[Snort-users] Barnyard2 showing no records

wkitty42 at ...14940...
Mon Sep 30 11:49:21 EDT 2013


On Wednesday, September 25, 2013 10:05 AM, Greg Martin <grmartin at ...16200...> wrote: 
> We have had Snort running now for a couple of months and there have really been no issues, but now all of a sudden information is not being sent from Barnyard2. It just states that it is waiting for data. I checked connections going from the snort machine to our mirrored port on our switch and the connection seems fine. I am going to logon to the switch once I get an issue resolved with my logon to the switch. Anyhow, I was wondering if you might have any ideas or be able to suggest further troubleshooting on this issue? I restarted the snort machine as well and this did not make a difference either.

start at the beginning of the trail...

1. snort - is the defined output .u2 file gaining content

if the defined unified2 output file is filling up, then move to step 2 otherwise you need to figure out why snort is not seeing traffic and recording alerts...

2. barnyard2 - is barnyard2 able to access and read the defined u2 file?

if yes, then move to the other half of by2... if no, then you need to figure out why by2 can no longer read the u2 file(s) it was reading previously...

3. barnyard2 - can barnyard2 communicate with the database

if yes, then traffic alerts should be flowing from snort to the output u2 file, through by2 and into the database for your tools to read from the database...

something else to consider is if network transport has been changed recently... maybe now packaged in VLAN(s)... you also mention your login to a router... it is possible that router(s) may have been compromised or otherwise altered so the traffic is not sent to snort...

that's everything i can think of... just remember to always start at the beginning of the trail... the way up the mountain is not found by dropping into the middle of the forest and striking out in any old direction hoping to hit a trail that may not even be on said mountain ;)
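The three-step trail above (is snort filling the unified2 spool file, can barnyard2 read it, can barnyard2 reach the database) can be walked by a script. The following is an added example, not code from this thread and not part of snort or barnyard2. It assumes the usual layout: snort's `output unified2` writes `<filebase>.<unix-timestamp>` files into one spool directory (the `-d`/`-f` arguments barnyard2 takes), and the database is reached over TCP. It parses only the 8-byte unified2 record header (type and length, both big-endian) and skips record bodies; the record-type constants are the ones snort defines. The sample spool in `demo()` is constructed inline, including a record cut off mid-body, which is what a file looks like while snort is still writing it and is not a fault.

```python
"""Walk the trail snort -> unified2 spool -> barnyard2 -> database.

Added illustration, not code from the thread or from snort/barnyard2.
Assumes one spool directory holding <filebase>.<unix-timestamp> files and
a TCP-reachable database. Only unified2 record headers are parsed.
"""
import glob
import os
import socket
import struct
import tempfile
import time

# unified2 record types snort writes (Unified2_common.h)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN}
HEADER = struct.Struct("!II")  # type, length; network byte order


def newest_spool_file(spool_dir, filebase):
    """Step 1a: the file snort is writing now has the highest timestamp suffix."""
    candidates = []
    for path in glob.glob(os.path.join(spool_dir, filebase + ".*")):
        suffix = path.rsplit(".", 1)[1]
        if suffix.isdigit():
            candidates.append((int(suffix), path))
    return max(candidates)[1] if candidates else None


def is_growing(path, wait_seconds):
    """Step 1b: is snort still appending? Compare the size at two points in time."""
    before = os.path.getsize(path)
    time.sleep(wait_seconds)
    return os.path.getsize(path) > before


def walk_unified2(path):
    """Step 2: read the spool file the way barnyard2 does: header, body, next.

    Returns (events, packets, other, truncated). A truncated tail is normal
    while snort is mid-write; barnyard2 waits for the rest of the record.
    """
    events = packets = other = 0
    truncated = False
    with open(path, "rb") as f:
        while True:
            hdr = f.read(HEADER.size)
            if not hdr:
                break
            if len(hdr) < HEADER.size:
                truncated = True
                break
            rtype, length = HEADER.unpack(hdr)
            if len(f.read(length)) < length:
                truncated = True
                break
            if rtype in EVENT_TYPES:
                events += 1
            elif rtype == UNIFIED2_PACKET:
                packets += 1
            else:
                other += 1
    return events, packets, other, truncated


def db_reachable(host, port, timeout=3.0):
    """Step 3: can the sensor open a TCP connection to the database at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def trace(spool_dir, filebase, db_host, db_port, wait_seconds=10):
    """Run the three checks in order and stop at the first broken link."""
    report = {"spool_file": newest_spool_file(spool_dir, filebase)}
    if report["spool_file"] is None:
        report["verdict"] = "no unified2 file: snort is not writing alerts"
        return report
    report["growing"] = is_growing(report["spool_file"], wait_seconds)
    events, packets, other, truncated = walk_unified2(report["spool_file"])
    report.update(events=events, packets=packets, other=other, truncated=truncated)
    if not events and not report["growing"]:
        report["verdict"] = "spool file is static and holds no events: look at snort/traffic first"
        return report
    report["db_reachable"] = db_reachable(db_host, db_port)
    report["verdict"] = ("trail is intact" if report["db_reachable"]
                         else "spool is fine; barnyard2 cannot reach the database")
    return report


def demo():
    """Constructed sample spool: a rotated empty file, two records, one cut mid-body."""
    spool = tempfile.mkdtemp()
    open(os.path.join(spool, "snort.u2.1380000000"), "wb").close()
    with open(os.path.join(spool, "snort.u2.1380500000"), "wb") as f:
        f.write(HEADER.pack(UNIFIED2_IDS_EVENT, 4) + b"\x00" * 4)
        f.write(HEADER.pack(UNIFIED2_PACKET, 6) + b"\x00" * 6)
        f.write(HEADER.pack(UNIFIED2_EXTRA_DATA, 20) + b"\x00" * 5)  # partial tail
    # port 1 on localhost stands in for an unreachable database (assumption)
    return trace(spool, "snort.u2", "127.0.0.1", 1, wait_seconds=0)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live sensor, point `trace()` at the real spool directory, filebase and database host, and leave `wait_seconds` at ten seconds or more so a quiet link is not mistaken for a dead one. If the newest file is growing and contains event records but the database port does not answer, the problem is on the barnyard2 side; if the file never grows, the problem is upstream of snort, which is where the mirrored port and any VLAN change belong in the investigation.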

