[Snort-users] AANVAL or MYSQL question

Gierczak, Stan SGierczak at ...16714...
Wed Apr 16 11:19:25 EDT 2014


I have just finished installing snort/barnyard/aanval.
I can see that snort is working.  I see messages queuing in the alert file in /var/log/snort/eth0.
Not sure if barnyard is not populating mysql or if aanval is not working.
I got this message in aanval under configuration/snort module settings:
[cid:image001.png at ...16789...]

I verified that the db is correct as is the user name and password.

I have this in the syslog for when barnyard loads:
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]: Running in Continuous mode
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]:
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]:         --== Initializing Barnyard2 ==--
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]: Initializing Input Plugins!
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]: Initializing Output Plugins!
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]: Parsing config file "/etc/snort/barnyard.conf"
Apr 16 09:36:04 rlicsnortids1 barnyard2[1456]: Log directory = /var/log/snort/eth0
Apr 16 09:36:04 rlicsnortids1 barnyard2[1456]: Initializing daemon mode
Apr 16 09:36:04 rlicsnortids1 barnyard2[1456]: Daemon parent exiting
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Daemon initialized, signaled parent pid: 1456
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: PID path stat checked out ok, PID path set to /var/run/
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Writing PID "1457" to file "/var/run//barnyard2_NULL.pid"
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: compiled support for (mysql)
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: configured to use mysql
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: schema version = 107
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:           host = localhost
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:           user = snort_user
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:  database name = snortdb
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:    sensor name = rlicsnortids1:NULL
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:      sensor id = 1
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:     sensor cid = 1
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:  data encoding = hex
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:   detail level = full
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:     ignore_bpf = no
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: using the "log" facility
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]:
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]:         --== Initialization Complete ==--
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Barnyard2 initialization completed successfully (pid=1457)
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: WARNING: Unable to open waldo file '/var/log/snort/eth0/barnyard2.waldo' (No such file or directory)
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Opened spool file '/var/log/snort/eth0/snort.log.1397656582'
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Closing spool file '/var/log/snort/eth0/snort.log.1397656582'. Read 0 records
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Opened spool file '/var/log/snort/eth0/snort.log.1397658954'
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Waiting for new data

The only error I see is about WALDO.  Not sure if that is an issue or not.

Again thanks everyone for all the help.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140416/e30f7249/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 4403 bytes
Desc: image001.png
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140416/e30f7249/attachment.png>


More information about the Snort-users mailing list