[Snort-users] AANVAL or MYSQL question

Gierczak, Stan SGierczak at ...16714...
Mon Apr 21 13:54:50 EDT 2014



Like I said.  You are losing me a little.  I am running barnyard as a startup when the system comes up, or by:
service barnyard2 start/stop

I believe that all the configuration then comes from the /usr/local/etc/barnyard2.conf.
In that file are the following which are uncommented:
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config daemon
input unified2
output alert_fast: stdout
output database: log, mysql, user=snort_user password=snortuser dbname=snortdb host=localhost

When I stop and start barnyard, the following gets generated in the syslog file:

Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: Running in Continuous mode
Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]:
Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]:         --== Initializing Barnyard2 ==--
Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: Initializing Input Plugins!
Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: Initializing Output Plugins!
Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: Parsing config file "/etc/snort/barnyard.conf"
Apr 21 12:44:09 rlicsnortids1 barnyard2[2014]: Log directory = /var/log/snort/eth0
Apr 21 12:44:09 rlicsnortids1 barnyard2[2014]: Initializing daemon mode
Apr 21 12:44:09 rlicsnortids1 barnyard2[2014]: Daemon parent exiting
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Daemon initialized, signaled parent pid: 2014
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: PID path stat checked out ok, PID path set to /var/run/
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Writing PID "2015" to file "/var/run//barnyard2_NULL.pid"
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: compiled support for (mysql)
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: configured to use mysql
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: schema version = 107
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:           host = localhost
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:           user = snort_user
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:  database name = snortdb    <-- This is the correct snortdb
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:    sensor name = rlicsnortids1:NULL
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:      sensor id = 1
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:     sensor cid = 1
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:  data encoding = hex
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:   detail level = full
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:     ignore_bpf = no
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: using the "log" facility
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]:
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]:         --== Initialization Complete ==--
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Barnyard2 initialization completed successfully (pid=2015)
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/eth0/barnyard2.waldo'
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Opened spool file '/var/log/snort/eth0/snort.log.1398100514'    <-- This is the correct location for the snort log
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Waiting for new data

Thanks for your help again.



On 4/17/2014 12:39 PM, Gierczak, Stan wrote:
> Sorry, this is where you are losing me, I think.
>
> What I believe the answer is that barnyard2 is being run as a service.  
> The executable that was created is from the install guide at 
> http://wiki.aanval.com/wiki/Community:Snort_2.9.2.3_Installation_Guide
> _for_Ubuntu_12.04,_with_Barnyard2,_Pulledpork,_and_Aanval

you forgot to supply the requested startup command line for your barnyard2.

you forgot to say if your barnyard2 is being pointed to the proper snort log directory. this might be done on the command line or possibly inside the
barnyard2 config.

--
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
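As an added example (not part of this thread and not barnyard2's own tooling), the following Python script parses barnyard2 startup lines of the shape quoted in the message and checks them against what the administrator expects: which config file barnyard2 actually parsed, whether the spool directory and database match, and whether the waldo bookmark was usable. In the message the syslog shows barnyard2 parsing "/etc/snort/barnyard.conf" while the author believes the configuration comes from /usr/local/etc/barnyard2.conf; this is exactly the kind of mismatch the script reports. It also inspects the `output database:` line of the config for a cleartext password. The log lines, config fragment, host name and expected values below are constructed for illustration and are assumptions, not data from the thread.

```python
import re
from typing import Dict, List

# Constructed sample, shaped like the barnyard2 startup lines quoted in the message
# (host name, PIDs and paths are illustrative).
SAMPLE_LOG = """\
Apr 21 12:44:08 host1 barnyard2[2014]: Parsing config file "/etc/snort/barnyard.conf"
Apr 21 12:44:09 host1 barnyard2[2014]: Log directory = /var/log/snort/eth0
Apr 21 12:44:09 host1 barnyard2[2015]: database:           host = localhost
Apr 21 12:44:09 host1 barnyard2[2015]: database:           user = snort_user
Apr 21 12:44:09 host1 barnyard2[2015]: database:  database name = snortdb
Apr 21 12:44:09 host1 barnyard2[2015]: database:    sensor name = host1:NULL
Apr 21 12:44:09 host1 barnyard2[2015]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/eth0/barnyard2.waldo'
Apr 21 12:44:09 host1 barnyard2[2015]: Opened spool file '/var/log/snort/eth0/snort.log.1398100514'
Apr 21 12:44:09 host1 barnyard2[2015]: Waiting for new data
"""

# Constructed config fragment modelled on the uncommented lines in the message.
SAMPLE_CONFIG = """\
config daemon
input unified2
output alert_fast: stdout
output database: log, mysql, user=snort_user password=EXAMPLE_PASSWORD dbname=snortdb host=localhost
"""

# What the administrator believes barnyard2 should be using (assumed values).
EXPECTED = {
    "config_file": "/usr/local/etc/barnyard2.conf",
    "log_dir": "/var/log/snort/eth0",
    "database name": "snortdb",
    "host": "localhost",
}

RE_CONFIG = re.compile(r'Parsing config file "([^"]+)"')
RE_LOGDIR = re.compile(r"Log directory = (\S+)")
RE_DBSET = re.compile(r"database:\s+([a-z ]+?)\s*=\s*(\S+)")
RE_WALDO = re.compile(r"Ignoring corrupt/truncated waldofile '([^']+)'")
RE_SPOOL = re.compile(r"Opened spool file '([^']+)'")


def parse_startup(log_text: str) -> Dict[str, object]:
    """Pull the settings barnyard2 reports at startup out of syslog lines."""
    parsed: Dict[str, object] = {}
    db: Dict[str, str] = {}
    for line in log_text.splitlines():
        if m := RE_CONFIG.search(line):
            parsed["config_file"] = m.group(1)
        elif m := RE_LOGDIR.search(line):
            parsed["log_dir"] = m.group(1)
        elif m := RE_WALDO.search(line):
            parsed["waldo_warning"] = m.group(1)
        elif m := RE_SPOOL.search(line):
            parsed["spool_file"] = m.group(1)
        elif m := RE_DBSET.search(line):
            # "database:   <key> = <value>" lines, e.g. "database name = snortdb"
            db[m.group(1).strip()] = m.group(2)
    parsed["database"] = db
    return parsed


def check_startup(parsed: Dict[str, object], expected: Dict[str, str]) -> List[str]:
    """Compare what barnyard2 reported with what the administrator expects."""
    findings: List[str] = []
    if parsed.get("config_file") != expected["config_file"]:
        findings.append(
            f"config file mismatch: barnyard2 parsed {parsed.get('config_file')!r}, "
            f"expected {expected['config_file']!r} (check the -c option on the service command line)"
        )
    if parsed.get("log_dir") != expected["log_dir"]:
        findings.append(f"log directory mismatch: {parsed.get('log_dir')!r} vs {expected['log_dir']!r}")
    db = parsed.get("database", {})
    for key in ("database name", "host"):
        if db.get(key) != expected[key]:
            findings.append(f"database {key} mismatch: {db.get(key)!r} vs {expected[key]!r}")
    if parsed.get("waldo_warning"):
        findings.append(
            "waldo bookmark unusable; barnyard2 cannot resume from its last position "
            "in the spool, so events may be reprocessed or missed"
        )
    spool = parsed.get("spool_file")
    if spool and not str(spool).startswith(expected["log_dir"] + "/"):
        findings.append(f"spool file {spool!r} is outside the expected log directory")
    return findings


def output_database_params(config_text: str) -> Dict[str, str]:
    """Return the key=value parameters of the 'output database:' line, if present."""
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("output database:"):
            params: Dict[str, str] = {}
            for token in line.split(":", 1)[1].split():
                if "=" in token:
                    key, value = token.split("=", 1)
                    params[key] = value
            return params
    return {}


def check_config(config_text: str, expected: Dict[str, str]) -> List[str]:
    """Flag config problems: wrong database name, and credentials stored in cleartext."""
    params = output_database_params(config_text)
    if not params:
        return ["no 'output database:' line found; nothing will reach MySQL"]
    findings: List[str] = []
    if params.get("dbname") != expected["database name"]:
        findings.append(f"dbname {params.get('dbname')!r} differs from expected {expected['database name']!r}")
    if "password" in params:
        findings.append("database password is stored in cleartext in the config; "
                        "restrict the file to the account running barnyard2 (mode 0600)")
    return findings


if __name__ == "__main__":
    for finding in check_startup(parse_startup(SAMPLE_LOG), EXPECTED) + check_config(SAMPLE_CONFIG, EXPECTED):
        print("FINDING:", finding)
```

On a real sensor you would feed the script the barnyard2 lines from syslog and the live barnyard2.conf; the config path and spool directory it reports are the ones set by the service's command line (barnyard2's -c and -d options) rather than whatever file the administrator assumes is in use, which is the point of the reply's two questions.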
