[Snort-users] Snort & Barnyard

James james at ...16635...
Mon Dec 30 16:41:48 EST 2013


Sorry for not replying sooner - holidays have meant a delay in getting time
to test it out. That has indeed fixed it. Stuff is now appearing in the
database, thank you! So should I leave -A off all the time and put back -b
and -d?

I'm not yet seeing alerts in the GUI, but I expect that's outside the scope
of this mailing list, so I'll continue trying to fix that.

Many thanks again.

James


On 30 December 2013 14:09, Ayodele Okeowo <aymacro at ...11827...> wrote:

> Does that mean it worked?
>
> Ayo
>
>
> On Mon, Dec 23, 2013 at 10:20 AM, James Hodge <james at ...16645...> wrote:
>
>> Hi,
>>
>> Thanks for your reply. Yes, at least I think so, I'm running snort like
>> this:
>> /usr/sbin/snort -A fast -b -d -D -i eth1 -u snort -g snort -c
>> /etc/snort/snort.conf -l /usr/local/snort/var/log/eth1
>>
>> Starting barnyard without daemon mode shows this only:
>>
>> root at ...16640...:/var/www/aanval/apps# barnyard2 -c
>> /etc/snort/barnyard.conf -d /usr/local/snort/var/log/eth1 -w
>> /usr/local/snort/var/log/eth1/barnyard2.waldo -l
>> /usr/local/snort/var/log/eth1 -a /usr/local/snort/var/log/eth1/archive -f
>> snort.log -X /var/lock/barnyard2-eth1.pid
>> Running in Continuous mode
>>
>>         --== Initializing Barnyard2 ==--
>> Initializing Input Plugins!
>> Initializing Output Plugins!
>> Parsing config file "/etc/snort/barnyard.conf"
>>
>>
>> +[ Signature Suppress list ]+
>> ----------------------------
>> +[No entry in Signature Suppress List]+
>> ----------------------------
>> +[ Signature Suppress list ]+
>>
>>
>> Barnyard2 spooler: Event cache size set to [2048]
>> Log directory = /usr/local/snort/var/log/eth1
>> INFO database: Defaulting Reconnect/Transaction Error limit to 10
>> INFO database: Defaulting Reconnect sleep time to 5 second
>>
>> [SignatureReferencePullDataStore()]: No Reference found in database ...
>> database: compiled support for (mysql)
>> database: configured to use mysql
>> database: schema version = 107
>> database:           host = localhost
>> database:           user = snort_user
>> database:  database name = snortdb
>> database:    sensor name = localhost:eth1
>> database:      sensor id = 2
>> database:     sensor cid = 1
>> database:  data encoding = hex
>> database:   detail level = full
>> database:     ignore_bpf = no
>> database: using the "log" facility
>>
>>         --== Initialization Complete ==--
>>
>>   ______   -*> Barnyard2 <*-
>>  / ,,_  \  Version 2.1.13 (Build 327)
>>  |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
>>  + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy at ...14568...>
>>
>> Using waldo file '/usr/local/snort/var/log/eth1/barnyard2.waldo':
>>     spool directory = /usr/local/snort/var/log/eth1
>>     spool filebase  = snort.log
>>     time_stamp      = 1387663189
>>     record_idx      = 0
>> Opened spool file '/usr/local/snort/var/log/eth1/snort.log.1387663189'
>> Closing spool file '/usr/local/snort/var/log/eth1/snort.log.1387663189'.
>> Read 0 records
>> Opened spool file '/usr/local/snort/var/log/eth1/snort.log.1387811302'
>> Waiting for new data
>>
>> If I then press ctrl-c it says it's seen 0 for every field.
>>
>> If it helps, this is the dir in question:
>>
>> root at ...16640...:/var/www/aanval/apps# ls -al
>> /usr/local/snort/var/log/eth1/
>>
>> total 98184
>> drwxr-xr-x 4 snort snort      4096 Dec 23 15:11 .
>> drwxr-xr-x 4 snort snort      4096 Dec 21 22:27 ..
>> -rw-r--r-- 1 snort snort 100383823 Dec 23 15:13 alert
>> drwxr-xr-x 2 snort snort      4096 Dec 23 15:11 archive
>> -rw------- 1 snort snort      2056 Dec 23 15:11 barnyard2.waldo
>> -rw------- 1 snort snort    128173 Dec 23 15:13 snort.log.1387811302
>>
>>
>>
>> On 22 December 2013 23:29, Ayodele Okeowo <aymacro at ...11827...> wrote:
>>
>>> When you ran snort did you use the '-A console' switch? Also did you
>>> test your barnyard without daemon?
>>> On Dec 22, 2013 6:04 PM, "James" <snort at ...16635...> wrote:
>>>
>>>>  Hi all,
>>>>
>>>> I've followed this guide:
>>>> http://wiki.aanval.com/wiki/Community:Snort_2.9.2.3_Installation_Guide_for_Ubuntu_12.04,_with_Barnyard2,_Pulledpork,_and_Aanval
>>>> but using the most current Snort + Barnyard and everything seems to
>>>> have installed and start-up correctly, but I'm not seeing anything get
>>>> logged into the MySQL database. There were a few mistakes in the guide,
>>>> which I've managed to fix with a bit of Googling, but I can't seem to solve
>>>> this. I realise you're probably going to need more information to be able
>>>> to help, but don't know enough yet to guess what that might be. Can anyone
>>>> help please? The alternative is I wipe it all and start again in the hope I
>>>> just missed something stupid the first time, but hopefully someone could
>>>> help me avoid that?
>>>>
>>>> Thanks
>>>> James
>>>>
>>>>
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>
>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>> Snort news!
>>>>
>>>
>>
>>
>
>
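Added note and example, not part of the thread above. The listing James posted shows barnyard2 opening a 128 KB `snort.log.1387811302` and reporting "Read 0 records", and the snort command line carries `-b`, which makes snort write packets in tcpdump (pcap) format to a file also named `snort.log.<timestamp>` in the log directory. If the unified2 output in snort.conf uses the same `snort.log` filebase, barnyard2 can open a pcap file and find no unified2 records in it, which is consistent with the fix being to drop `-b`. Whether or not that was the cause here, the check below settles it for any spool file: it distinguishes a pcap capture from a unified2 spool by its framing and counts the unified2 records barnyard2 would see. It relies only on the unified2 record header (4-byte type and 4-byte length, network byte order) and record type numbers from Snort's `Unified2_common.h`, and on the standard pcap magic numbers; the sample data is constructed inline, with zero-filled record bodies, since only the framing matters for this check.

```python
"""Tell a unified2 spool file (what barnyard2 reads) from a tcpdump/pcap
capture (what `snort -b` writes) and count the unified2 records present.
Added example for the thread above; not Snort or barnyard2 code."""
import struct
import sys
from collections import Counter

# pcap global-header magic, both byte orders, microsecond and nanosecond variants.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
    b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1",
}

# Record types from Snort's sfutil/Unified2_common.h (the ones snort 2.9 emits).
UNIFIED2_TYPES = {
    2: "UNIFIED2_PACKET",
    7: "UNIFIED2_IDS_EVENT",
    72: "UNIFIED2_IDS_EVENT_IPV6",
    104: "UNIFIED2_IDS_EVENT_V2",
    105: "UNIFIED2_IDS_EVENT_IPV6_V2",
    110: "UNIFIED2_EXTRA_DATA",
}

# Every unified2 record starts with: uint32 type, uint32 length (network order).
HEADER = struct.Struct(">II")


def parse_unified2(data):
    """Walk unified2 record headers.

    Returns (counts_by_type, bytes_consumed, problem) where problem is None,
    "partial" (a record extends past end of file, as with a file snort is
    still writing) or "bad-type" (the framing stopped making sense)."""
    counts = Counter()
    offset = 0
    while offset + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, offset)
        if rtype not in UNIFIED2_TYPES:
            return counts, offset, "bad-type"
        if offset + HEADER.size + rlen > len(data):
            return counts, offset, "partial"
        counts[UNIFIED2_TYPES[rtype]] += 1
        offset += HEADER.size + rlen
    return counts, offset, ("partial" if offset < len(data) else None)


def classify(data):
    """Classify spool-file bytes as empty / pcap / unified2 / unknown."""
    if not data:
        return {"format": "empty", "records": 0, "types": {}, "problem": None,
                "note": "no data yet; barnyard2 will wait for new data"}
    if data[:4] in PCAP_MAGICS:
        return {"format": "pcap", "records": 0, "types": {}, "problem": None,
                "note": "tcpdump capture (snort -b output); barnyard2 reads 0 records from this"}
    counts, consumed, problem = parse_unified2(data)
    total = sum(counts.values())
    if total == 0:
        return {"format": "unknown", "records": 0, "types": {}, "problem": problem,
                "note": "neither pcap magic nor a valid unified2 record header at offset 0"}
    return {"format": "unified2", "records": total, "types": dict(counts),
            "problem": problem,
            "note": f"{total} records in {consumed} bytes"
                    + (f"; trailing data is {problem}" if problem else "")}


def inspect_file(path):
    """Read a spool file from disk and classify it."""
    with open(path, "rb") as fh:
        return classify(fh.read())


def _u2_record(rtype, body):
    return HEADER.pack(rtype, len(body)) + body


# Constructed sample: one IDS event (52-byte Unified2IDSEvent body) followed by
# one packet record (28-byte packet header plus 14 bytes of packet data).
# Bodies are zero-filled dummies; only the record framing is exercised here.
SAMPLE_UNIFIED2 = _u2_record(7, bytes(52)) + _u2_record(2, bytes(28 + 14))

# Constructed sample: a little-endian pcap global header (magic, version 2.4,
# zone 0, sigfigs 0, snaplen 65535, linktype 1 = Ethernet) and nothing else.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


if __name__ == "__main__":
    # Usage: python spoolcheck.py /usr/local/snort/var/log/eth1/snort.log.1387811302
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            print(path, inspect_file(path))
    else:
        print("constructed unified2 sample:", classify(SAMPLE_UNIFIED2))
        print("constructed pcap sample:    ", classify(SAMPLE_PCAP))
        print("truncated unified2 sample:  ", classify(SAMPLE_UNIFIED2[:-5]))
```

Run it against the newest `snort.log.<timestamp>` in the barnyard2 spool directory. A result of `pcap` means the file is snort's `-b` packet log, not unified2 output, and the two outputs need distinct filebases (or `-b` dropped); `unified2` with a `partial` trailer is normal for a file snort is still appending to and is the state in which barnyard2 prints "Waiting for new data".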