 25 11:57:00 EDT 2012


Beenph,

So what I see, and correct me if I am wrong, is that you take a single event from 
snort that has 2 packets and create 2 separate events in the database.

So if I had a single event from snort that has 6 packets that are all listed 
with the same event_id, barnyard would create 6 events in the snort.event 
database, correct?

If this is the case, please explain why you would break the packets from a 
single event into several events.

Thanks,
Larry

----- Original Message ----- 
From: "beenph" <beenph at ...11827...>
To: "Lawrence R. Hughes, Sr." <lhughes at ...14822...>
Cc: <barnyard2-users at ...14071...>; "snort-users" 
<snort-users at lists.sourceforge.net>
Sent: Thursday, October 25, 2012 11:40 AM
Subject: Re: [Snort-users] Fwd: Re: barnyard2-1.10 major problem


On Thu, Oct 25, 2012 at 10:53 AM, Lawrence R. Hughes, Sr.
<lhughes at ...14822...> wrote:
> Yes, I stopped barnyard2, deleted all events from database, deleted
> snort.waldo file, next restarted snort & barnyard2
>
> I attached barnyard2.conf file

Well I am not seeing the same output.

mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|        0 |
+----------+
1 row in set (0.00 sec)


root at ...15894...:~/BY/Test# ./barnyard2 --alert-on-each-packet-in-stream  -w
./waldo -f snort.log -d ./log/
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "./barnyard2.conf"
Log directory = /root/BY/Test/log
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid)
FROM event WHERE sid='35';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid)
FROM icmphdr WHERE sid='35';]
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = barnyard2
database:  database name = elz
database:    sensor name = tho:eth0xdd
database:      sensor id = 35
database:     sensor cid = 6577
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.10 (Build 313)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2012 Ian Firns <firnsy at ...14568...>

WARNING: Unable to open waldo file './waldo' (No such file or directory)
Opened spool file './log//snort.log.1350901409'
Waiting for new data

mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|        2 |
+----------+
1 row in set (0.00 sec)

mysql> select * FROM data WHERE cid IN (6577,6578) AND sid=35;
+-----+------+-----------------------+
| sid | cid  | data_payload          |
+-----+------+-----------------------+
|  35 | 6577 | (hex payload omitted) |
|  35 | 6578 | (hex payload omitted) |
+-----+------+-----------------------+
2 rows in set (0.03 sec)



-elz
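The exchange above turns on one check: whether a single multi-packet snort event shows up as several rows in the `event` table (one per packet, as `--alert-on-each-packet-in-stream` does) and how to tell that apart from genuinely separate alerts. The script below is an added example, not code from the thread or from the barnyard2 project. It reproduces the two-row result beenph observed in an in-memory SQLite database standing in for MySQL, using only a subset of the snort/barnyard2 schema (`event(sid, cid, signature, timestamp)` and `data(sid, cid, data_payload)`; the `signature` and `timestamp` columns are assumed from the standard schema, not shown in the thread). The sample rows and payload hex are constructed; sensor id 35 and cids 6577/6578 are the values from the thread.

```python
import sqlite3

# Constructed sample rows modelled on a subset of the snort/barnyard2 schema.
# sid 35 and cids 6577/6578 match the thread; the third row is an unrelated
# alert. Signature ids, timestamps and payload hex are constructed values.
SAMPLE_EVENTS = [
    (35, 6577, 1000001, "2012-10-22 09:03:29"),  # packet 1 of one snort event
    (35, 6578, 1000001, "2012-10-22 09:03:29"),  # packet 2 of the same event
    (35, 6579, 1000002, "2012-10-22 09:05:10"),  # a separate, single-packet alert
]
SAMPLE_DATA = [
    (35, 6577, "45000034"),
    (35, 6578, "4500003c"),
    (35, 6579, "45000028"),
]


def build_sample_db():
    """Create an in-memory database with the two tables the thread queries."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE event (
            sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
            PRIMARY KEY (sid, cid)
        );
        CREATE TABLE data (
            sid INTEGER, cid INTEGER, data_payload TEXT,
            PRIMARY KEY (sid, cid)
        );
        """
    )
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)", SAMPLE_DATA)
    conn.commit()
    return conn


def count_events(conn, sid):
    """Same check as 'select count(*) from event' in the thread, per sensor."""
    return conn.execute("SELECT COUNT(*) FROM event WHERE sid = ?", (sid,)).fetchone()[0]


def find_split_events(conn):
    """Return groups where one sensor logged more than one row for the same
    signature at the same timestamp, i.e. one snort event expanded into one
    database event per packet. Each tuple is
    (sid, signature, timestamp, rows, distinct_payloads)."""
    sql = """
        SELECT e.sid, e.signature, e.timestamp,
               COUNT(*)                      AS rows_logged,
               COUNT(DISTINCT d.data_payload) AS distinct_payloads
        FROM event e
        JOIN data d ON d.sid = e.sid AND d.cid = e.cid
        GROUP BY e.sid, e.signature, e.timestamp
        HAVING COUNT(*) > 1
        ORDER BY e.sid, e.timestamp
    """
    return conn.execute(sql).fetchall()


def count_distinct_alerts(conn, sid):
    """Alert count that collapses per-packet rows back to one per snort event."""
    sql = """
        SELECT COUNT(*) FROM (
            SELECT 1 FROM event WHERE sid = ? GROUP BY sid, signature, timestamp
        )
    """
    return conn.execute(sql, (sid,)).fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    print("rows in event for sid 35:", count_events(db, 35))
    print("distinct alerts for sid 35:", count_distinct_alerts(db, 35))
    for sid, sig, ts, rows, payloads in find_split_events(db):
        print(f"sid={sid} sig={sig} at {ts}: {rows} rows, {payloads} distinct payloads")
```

The practical point for anyone reporting on this schema: with per-packet logging enabled, `COUNT(*)` on `event` counts packets, not alerts, so dashboards and threshold rules that read the table directly will over-count; grouping on `(sid, signature, timestamp)` as in `count_distinct_alerts` gives the per-event number, while the per-packet rows remain available for payload inspection.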




