[Snort-users] barnyard2 failing

Jeremy Hoel jthoel at ...11827...
Wed Jun 19 20:59:18 EDT 2013


The problem is in the error message.  Check your flags.
On Jun 19, 2013 6:55 PM, "Herminio Hernandez" <herminio.hernandezjr at ...11827...> wrote:

> Thanks for the advice, I got barnyard2 installed. However, I am now getting
> this error.
>
> $ sudo barnyard2 -c /opt/local/etc/barnyard2/barnyard2.conf -g
> /opt/local/etc/snort/gen-msg.map -s /opt/local/etc/snort/sid-msg.map -d
> /var/log/snort -f snort.u2.1371688964 -w /var/log/snort/barnyard.waldo
> ERROR: Group "/opt/local/etc/snort/gen-msg.map" unknown.
> Fatal Error, Quitting..
> Barnyard2 exiting
>
>
> On Jun 17, 2013, at 11:05 PM, beenph <beenph at ...11827...> wrote:
>
> > On Mon, Jun 17, 2013 at 11:58 PM, Herminio Hernandez
> > <herminio.hernandezjr at ...11827...> wrote:
> >> I have compiled barnyard2 to write snort logs to my postgresql database
> but it is failing. Below is what I get
> >>
> >> $ barnyard -c /opt/local/etc/barnyard2/barnyard2.conf -g
> /opt/local/etc/snort/gen-msg.map -s /opt/local/etc/snort/sid-msg.map -d
> /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
> >> Barnyard Version 0.2.0 (Build 32)
> >> Unrecognized config directive: 'reference_file:
>  /opt/local/etc/snort/reference.config'
> >> Unrecognized config directive: 'classification_file:
> /opt/local/etc/snort/classification.config'
> >> Unrecognized config directive: 'gen_file:
>  /opt/local/etc/snort/gen-msg.map'
> >> Unrecognized config directive: 'sid_file:
>  /opt/local/etc/snort/sid-msg.map'
> >> Unrecognized config directive: 'logdir: /var/log/snort'
> >> FATAL ERROR /opt/local/etc/barnyard2/barnyard2.conf(70) => Unknown
> directive: snort
> >> Fatal Error, Quitting..
> >> Exiting
> >>
> > Are you sure you compiled barnyard2?
> >
> > seems like you compiled barnyard1 version 0.2.0..
> >
> > You can get current barnyard2 master here:
> https://github.com/firnsy/barnyard2
> >
> > Direct tar.gz link =
> https://github.com/firnsy/barnyard2/archive/master.tar.gz
> >
> >
> >> here is my conf file any help will be appreciated
> >>
> >> $ cat /opt/local/etc/barnyard2/barnyard2.conf
> >> #
> >> #  Barnyard2 example configuration file
> >> #
> >>
> >> #
> >> # This file contains a sample barnyard2 configuration.
> >> # You can take the following steps to create your own custom
> configuration:
> >> #
> >> #   1) Configure the variable declarations
> >> #   2) Setup the input plugins
> >> #   3) Setup the output plugins
> >> #
> >>
> >> #
> >> # Step 1: configure the variable declarations
> >> #
> >>
> >> # in order to keep from having a commandline that uses every letter in
> the
> >> # alphabet most configuration options are set here.
> >>
> >> # use UTC for timestamps
> >> #
> >> #config utc
> >>
> >> # set the appropriate paths to the file(s) your Snort process is using.
> >> #
> >> config reference_file:      /opt/local/etc/snort/reference.config
> >> config classification_file: /opt/local/etc/snort/classification.config
> >> config gen_file:            /opt/local/etc/snort/gen-msg.map
> >> config sid_file:            /opt/local/etc/snort/sid-msg.map
> >>
> >>
> >> # Configure signature suppression at the spooler level see
> doc/README.sig_suppress
> >> #
> >> #
> >> #config sig_suppress: 1:10
> >>
> >>
> >> # Set the event cache size to defined max value before recycling of
> event occur.
> >> #
> >> #
> >> #config event_cache_size: 4096
> >>
> >> # define dedicated references similar to that of snort.
> >> #
> >> #config reference: mybugs http://www.mybugs.com/?s=
> >>
> >> # define explicit classifications similar to that of snort.
> >> #
> >> #config classification: shortname, short description, priority
> >>
> >> # set the directory for any output logging
> >> #
> >> config logdir: /var/log/snort
> >>
> >> # to ensure that any plugins requiring some level of uniqueness in
> their output
> >> # the alert_with_interface_name, interface and hostname directives are
> provided.
> >> # An example of usage would be to configure them to the values of the
> associated
> >> # snort process whose unified files you are reading.
> >> #
> >> # Example:
> >> #   For a snort process as follows:
> >> #     snort -i eth0 -c /etc/snort.conf
> >> #
> >> #   Typical options would be:
> >> #     config hostname:  thor
> >> #     config interface: eth0
> >> #     config alert_with_interface_name
> >> #
> >> snort -i en1 -c /opt/local/etc/snort/snort.conf
> >>
> >> # enable printing of the interface name when alerting.
> >> #
> >> config alert_with_interface_name
> >>
> >> # at times snort will alert on a packet within a stream and dump that
> stream to
> >> # the unified output. barnyard2 can generate output on each packet of
> that
> >> # stream or the first packet only.
> >> #
> >> config alert_on_each_packet_in_stream
> >>
> >> # enable daemon mode
> >> #
> >> config daemon
> >>
> >> # make barnyard2 process chroot to directory after initialisation.
> >> #
> >> #config chroot: /var/spool/barnyard2
> >>
> >> # specifiy the group or GID for barnyard2 to run as after
> initialisation.
> >> #
> >> #config set_gid: 999
> >>
> >> # specifiy the user or UID for barnyard2 to run as after initialisation.
> >> #
> >> #config set_uid: 999
> >>
> >> # specify the directory for the barnyard2 PID file.
> >> #
> >> #config pidpath: /var/run/by2.pid
> >>
> >> # enable decoding of the data link (or second level headers).
> >> #
> >> #config decode_data_link
> >>
> >> # dump the application data
> >> #
> >> #config dump_payload
> >>
> >> # dump the application data as chars only
> >> #
> >> #config dump_chars_only
> >>
> >> # enable verbose dumping of payload information in log style output
> plugins.
> >> #
> >> #config dump_payload_verbose
> >>
> >> # enable obfuscation of logged IP addresses.
> >> #
> >> #config obfuscate
> >>
> >> # enable the year being shown in timestamps
> >> #
> >> config show_year
> >>
> >> # set the umask for all files created by the barnyard2 process (eg. log
> files).
> >> #
> >> #config umask: 066
> >>
> >> # enable verbose logging
> >> #
> >> config verbose
> >>
> >> # quiet down some of the output
> >> #
> >> #config quiet
> >>
> >> # define the full waldo filepath.
> >> #
> >> #config waldo_file: /tmp/waldo
> >>
> >> # specificy the maximum length of the MPLS label chain
> >> #
> >> #config max_mpls_labelchain_len: 64
> >>
> >> # specify the protocol (ie ipv4, ipv6, ethernet) that is encapsulated
> by MPLS.
> >> #
> >> #config mpls_payload_type: ipv4
> >>
> >> # set the reference network or homenet which is predominantly used by
> the
> >> # log_ascii plugin.
> >> #
> >> #config reference_net: 192.168.0.0/24
> >>
> >> #
> >> # CONTINOUS MODE
> >> #
> >>
> >> # set the archive directory for use with continous mode
> >> #
> >> config archivedir: /var/log/snort/archive
> >>
> >> # when in operating in continous mode, only process new records and
> ignore any
> >> # existing unified files
> >> #
> >> config process_new_records_only
> >>
> >>
> >> #
> >> # Step 2: setup the input plugins
> >> #
> >>
> >> # this is not hard, only unified2 is supported ;)
> >> input unified2
> >>
> >>
> >> #
> >> # Step 3: setup the output plugins
> >> #
> >>
> >> # alert_cef
> >> #
> ----------------------------------------------------------------------------
> >> #
> >> # Purpose:
> >> #  This output module provides the abilty to output alert information
> to a
> >> # remote network host as well as the local host using the open standard
> >> # Common Event Format (CEF).
> >> #
> >> # Arguments: host=hostname[:port], severity facility
> >> #            arguments should be comma delimited.
> >> #   host        - specify a remote hostname or IP with optional port
> number
> >> #                 this is only specific to WIN32 (and is not yet fully
> supported)
> >> #   severity    - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
> >> #   facility    - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
> >> #
> >> # Examples:
> >> #   output alert_cef
> >> #   output alert_cef: host=192.168.10.1
> >> #   output alert_cef: host=sysserver.com:1001
> >> #   output alert_cef: LOG_AUTH LOG_INFO
> >> #
> >>
> >> # alert_bro
> >> #
> ----------------------------------------------------------------------------
> >> #
> >> # Purpose: Send alerts to a Bro-IDS instance.
> >> #
> >> # Arguments: hostname:port
> >> #
> >> # Examples:
> >> #   output alert_bro: 127.0.0.1:47757
> >>
> >> # alert_fast
> >> #
> ----------------------------------------------------------------------------
> >> # Purpose: Converts data to an approximation of Snort's "fast alert"
> mode.
> >> #
> >> # Arguments: file <file>, stdout
> >> #            arguments should be comma delimited.
> >> #   file - specifiy alert file
> >> #   stdout - no alert file, just print to screen
> >> #
> >> # Examples:
> >> #   output alert_fast
> >> #   output alert_fast: stdout
> >> #
> >> output alert_fast: /var/log/snort/snort-alert.log
> >>
> >>
> >> # prelude: log to the Prelude Hybrid IDS system
> >> #
> ----------------------------------------------------------------------------
> >> #
> >> # Purpose:
> >> #  This output module provides logging to the Prelude Hybrid IDS system
> >> #
> >> # Arguments: profile=snort-profile
> >> #   snort-profile   - name of the Prelude profile to use (default is
> snort).
> >> #
> >> # Snort priority to IDMEF severity mappings:
> >> # high < medium < low < info
> >> #
> >> # These are the default mapped from classification.config:
> >> # info   = 4
> >> # low    = 3
> >> # medium = 2
> >> # high   = anything below medium
> >> #
> >> # Examples:
> >> #   output alert_prelude
> >> #   output alert_prelude: profile=snort-profile-name
> >> #
> >>
> >>
> >> # alert_syslog
> >> #
> ----------------------------------------------------------------------------
> >> #
> >> # Purpose:
> >> #  This output module provides the abilty to output alert information
> to local syslog
> >> #
> >> #   severity    - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
> >> #   facility    - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
> >> #
> >> # Examples:
> >> #   output alert_syslog
> >> #   output alert_syslog: LOG_AUTH LOG_INFO
> >> #
> >> output alert_syslog: LOG_LOCAL5 LOG_INFO
> >>
> >> # syslog_full
> >> #-------------------------------
> >> # Available as both a log and alert output plugin.  Used to output data
> via TCP/UDP or LOCAL ie(syslog())
> >> # Arguments:
> >> #      sensor_name $sensor_name         - unique sensor name
> >> #      server $server                   - server the device will report
> to
> >> #      local                            - if defined, ignore all remote
> information and use syslog() to send message.
> >> #      protocol $protocol               - protocol device will report
> over (tcp/udp)
> >> #      port $port                       - destination port device will
> report to (default: 514)
> >> #      delimiters $delimiters           - define a character that will
> delimit message sections ex:  "|", will use | as message section
> delimiters. (default: |)
> >> #      separators $separators           - define field separator
> included in each message ex: " " ,  will use space as field separator.
>         (default: [:space:])
> >> #      operation_mode $operaion_mode    - default | complete : default
> mode is compatible with default snort syslog message, complete prints more
> information such as the raw packet (hexed)
> >> #      log_priority   $log_priority     - used by local option for
> syslog priority call. (man syslog(3) for supported options) (default:
> LOG_INFO)
> >> #      log_facility  $log_facility      - used by local option for
> syslog facility call. (man syslog(3) for supported options) (default:
> LOG_USER)
> >> #      payload_encoding                 - (default: hex)  support
> hex/ascii/base64 for log_syslog_full using operation_mode complete only.
> >>
> >> # Usage Examples:
> >> # output alert_syslog_full: sensor_name snortIds1-eth2, server
> xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
> >> # output alert_syslog_full: sensor_name snortIds1-eth2, server
> xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
> >> # output log_syslog_full: sensor_name snortIds1-eth2, server
> xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
> >> # output log_syslog_full: sensor_name snortIds1-eth2, server
> xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
> >> # output alert_syslog_full: sensor_name snortIds1-eth2, server
> xxx.xxx.xxx.xxx, protocol udp, port 514
> >> # output log_syslog_full: sensor_name snortIds1-eth2, server
> xxx.xxx.xxx.xxx, protocol udp, port 514
> >> # output alert_syslog_full: sensor_name snortIds1-eth2, local
> >> # output log_syslog_full: sensor_name snortIds1-eth2, local,
> log_priority LOG_CRIT,log_facility LOG_CRON
> >> output log_syslog_full: sensor_name snortIds1-eth2, local, log_priority
> LOG_CRIT,log_facility LOG_CRON
> >>
> >> # log_ascii
> >> #
> ----------------------------------------------------------------------------
> >> #
> >> # Purpose: This output module provides the default packet logging
> funtionality
> >> #
> >> # Arguments: None.
> >> #
> >> # Examples:
> >> #   output log_ascii
> >> #
> >>
> >>
> >> # log_tcpdump
> >> #
> ----------------------------------------------------------------------------
> >> #
> >> # Purpose
> >> #  This output module logs packets in binary tcpdump format
> >> #
> >> # Arguments:
> >> #   The only argument is the output file name.
> >> #
> >> # Examples:
> >> #   output log_tcpdump: tcpdump.log
> >> #
> >>
> >>
> >> # sguil
> >> #
> ----------------------------------------------------------------------------
> >> #
> >> # Purpose: This output module provides logging ability for the sguil
> interface
> >> # See doc/README.sguil
> >> #
> >> # Arguments: agent_port <port>, sensor_name <name>
> >> #            arguments should be comma delimited.
> >> #   agent_port  - explicitly set the sguil agent listening port
> >> #                 (default: 7736)
> >> #   sensor_name - explicitly set the sensor name
> >> #                 (default: machine hostname)
> >> #
> >> # Examples:
> >> #   output sguil
> >> #   output sguil: agent_port=7000
> >> #   output sguil: sensor_name=argyle
> >> #   output sguil: agent_port=7000, sensor_name=argyle
> >> #
> >>
> >>
> >> # database: log to a variety of databases
> >> #
> ----------------------------------------------------------------------------
> >> #
> >> # Purpose: This output module provides logging ability to a variety of
> databases
> >> # See doc/README.database for additional information.
> >> #
> >> # Examples:
> >> #   output database: log, mysql, user=root password=test dbname=db
> host=localhost
> >> #   output database: alert, postgresql, user=snort dbname=snort
> >> #   output database: log, odbc, user=snort dbname=snort
> >> #   output database: log, mssql, dbname=snort user=snort password=test
> >> #   output database: log, oracle, dbname=snort user=snort password=test
> >> #
> >> output database: alert, postgresql, user=postgresql dbname=snortdb
> host=localhost password=XXXXXXXXX
> >> output database: log, postgresql, user=postgresql dbname=snortdb
> host=localhost password=XXXXXXXXX
> >>
> >> # alert_fwsam: allow blocking of IP's through remote services
> >> #
> ----------------------------------------------------------------------------
> >> # output alert_fwsam: <SnortSam Station>:<port>/<key>
> >> #
> >> #  <FW Mgmt Station>:  IP address or host name of the host running
> SnortSam.
> >> #  <port>:         Port the remote SnortSam service listens on (default
> 898).
> >> #  <key>:              Key used for authentication (encryption really)
> >> #              of the communication to the remote service.
> >> #
> >> # Examples:
> >> #
> >> # output alert_fwsam: snortsambox/idspassword
> >> # output alert_fwsam: fw1.domain.tld:898/mykey
> >> # output alert_fwsam: 192.168.0.1/borderfw  192.168.1.254/wanfw
> >> #
> >>
> >>
> >>
> >>
> >>
> ------------------------------------------------------------------------------
> >> This SF.net email is sponsored by Windows:
> >>
> >> Build for Windows Store.
> >>
> >> http://p.sf.net/sfu/windows-dev2dev
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >>
> >> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
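Both failures in this thread are visible in the text Herminio posted: the first run aborted with `barnyard2.conf(70) => Unknown directive: snort` because the example `snort -i eth0 -c /etc/snort.conf` line was pasted into the config as a live line, and the second run aborted with `Group "/opt/local/etc/snort/gen-msg.map" unknown` because `-g` names the group barnyard2 runs as after initialisation, while the map files are already set by `config gen_file:` and `config sid_file:`. The following Python linter is an added example, not code from the thread or from the barnyard2 project; it reproduces both checks before barnyard2 is started. The directive grammar it accepts (`config`, `input`, `output`) and the sample config and argv are assumptions reconstructed from the quoted file, with the database password replaced by a placeholder.

```python
"""Pre-flight linter for a barnyard2.conf plus the command line used to start it.

Added example modelled on the thread above; not barnyard2's own parser.
Assumed grammar (from the quoted sample config): a non-comment line is
`config <key>[: <value>]`, `input <plugin>` or `output <plugin>[: <args>]`.
"""
from typing import Dict, List, Tuple

# Assumption: the only top-level keywords are the three used in the quoted file.
DIRECTIVES = ("config", "input", "output")
# Map files barnyard2 reads; all four are set with `config` in the quoted file.
MAP_KEYS = ("reference_file", "classification_file", "gen_file", "sid_file")

Entry = Tuple[int, str, str, str]  # (line number, directive, key or plugin, argument)


def parse_conf(text: str) -> Tuple[List[Entry], List[Tuple[int, str]]]:
    """Split a config into recognised entries and problem lines.

    A problem line is any non-comment line that does not start with a known
    directive; barnyard2 aborts on the first one with the line number shown.
    """
    entries: List[Entry] = []
    problems: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        word = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        if word not in DIRECTIVES:
            problems.append((lineno, f"Unknown directive: {word}"))
            continue
        key, _, arg = rest.partition(":")
        entries.append((lineno, word, key.strip(), arg.strip()))
    return entries, problems


def configured_maps(entries: List[Entry]) -> Dict[str, str]:
    """Return the map files that are already set via `config <key>: <path>`."""
    return {key: arg for _, d, key, arg in entries if d == "config" and key in MAP_KEYS}


def cleartext_credentials(entries: List[Entry]) -> List[int]:
    """Line numbers of output plugins that embed a password in the config.

    Such a line turns the config file itself into a secret: keep it readable
    only by the barnyard2 user and redact it before posting it anywhere.
    """
    return [ln for ln, d, _, arg in entries if d == "output" and "password=" in arg]


def check_cli(argv: List[str]) -> List[str]:
    """Flag the command-line mistake from the thread: -g takes a group name.

    barnyard2 answered 'Group "/opt/local/etc/snort/gen-msg.map" unknown'
    because -g is the drop-privileges group option, not the gen-msg map
    option, so a path-looking value after -g is the wrong flag.
    """
    warnings: List[str] = []
    for i, tok in enumerate(argv):
        if tok == "-g" and i + 1 < len(argv) and "/" in argv[i + 1]:
            warnings.append(
                f"-g {argv[i + 1]}: -g names the group to run as, not a map file; "
                "the map files are set by config gen_file/sid_file instead"
            )
    return warnings


def lint(text: str, argv: List[str]) -> List[str]:
    """Run every check and return human-readable findings."""
    entries, problems = parse_conf(text)
    findings = [f"conf({ln}) => {msg}" for ln, msg in problems]
    maps = configured_maps(entries)
    findings.extend(f"config {key} not set" for key in MAP_KEYS if key not in maps)
    findings.extend(
        f"conf({ln}) => cleartext password in output plugin; restrict file permissions"
        for ln in cleartext_credentials(entries)
    )
    findings.extend(check_cli(argv))
    return findings


# Constructed sample modelled on the quoted config, including the stray
# `snort -i ...` line (an example that was pasted in as a live line).
SAMPLE_CONF = """\
config reference_file:      /opt/local/etc/snort/reference.config
config classification_file: /opt/local/etc/snort/classification.config
config gen_file:            /opt/local/etc/snort/gen-msg.map
config sid_file:            /opt/local/etc/snort/sid-msg.map
config logdir: /var/log/snort
snort -i en1 -c /opt/local/etc/snort/snort.conf
config alert_with_interface_name
input unified2
output alert_fast: /var/log/snort/snort-alert.log
output database: alert, postgresql, user=postgresql dbname=snortdb host=localhost password=REDACTED
"""

# Constructed argv matching the second failing command in the thread.
SAMPLE_ARGV = ["-c", "/opt/local/etc/barnyard2/barnyard2.conf",
               "-g", "/opt/local/etc/snort/gen-msg.map",
               "-d", "/var/log/snort", "-f", "snort.u2.1371688964",
               "-w", "/var/log/snort/barnyard.waldo"]

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF, SAMPLE_ARGV):
        print(finding)
```

Running the file prints three findings for the sample: the unknown `snort` directive with its line number, the cleartext database password, and the misused `-g`. The group check only looks for a path-like value, so a correct `-g snort` passes; whether that group actually exists on the host is still for the operating system to answer at start-up.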