[Snort-users] barnyard2 failing

Herminio Hernandez Jr. herminio.hernandezjr at ...11827...
Thu Jun 20 21:49:58 EDT 2013


I changed and got barnyard2 to run. How do I verify that it is writing to the database?

Sent from my iPhone

On Jun 19, 2013, at 7:59 PM, Jeremy Hoel <jthoel at ...11827...> wrote:

> The problem is in the error message.  Check your flags.
> 
> On Jun 19, 2013 6:55 PM, "Herminio Hernandez" <herminio.hernandezjr at ...5119...827...> wrote:
>> Thanks for the advice, I got barnyard2 installed. However, I am now getting this error.
>> 
>> $ sudo barnyard2 -c /opt/local/etc/barnyard2/barnyard2.conf -g /opt/local/etc/snort/gen-msg.map -s /opt/local/etc/snort/sid-msg.map -d /var/log/snort -f snort.u2.1371688964 -w /var/log/snort/barnyard.waldo
>> ERROR: Group "/opt/local/etc/snort/gen-msg.map" unknown.
>> Fatal Error, Quitting..
>> Barnyard2 exiting
>> 
>> 
>> On Jun 17, 2013, at 11:05 PM, beenph <beenph at ...11827...> wrote:
>> 
>> > On Mon, Jun 17, 2013 at 11:58 PM, Herminio Hernandez
>> > <herminio.hernandezjr at ...11827...> wrote:
>> >> I have compiled barnyard2 to write Snort logs to my PostgreSQL database, but it is failing. Below is what I get:
>> >>
>> >> $ barnyard -c /opt/local/etc/barnyard2/barnyard2.conf -g /opt/local/etc/snort/gen-msg.map -s /opt/local/etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
>> >> Barnyard Version 0.2.0 (Build 32)
>> >> Unrecognized config directive: 'reference_file:      /opt/local/etc/snort/reference.config'
>> >> Unrecognized config directive: 'classification_file: /opt/local/etc/snort/classification.config'
>> >> Unrecognized config directive: 'gen_file:            /opt/local/etc/snort/gen-msg.map'
>> >> Unrecognized config directive: 'sid_file:            /opt/local/etc/snort/sid-msg.map'
>> >> Unrecognized config directive: 'logdir: /var/log/snort'
>> >> FATAL ERROR /opt/local/etc/barnyard2/barnyard2.conf(70) => Unknown directive: snort
>> >> Fatal Error, Quitting..
>> >> Exiting
>> >>
>> > Are you sure you compiled barnyard2?
>> >
>> > Seems like you compiled barnyard1 version 0.2.0.
>> >
>> > You can get current barnyard2 master here: https://github.com/firnsy/barnyard2
>> >
>> > Direct tar.gz link = https://github.com/firnsy/barnyard2/archive/master.tar.gz
>> >
>> >
>> >> Here is my conf file; any help will be appreciated.
>> >>
>> >> $ cat /opt/local/etc/barnyard2/barnyard2.conf
>> >> #
>> >> #  Barnyard2 example configuration file
>> >> #
>> >>
>> >> #
>> >> # This file contains a sample barnyard2 configuration.
>> >> # You can take the following steps to create your own custom configuration:
>> >> #
>> >> #   1) Configure the variable declarations
>> >> #   2) Setup the input plugins
>> >> #   3) Setup the output plugins
>> >> #
>> >>
>> >> #
>> >> # Step 1: configure the variable declarations
>> >> #
>> >>
>> >> # in order to keep from having a commandline that uses every letter in the
>> >> # alphabet most configuration options are set here.
>> >>
>> >> # use UTC for timestamps
>> >> #
>> >> #config utc
>> >>
>> >> # set the appropriate paths to the file(s) your Snort process is using.
>> >> #
>> >> config reference_file:      /opt/local/etc/snort/reference.config
>> >> config classification_file: /opt/local/etc/snort/classification.config
>> >> config gen_file:            /opt/local/etc/snort/gen-msg.map
>> >> config sid_file:            /opt/local/etc/snort/sid-msg.map
>> >>
>> >>
>> >> # Configure signature suppression at the spooler level see doc/README.sig_suppress
>> >> #
>> >> #
>> >> #config sig_suppress: 1:10
>> >>
>> >>
>> >> # Set the event cache size to defined max value before recycling of event occur.
>> >> #
>> >> #
>> >> #config event_cache_size: 4096
>> >>
>> >> # define dedicated references similar to that of snort.
>> >> #
>> >> #config reference: mybugs http://www.mybugs.com/?s=
>> >>
>> >> # define explicit classifications similar to that of snort.
>> >> #
>> >> #config classification: shortname, short description, priority
>> >>
>> >> # set the directory for any output logging
>> >> #
>> >> config logdir: /var/log/snort
>> >>
>> >> # to ensure that any plugins requiring some level of uniqueness in their output
>> >> # the alert_with_interface_name, interface and hostname directives are provided.
>> >> # An example of usage would be to configure them to the values of the associated
>> >> # snort process whose unified files you are reading.
>> >> #
>> >> # Example:
>> >> #   For a snort process as follows:
>> >> #     snort -i eth0 -c /etc/snort.conf
>> >> #
>> >> #   Typical options would be:
>> >> #     config hostname:  thor
>> >> #     config interface: eth0
>> >> #     config alert_with_interface_name
>> >> #
>> >> snort -i en1 -c /opt/local/etc/snort/snort.conf
>> >>
>> >> # enable printing of the interface name when alerting.
>> >> #
>> >> config alert_with_interface_name
>> >>
>> >> # at times snort will alert on a packet within a stream and dump that stream to
>> >> # the unified output. barnyard2 can generate output on each packet of that
>> >> # stream or the first packet only.
>> >> #
>> >> config alert_on_each_packet_in_stream
>> >>
>> >> # enable daemon mode
>> >> #
>> >> config daemon
>> >>
>> >> # make barnyard2 process chroot to directory after initialisation.
>> >> #
>> >> #config chroot: /var/spool/barnyard2
>> >>
>> >> # specify the group or GID for barnyard2 to run as after initialisation.
>> >> #
>> >> #config set_gid: 999
>> >>
>> >> # specify the user or UID for barnyard2 to run as after initialisation.
>> >> #
>> >> #config set_uid: 999
>> >>
>> >> # specify the directory for the barnyard2 PID file.
>> >> #
>> >> #config pidpath: /var/run/by2.pid
>> >>
>> >> # enable decoding of the data link (or second level headers).
>> >> #
>> >> #config decode_data_link
>> >>
>> >> # dump the application data
>> >> #
>> >> #config dump_payload
>> >>
>> >> # dump the application data as chars only
>> >> #
>> >> #config dump_chars_only
>> >>
>> >> # enable verbose dumping of payload information in log style output plugins.
>> >> #
>> >> #config dump_payload_verbose
>> >>
>> >> # enable obfuscation of logged IP addresses.
>> >> #
>> >> #config obfuscate
>> >>
>> >> # enable the year being shown in timestamps
>> >> #
>> >> config show_year
>> >>
>> >> # set the umask for all files created by the barnyard2 process (eg. log files).
>> >> #
>> >> #config umask: 066
>> >>
>> >> # enable verbose logging
>> >> #
>> >> config verbose
>> >>
>> >> # quiet down some of the output
>> >> #
>> >> #config quiet
>> >>
>> >> # define the full waldo filepath.
>> >> #
>> >> #config waldo_file: /tmp/waldo
>> >>
>> >> # specify the maximum length of the MPLS label chain
>> >> #
>> >> #config max_mpls_labelchain_len: 64
>> >>
>> >> # specify the protocol (ie ipv4, ipv6, ethernet) that is encapsulated by MPLS.
>> >> #
>> >> #config mpls_payload_type: ipv4
>> >>
>> >> # set the reference network or homenet which is predominantly used by the
>> >> # log_ascii plugin.
>> >> #
>> >> #config reference_net: 192.168.0.0/24
>> >>
>> >> #
>> >> # CONTINUOUS MODE
>> >> #
>> >>
>> >> # set the archive directory for use with continuous mode
>> >> #
>> >> config archivedir: /var/log/snort/archive
>> >>
>> >> # when operating in continuous mode, only process new records and ignore any
>> >> # existing unified files
>> >> #
>> >> config process_new_records_only
>> >>
>> >>
>> >> #
>> >> # Step 2: setup the input plugins
>> >> #
>> >>
>> >> # this is not hard, only unified2 is supported ;)
>> >> input unified2
>> >>
>> >>
>> >> #
>> >> # Step 3: setup the output plugins
>> >> #
>> >>
>> >> # alert_cef
>> >> # ----------------------------------------------------------------------------
>> >> #
>> >> # Purpose:
>> >> #  This output module provides the ability to output alert information to a
>> >> # remote network host as well as the local host using the open standard
>> >> # Common Event Format (CEF).
>> >> #
>> >> # Arguments: host=hostname[:port], severity facility
>> >> #            arguments should be comma delimited.
>> >> #   host        - specify a remote hostname or IP with optional port number
>> >> #                 this is only specific to WIN32 (and is not yet fully supported)
>> >> #   severity    - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
>> >> #   facility    - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
>> >> #
>> >> # Examples:
>> >> #   output alert_cef
>> >> #   output alert_cef: host=192.168.10.1
>> >> #   output alert_cef: host=sysserver.com:1001
>> >> #   output alert_cef: LOG_AUTH LOG_INFO
>> >> #
>> >>
>> >> # alert_bro
>> >> # ----------------------------------------------------------------------------
>> >> #
>> >> # Purpose: Send alerts to a Bro-IDS instance.
>> >> #
>> >> # Arguments: hostname:port
>> >> #
>> >> # Examples:
>> >> #   output alert_bro: 127.0.0.1:47757
>> >>
>> >> # alert_fast
>> >> # ----------------------------------------------------------------------------
>> >> # Purpose: Converts data to an approximation of Snort's "fast alert" mode.
>> >> #
>> >> # Arguments: file <file>, stdout
>> >> #            arguments should be comma delimited.
>> >> #   file - specify alert file
>> >> #   stdout - no alert file, just print to screen
>> >> #
>> >> # Examples:
>> >> #   output alert_fast
>> >> #   output alert_fast: stdout
>> >> #
>> >> output alert_fast: /var/log/snort/snort-alert.log
>> >>
>> >>
>> >> # prelude: log to the Prelude Hybrid IDS system
>> >> # ----------------------------------------------------------------------------
>> >> #
>> >> # Purpose:
>> >> #  This output module provides logging to the Prelude Hybrid IDS system
>> >> #
>> >> # Arguments: profile=snort-profile
>> >> #   snort-profile   - name of the Prelude profile to use (default is snort).
>> >> #
>> >> # Snort priority to IDMEF severity mappings:
>> >> # high < medium < low < info
>> >> #
>> >> # These are the default mapped from classification.config:
>> >> # info   = 4
>> >> # low    = 3
>> >> # medium = 2
>> >> # high   = anything below medium
>> >> #
>> >> # Examples:
>> >> #   output alert_prelude
>> >> #   output alert_prelude: profile=snort-profile-name
>> >> #
>> >>
>> >>
>> >> # alert_syslog
>> >> # ----------------------------------------------------------------------------
>> >> #
>> >> # Purpose:
>> >> #  This output module provides the ability to output alert information to local syslog
>> >> #
>> >> #   severity    - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
>> >> #   facility    - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
>> >> #
>> >> # Examples:
>> >> #   output alert_syslog
>> >> #   output alert_syslog: LOG_AUTH LOG_INFO
>> >> #
>> >> output alert_syslog: LOG_LOCAL5 LOG_INFO
>> >>
>> >> # syslog_full
>> >> #-------------------------------
>> >> # Available as both a log and alert output plugin.  Used to output data via TCP/UDP or LOCAL ie(syslog())
>> >> # Arguments:
>> >> #      sensor_name $sensor_name         - unique sensor name
>> >> #      server $server                   - server the device will report to
>> >> #      local                            - if defined, ignore all remote information and use syslog() to send message.
>> >> #      protocol $protocol               - protocol device will report over (tcp/udp)
>> >> #      port $port                       - destination port device will report to (default: 514)
>> >> #      delimiters $delimiters           - define a character that will delimit message sections ex:  "|", will use | as message section delimiters. (default: |)
>> >> #      separators $separators           - define field separator included in each message ex: " " ,  will use space as field separator.             (default: [:space:])
>> >> #      operation_mode $operation_mode   - default | complete : default mode is compatible with default snort syslog message, complete prints more information such as the raw packet (hexed)
>> >> #      log_priority   $log_priority     - used by local option for syslog priority call. (man syslog(3) for supported options) (default: LOG_INFO)
>> >> #      log_facility  $log_facility      - used by local option for syslog facility call. (man syslog(3) for supported options) (default: LOG_USER)
>> >> #      payload_encoding                 - (default: hex)  support hex/ascii/base64 for log_syslog_full using operation_mode complete only.
>> >>
>> >> # Usage Examples:
>> >> # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
>> >> # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
>> >> # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
>> >> # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
>> >> # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
>> >> # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
>> >> # output alert_syslog_full: sensor_name snortIds1-eth2, local
>> >> # output log_syslog_full: sensor_name snortIds1-eth2, local, log_priority LOG_CRIT,log_facility LOG_CRON
>> >> output log_syslog_full: sensor_name snortIds1-eth2, local, log_priority LOG_CRIT,log_facility LOG_CRON
>> >>
>> >> # log_ascii
>> >> # ----------------------------------------------------------------------------
>> >> #
>> >> # Purpose: This output module provides the default packet logging functionality
>> >> #
>> >> # Arguments: None.
>> >> #
>> >> # Examples:
>> >> #   output log_ascii
>> >> #
>> >>
>> >>
>> >> # log_tcpdump
>> >> # ----------------------------------------------------------------------------
>> >> #
>> >> # Purpose
>> >> #  This output module logs packets in binary tcpdump format
>> >> #
>> >> # Arguments:
>> >> #   The only argument is the output file name.
>> >> #
>> >> # Examples:
>> >> #   output log_tcpdump: tcpdump.log
>> >> #
>> >>
>> >>
>> >> # sguil
>> >> # ----------------------------------------------------------------------------
>> >> #
>> >> # Purpose: This output module provides logging ability for the sguil interface
>> >> # See doc/README.sguil
>> >> #
>> >> # Arguments: agent_port <port>, sensor_name <name>
>> >> #            arguments should be comma delimited.
>> >> #   agent_port  - explicitly set the sguil agent listening port
>> >> #                 (default: 7736)
>> >> #   sensor_name - explicitly set the sensor name
>> >> #                 (default: machine hostname)
>> >> #
>> >> # Examples:
>> >> #   output sguil
>> >> #   output sguil: agent_port=7000
>> >> #   output sguil: sensor_name=argyle
>> >> #   output sguil: agent_port=7000, sensor_name=argyle
>> >> #
>> >>
>> >>
>> >> # database: log to a variety of databases
>> >> # ----------------------------------------------------------------------------
>> >> #
>> >> # Purpose: This output module provides logging ability to a variety of databases
>> >> # See doc/README.database for additional information.
>> >> #
>> >> # Examples:
>> >> #   output database: log, mysql, user=root password=test dbname=db host=localhost
>> >> #   output database: alert, postgresql, user=snort dbname=snort
>> >> #   output database: log, odbc, user=snort dbname=snort
>> >> #   output database: log, mssql, dbname=snort user=snort password=test
>> >> #   output database: log, oracle, dbname=snort user=snort password=test
>> >> #
>> >> output database: alert, postgresql, user=postgresql dbname=snortdb host=localhost password=XXXXXXXXX
>> >> output database: log, postgresql, user=postgresql dbname=snortdb host=localhost password=XXXXXXXXX
>> >>
>> >> # alert_fwsam: allow blocking of IP's through remote services
>> >> # ----------------------------------------------------------------------------
>> >> # output alert_fwsam: <SnortSam Station>:<port>/<key>
>> >> #
>> >> #  <FW Mgmt Station>:  IP address or host name of the host running SnortSam.
>> >> #  <port>:         Port the remote SnortSam service listens on (default 898).
>> >> #  <key>:              Key used for authentication (encryption really)
>> >> #              of the communication to the remote service.
>> >> #
>> >> # Examples:
>> >> #
>> >> # output alert_fwsam: snortsambox/idspassword
>> >> # output alert_fwsam: fw1.domain.tld:898/mykey
>> >> # output alert_fwsam: 192.168.0.1/borderfw  192.168.1.254/wanfw
>> >> #
>> >>
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> Snort-users mailing list
>> >> Snort-users at lists.sourceforge.net
>> >> Go to this URL to change user options or unsubscribe:
>> >> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> Snort-users list archive:
>> >> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> >>
>> >> Please visit http://blog.snort.org to stay current on all the latest Snort news!
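One way to answer the question at the top of the thread (is barnyard2 actually writing to the database?) is to count the IDS event records in the unified2 spool file barnyard2 consumes and compare that with `SELECT count(*) FROM event` in the snortdb database barnyard2 populates. This is an added example, not code from the thread or from barnyard2; it assumes the 52-byte IPv4 IDS event layout (record type 7) from Snort's Unified2_common.h and uses a spool sample constructed inline rather than a captured file.

```python
import socket
import struct
from typing import Dict, Iterator, Tuple

UNIFIED2_PACKET = 2        # record types from Snort's Unified2_common.h
UNIFIED2_IDS_EVENT = 7
RECORD_HEADER = struct.Struct(">II")     # type, length; network byte order
IDS_EVENT = struct.Struct(">11I2H4B")    # 52-byte IPv4 IDS event (type 7)
EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond", "signature_id",
    "generator_id", "signature_revision", "classification_id", "priority_id",
    "ip_source", "ip_destination", "sport_itype", "dport_icode", "protocol",
    "impact_flag", "impact", "blocked",
)

def iter_records(spool: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, payload) per complete record; stop at a record whose length
    field runs past the end of the file (Snort still writing, or truncation)."""
    offset = 0
    while offset + RECORD_HEADER.size <= len(spool):
        rtype, length = RECORD_HEADER.unpack_from(spool, offset)
        offset += RECORD_HEADER.size
        if offset + length > len(spool):
            break
        yield rtype, spool[offset:offset + length]
        offset += length

def parse_ids_event(payload: bytes) -> Dict[str, object]:
    """Decode a type-7 record; IP addresses come back as dotted quads."""
    event = dict(zip(EVENT_FIELDS, IDS_EVENT.unpack_from(payload)))
    for key in ("ip_source", "ip_destination"):
        event[key] = socket.inet_ntoa(struct.pack(">I", event[key]))
    return event

def count_events(spool: bytes) -> int:
    """Complete IDS events in the spool; compare with rows in the event table."""
    return sum(1 for rtype, _ in iter_records(spool) if rtype == UNIFIED2_IDS_EVENT)

def build_event(event_id: int, sid: int, src: str, dst: str) -> bytes:
    """Construct a sample type-7 record (test data, not from a real sensor)."""
    to_u32 = lambda ip: struct.unpack(">I", socket.inet_aton(ip))[0]
    body = IDS_EVENT.pack(1, event_id, 1371688964, 0, sid, 1, 1, 3, 2,
                          to_u32(src), to_u32(dst), 40000, 80, 6, 0, 0, 0)
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body

# Constructed spool: two events, a packet record, then a header with no body.
SAMPLE_SPOOL = (
    build_event(1, 1000001, "192.168.0.10", "10.0.0.5")
    + RECORD_HEADER.pack(UNIFIED2_PACKET, 4) + b"\xde\xad\xbe\xef"
    + build_event(2, 1000002, "192.168.0.11", "10.0.0.5")
    + RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, 52)   # truncated: claims 52, has 0
)
```

Point `count_events` at the bytes of the real spool file (the `-f snort.u2.<timestamp>` file under `-d /var/log/snort`); a persistent gap between that count and the event table row count, with the waldo file not advancing, means barnyard2 is not committing.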